remove references to client-go/pkg/api
Kubernetes-commit: d978f22e04519f6eecfde839110c398dc28d4e8e
parent
6eb4e56e79
commit
e84e32eaa5
|
|
@ -54,7 +54,8 @@ go_library(
|
|||
"//vendor/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/server/httplog:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api/v1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authentication:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authentication/v1:go_default_library",
|
||||
],
|
||||
)
|
||||
|
|
|
|||
|
|
@ -30,8 +30,8 @@ import (
|
|||
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
|
||||
"k8s.io/apiserver/pkg/endpoints/request"
|
||||
"k8s.io/apiserver/pkg/server/httplog"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
authenticationapi "k8s.io/client-go/pkg/apis/authentication"
|
||||
"k8s.io/client-go/pkg/api/v1"
|
||||
authenticationv1 "k8s.io/client-go/pkg/apis/authentication/v1"
|
||||
)
|
||||
|
||||
// WithImpersonation is a filter that will inspect and check requests that attempt to change the user.Info for their requests
|
||||
|
|
@ -61,7 +61,7 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||
|
||||
// if groups are not specified, then we need to look them up differently depending on the type of user
|
||||
// if they are specified, then they are the authority (including the inclusion of system:authenticated/system:unauthenticated groups)
|
||||
groupsSpecified := len(req.Header[authenticationapi.ImpersonateGroupHeader]) > 0
|
||||
groupsSpecified := len(req.Header[authenticationv1.ImpersonateGroupHeader]) > 0
|
||||
|
||||
// make sure we're allowed to impersonate each thing we're requesting. While we're iterating through, start building username
|
||||
// and group information
|
||||
|
|
@ -79,7 +79,7 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||
}
|
||||
|
||||
switch impersonationRequest.GetObjectKind().GroupVersionKind().GroupKind() {
|
||||
case api.Kind("ServiceAccount"):
|
||||
case v1.SchemeGroupVersion.WithKind("ServiceAccount").GroupKind():
|
||||
actingAsAttributes.Resource = "serviceaccounts"
|
||||
username = serviceaccount.MakeUsername(impersonationRequest.Namespace, impersonationRequest.Name)
|
||||
if !groupsSpecified {
|
||||
|
|
@ -87,15 +87,15 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||
groups = serviceaccount.MakeGroupNames(impersonationRequest.Namespace, impersonationRequest.Name)
|
||||
}
|
||||
|
||||
case api.Kind("User"):
|
||||
case v1.SchemeGroupVersion.WithKind("User").GroupKind():
|
||||
actingAsAttributes.Resource = "users"
|
||||
username = impersonationRequest.Name
|
||||
|
||||
case api.Kind("Group"):
|
||||
case v1.SchemeGroupVersion.WithKind("Group").GroupKind():
|
||||
actingAsAttributes.Resource = "groups"
|
||||
groups = append(groups, impersonationRequest.Name)
|
||||
|
||||
case authenticationapi.Kind("UserExtra"):
|
||||
case authenticationv1.SchemeGroupVersion.WithKind("UserExtra").GroupKind():
|
||||
extraKey := impersonationRequest.FieldPath
|
||||
extraValue := impersonationRequest.Name
|
||||
actingAsAttributes.Resource = "userextras"
|
||||
|
|
@ -143,10 +143,10 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
|
||||
|
||||
// clear all the impersonation headers from the request
|
||||
req.Header.Del(authenticationapi.ImpersonateUserHeader)
|
||||
req.Header.Del(authenticationapi.ImpersonateGroupHeader)
|
||||
req.Header.Del(authenticationv1.ImpersonateUserHeader)
|
||||
req.Header.Del(authenticationv1.ImpersonateGroupHeader)
|
||||
for headerName := range req.Header {
|
||||
if strings.HasPrefix(headerName, authenticationapi.ImpersonateUserExtraHeaderPrefix) {
|
||||
if strings.HasPrefix(headerName, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
|
||||
req.Header.Del(headerName)
|
||||
}
|
||||
}
|
||||
|
|
@ -158,42 +158,42 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
|
|||
// buildImpersonationRequests returns a list of objectreferences that represent the different things we're requesting to impersonate.
|
||||
// Also includes a map[string][]string representing user.Info.Extra
|
||||
// Each request must be authorized against the current user before switching contexts.
|
||||
func buildImpersonationRequests(headers http.Header) ([]api.ObjectReference, error) {
|
||||
impersonationRequests := []api.ObjectReference{}
|
||||
func buildImpersonationRequests(headers http.Header) ([]v1.ObjectReference, error) {
|
||||
impersonationRequests := []v1.ObjectReference{}
|
||||
|
||||
requestedUser := headers.Get(authenticationapi.ImpersonateUserHeader)
|
||||
requestedUser := headers.Get(authenticationv1.ImpersonateUserHeader)
|
||||
hasUser := len(requestedUser) > 0
|
||||
if hasUser {
|
||||
if namespace, name, err := serviceaccount.SplitUsername(requestedUser); err == nil {
|
||||
impersonationRequests = append(impersonationRequests, api.ObjectReference{Kind: "ServiceAccount", Namespace: namespace, Name: name})
|
||||
impersonationRequests = append(impersonationRequests, v1.ObjectReference{Kind: "ServiceAccount", Namespace: namespace, Name: name})
|
||||
} else {
|
||||
impersonationRequests = append(impersonationRequests, api.ObjectReference{Kind: "User", Name: requestedUser})
|
||||
impersonationRequests = append(impersonationRequests, v1.ObjectReference{Kind: "User", Name: requestedUser})
|
||||
}
|
||||
}
|
||||
|
||||
hasGroups := false
|
||||
for _, group := range headers[authenticationapi.ImpersonateGroupHeader] {
|
||||
for _, group := range headers[authenticationv1.ImpersonateGroupHeader] {
|
||||
hasGroups = true
|
||||
impersonationRequests = append(impersonationRequests, api.ObjectReference{Kind: "Group", Name: group})
|
||||
impersonationRequests = append(impersonationRequests, v1.ObjectReference{Kind: "Group", Name: group})
|
||||
}
|
||||
|
||||
hasUserExtra := false
|
||||
for headerName, values := range headers {
|
||||
if !strings.HasPrefix(headerName, authenticationapi.ImpersonateUserExtraHeaderPrefix) {
|
||||
if !strings.HasPrefix(headerName, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
|
||||
continue
|
||||
}
|
||||
|
||||
hasUserExtra = true
|
||||
extraKey := strings.ToLower(headerName[len(authenticationapi.ImpersonateUserExtraHeaderPrefix):])
|
||||
extraKey := strings.ToLower(headerName[len(authenticationv1.ImpersonateUserExtraHeaderPrefix):])
|
||||
|
||||
// make a separate request for each extra value they're trying to set
|
||||
for _, value := range values {
|
||||
impersonationRequests = append(impersonationRequests,
|
||||
api.ObjectReference{
|
||||
v1.ObjectReference{
|
||||
Kind: "UserExtra",
|
||||
// we only parse out a group above, but the parsing will fail if there isn't SOME version
|
||||
// using the internal version will help us fail if anyone starts using it
|
||||
APIVersion: authenticationapi.SchemeGroupVersion.String(),
|
||||
APIVersion: authenticationv1.SchemeGroupVersion.String(),
|
||||
Name: value,
|
||||
// ObjectReference doesn't have a subresource field. FieldPath is close and available, so we'll use that
|
||||
// TODO fight the good fight for ObjectReference to refer to resources and subresources
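Review bot: The comment kept above the `APIVersion` field in buildImpersonationRequests still says `using the internal version will help us fail if anyone starts using it`, but the value is now `authenticationv1.SchemeGroupVersion.String()`, a versioned group version rather than the internal one. If that choice was meant to make any later reliance on the version fail loudly, the guard appears to be gone after this change, and the comment should describe what the v1 value is for, e.g. `// only the group is read by WithImpersonation; a version is set because parsing needs one`. It is also worth confirming that `ImpersonateUserHeader`, `ImpersonateGroupHeader` and `ImpersonateUserExtraHeaderPrefix` in the v1 package carry the same values as the internal constants, since the filter both reads and strips impersonation headers by those names. The struct literal and the function body continue past the end of the last hunk.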
|
||||
|
|
|
|||
|
|
@ -28,7 +28,7 @@ go_test(
|
|||
"//vendor/k8s.io/apiserver/pkg/features:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/proxy:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api/v1:go_default_library",
|
||||
],
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -26,11 +26,11 @@ import (
|
|||
"testing"
|
||||
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
"k8s.io/client-go/pkg/api/v1"
|
||||
)
|
||||
|
||||
func TestGenericHttpResponseChecker(t *testing.T) {
|
||||
responseChecker := NewGenericHttpResponseChecker(api.Resource("pods"), "foo")
|
||||
responseChecker := NewGenericHttpResponseChecker(v1.Resource("pods"), "foo")
|
||||
tests := []struct {
|
||||
resp *http.Response
|
||||
expectError bool
|
||||
|
|
@ -79,7 +79,7 @@ func TestGenericHttpResponseChecker(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestGenericHttpResponseCheckerLimitReader(t *testing.T) {
|
||||
responseChecker := NewGenericHttpResponseChecker(api.Resource("pods"), "foo")
|
||||
responseChecker := NewGenericHttpResponseChecker(v1.Resource("pods"), "foo")
|
||||
excessedString := strings.Repeat("a", (maxReadLength + 10000))
|
||||
resp := &http.Response{
|
||||
Body: ioutil.NopCloser(bytes.NewBufferString(excessedString)),
|
||||
|
|
|
|||
|
|
@ -30,7 +30,8 @@ go_test(
|
|||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/watch:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api/v1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/tools/cache:go_default_library",
|
||||
"//vendor/k8s.io/client-go/util/clock:go_default_library",
|
||||
],
|
||||
|
|
|
|||
|
|
@ -24,7 +24,8 @@ import (
|
|||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
"k8s.io/client-go/pkg/api/v1"
|
||||
)
|
||||
|
||||
// verifies the cacheWatcher.process goroutine is properly cleaned up even if
|
||||
|
|
@ -39,12 +40,12 @@ func TestCacheWatcherCleanupNotBlockedByResult(t *testing.T) {
|
|||
count++
|
||||
}
|
||||
initEvents := []*watchCacheEvent{
|
||||
{Object: &api.Pod{}},
|
||||
{Object: &api.Pod{}},
|
||||
{Object: &v1.Pod{}},
|
||||
{Object: &v1.Pod{}},
|
||||
}
|
||||
// set the size of the buffer of w.result to 0, so that the writes to
|
||||
// w.result is blocked.
|
||||
w := newCacheWatcher(api.Scheme, 0, 0, initEvents, filter, forget)
|
||||
w := newCacheWatcher(scheme.Scheme, 0, 0, initEvents, filter, forget)
|
||||
w.Stop()
|
||||
if err := wait.PollImmediate(1*time.Second, 5*time.Second, func() (bool, error) {
|
||||
lock.RLock()
|
||||
|
|
|
|||
|
|
@ -30,13 +30,13 @@ import (
|
|||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apimachinery/pkg/watch"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
"k8s.io/client-go/pkg/api/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/clock"
|
||||
)
|
||||
|
||||
func makeTestPod(name string, resourceVersion uint64) *api.Pod {
|
||||
return &api.Pod{
|
||||
func makeTestPod(name string, resourceVersion uint64) *v1.Pod {
|
||||
return &v1.Pod{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Namespace: "ns",
|
||||
Name: name,
|
||||
|
|
@ -99,7 +99,7 @@ func TestWatchCacheBasic(t *testing.T) {
|
|||
{
|
||||
podNames := sets.String{}
|
||||
for _, item := range store.List() {
|
||||
podNames.Insert(item.(*storeElement).Object.(*api.Pod).ObjectMeta.Name)
|
||||
podNames.Insert(item.(*storeElement).Object.(*v1.Pod).ObjectMeta.Name)
|
||||
}
|
||||
if !podNames.HasAll("pod1", "pod2", "pod3") {
|
||||
t.Errorf("missing pods, found %v", podNames)
|
||||
|
|
@ -117,7 +117,7 @@ func TestWatchCacheBasic(t *testing.T) {
|
|||
{
|
||||
podNames := sets.String{}
|
||||
for _, item := range store.List() {
|
||||
podNames.Insert(item.(*storeElement).Object.(*api.Pod).ObjectMeta.Name)
|
||||
podNames.Insert(item.(*storeElement).Object.(*v1.Pod).ObjectMeta.Name)
|
||||
}
|
||||
if !podNames.HasAll("pod4", "pod5") {
|
||||
t.Errorf("missing pods, found %v", podNames)
|
||||
|
|
@ -349,10 +349,10 @@ func TestReflectorForWatchCache(t *testing.T) {
|
|||
return fw, nil
|
||||
},
|
||||
ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
|
||||
return &api.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}}, nil
|
||||
return &v1.PodList{ListMeta: metav1.ListMeta{ResourceVersion: "10"}}, nil
|
||||
},
|
||||
}
|
||||
r := cache.NewReflector(lw, &api.Pod{}, store, 0)
|
||||
r := cache.NewReflector(lw, &v1.Pod{}, store, 0)
|
||||
r.ListAndWatch(wait.NeverStop)
|
||||
|
||||
{
|
||||
|
|
|
|||
|
|
@ -34,8 +34,9 @@ go_test(
|
|||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apimachinery/registered:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
||||
"//vendor/k8s.io/client-go/rest:go_default_library",
|
||||
"//vendor/k8s.io/client-go/tools/clientcmd/api/v1:go_default_library",
|
||||
],
|
||||
|
|
|
|||
|
|
@ -32,8 +32,9 @@ import (
|
|||
"time"
|
||||
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/apimachinery/registered"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
"k8s.io/client-go/rest"
|
||||
"k8s.io/client-go/tools/clientcmd/api/v1"
|
||||
)
|
||||
|
|
@ -73,7 +74,8 @@ var (
|
|||
func TestDisabledGroupVersion(t *testing.T) {
|
||||
gv := schema.GroupVersion{Group: "webhook.util.k8s.io", Version: "v1"}
|
||||
gvs := []schema.GroupVersion{gv}
|
||||
_, err := NewGenericWebhook(api.Registry, api.Codecs, "/some/path", gvs, retryBackoff)
|
||||
registry := registered.NewOrDie(gv.String())
|
||||
_, err := NewGenericWebhook(registry, scheme.Codecs, "/some/path", gvs, retryBackoff)
|
||||
|
||||
if err == nil {
|
||||
t.Errorf("expected an error")
|
||||
|
|
@ -270,7 +272,7 @@ func TestKubeConfigFile(t *testing.T) {
|
|||
if err == nil {
|
||||
defer os.Remove(kubeConfigFile)
|
||||
|
||||
_, err = NewGenericWebhook(api.Registry, api.Codecs, kubeConfigFile, groupVersions, retryBackoff)
|
||||
_, err = NewGenericWebhook(registered.NewOrDie(""), scheme.Codecs, kubeConfigFile, groupVersions, retryBackoff)
|
||||
}
|
||||
|
||||
return err
|
||||
|
|
@ -293,7 +295,7 @@ func TestKubeConfigFile(t *testing.T) {
|
|||
// TestMissingKubeConfigFile ensures that a kube config path to a missing file is handled properly
|
||||
func TestMissingKubeConfigFile(t *testing.T) {
|
||||
kubeConfigPath := "/some/missing/path"
|
||||
_, err := NewGenericWebhook(api.Registry, api.Codecs, kubeConfigPath, groupVersions, retryBackoff)
|
||||
_, err := NewGenericWebhook(registered.NewOrDie(""), scheme.Codecs, kubeConfigPath, groupVersions, retryBackoff)
|
||||
|
||||
if err == nil {
|
||||
t.Errorf("creating the webhook should had failed")
|
||||
|
|
@ -405,7 +407,7 @@ func TestTLSConfig(t *testing.T) {
|
|||
|
||||
defer os.Remove(configFile)
|
||||
|
||||
wh, err := NewGenericWebhook(api.Registry, api.Codecs, configFile, groupVersions, retryBackoff)
|
||||
wh, err := NewGenericWebhook(registered.NewOrDie(""), scheme.Codecs, configFile, groupVersions, retryBackoff)
|
||||
|
||||
if err == nil {
|
||||
err = wh.RestClient.Get().Do().Error()
|
||||
|
|
@ -497,7 +499,7 @@ func TestWithExponentialBackoff(t *testing.T) {
|
|||
|
||||
defer os.Remove(configFile)
|
||||
|
||||
wh, err := NewGenericWebhook(api.Registry, api.Codecs, configFile, groupVersions, retryBackoff)
|
||||
wh, err := NewGenericWebhook(registered.NewOrDie(""), scheme.Codecs, configFile, groupVersions, retryBackoff)
|
||||
|
||||
if err != nil {
|
||||
t.Fatalf("failed to create the webhook: %v", err)
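Review bot: TestDisabledGroupVersion now builds its registry with `registered.NewOrDie(gv.String())` and then expects NewGenericWebhook to reject that same group version, which reads as contradictory without a comment. If the string argument only records the version as requested and never enables it (the other tests in this file pass `""`), a line such as `// gv is named in the registry but never enabled, so the enabled-version check must fail` above the call would make the intent clear. Because this test covers the check that stops a webhook being built for a version that is not enabled, it should be obvious to a reader why the error is expected.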
|
||||
|
|
|
|||
|
|
@ -29,14 +29,14 @@ go_library(
|
|||
srcs = ["webhook.go"],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor/k8s.io/apimachinery/pkg/apimachinery/registered:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/cache:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/webhook:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/typed/authentication/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authentication/install:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authentication/v1beta1:go_default_library",
|
||||
],
|
||||
)
|
||||
|
|
|
|||
|
|
@ -18,18 +18,18 @@ limitations under the License.
|
|||
package webhook
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"k8s.io/apimachinery/pkg/apimachinery/registered"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/util/cache"
|
||||
"k8s.io/apiserver/pkg/util/webhook"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
authenticationclient "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
authentication "k8s.io/client-go/pkg/apis/authentication/v1beta1"
|
||||
|
||||
_ "k8s.io/client-go/pkg/apis/authentication/install"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
@ -109,11 +109,24 @@ func (w *WebhookTokenAuthenticator) AuthenticateToken(token string) (user.Info,
|
|||
}, true, nil
|
||||
}
|
||||
|
||||
// NOTE: client-go doesn't provide a registry. client-go does registers the
|
||||
// authentication/v1beta1. We construct a registry that acknowledges
|
||||
// authentication/v1beta1 as an enabled version to pass a check enforced in
|
||||
// NewGenericWebhook.
|
||||
var registry = registered.NewOrDie("")
|
||||
|
||||
func init() {
|
||||
registry.RegisterVersions(groupVersions)
|
||||
if err := registry.EnableVersions(groupVersions...); err != nil {
|
||||
panic(fmt.Sprintf("failed to enable version %v", groupVersions))
|
||||
}
|
||||
}
|
||||
|
||||
// tokenReviewInterfaceFromKubeconfig builds a client from the specified kubeconfig file,
|
||||
// and returns a TokenReviewInterface that uses that client. Note that the client submits TokenReview
|
||||
// requests to the exact path specified in the kubeconfig file, so arbitrary non-API servers can be targeted.
|
||||
func tokenReviewInterfaceFromKubeconfig(kubeConfigFile string) (authenticationclient.TokenReviewInterface, error) {
|
||||
gw, err := webhook.NewGenericWebhook(api.Registry, api.Codecs, kubeConfigFile, groupVersions, 0)
|
||||
gw, err := webhook.NewGenericWebhook(registry, scheme.Codecs, kubeConfigFile, groupVersions, 0)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
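Review bot: The panic in the new `init()` drops the error returned by `registry.EnableVersions`, so a startup failure in this authentication webhook package reports only the version list and not the cause; include it, `panic(fmt.Sprintf("failed to enable version %v: %v", groupVersions, err))`. The same `registry` variable and `init()` are added verbatim to the authorization webhook package further down and need the same change. The NOTE comment above `registry` says `client-go does registers`, which should read `client-go does register`. tokenReviewInterfaceFromKubeconfig continues outside the hunk.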
|
||||
|
|
|
|||
|
|
@ -32,12 +32,13 @@ go_library(
|
|||
tags = ["automanaged"],
|
||||
deps = [
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apimachinery/registered:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/cache:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/util/webhook:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/scheme:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes/typed/authorization/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/api:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authorization/install:go_default_library",
|
||||
"//vendor/k8s.io/client-go/pkg/apis/authorization/v1beta1:go_default_library",
|
||||
],
|
||||
|
|
|
|||
|
|
@ -19,16 +19,18 @@ package webhook
|
|||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/apimachinery/pkg/apimachinery/registered"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/util/cache"
|
||||
"k8s.io/apiserver/pkg/util/webhook"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
|
||||
"k8s.io/client-go/pkg/api"
|
||||
authorization "k8s.io/client-go/pkg/apis/authorization/v1beta1"
|
||||
|
||||
_ "k8s.io/client-go/pkg/apis/authorization/install"
|
||||
|
|
@ -207,11 +209,24 @@ func convertToSARExtra(extra map[string][]string) map[string]authorization.Extra
|
|||
return ret
|
||||
}
|
||||
|
||||
// NOTE: client-go doesn't provide a registry. client-go does registers the
|
||||
// authorization/v1beta1. We construct a registry that acknowledges
|
||||
// authorization/v1beta1 as an enabled version to pass a check enforced in
|
||||
// NewGenericWebhook.
|
||||
var registry = registered.NewOrDie("")
|
||||
|
||||
func init() {
|
||||
registry.RegisterVersions(groupVersions)
|
||||
if err := registry.EnableVersions(groupVersions...); err != nil {
|
||||
panic(fmt.Sprintf("failed to enable version %v", groupVersions))
|
||||
}
|
||||
}
|
||||
|
||||
// subjectAccessReviewInterfaceFromKubeconfig builds a client from the specified kubeconfig file,
|
||||
// and returns a SubjectAccessReviewInterface that uses that client. Note that the client submits SubjectAccessReview
|
||||
// requests to the exact path specified in the kubeconfig file, so arbitrary non-API servers can be targeted.
|
||||
func subjectAccessReviewInterfaceFromKubeconfig(kubeConfigFile string) (authorizationclient.SubjectAccessReviewInterface, error) {
|
||||
gw, err := webhook.NewGenericWebhook(api.Registry, api.Codecs, kubeConfigFile, groupVersions, 0)
|
||||
gw, err := webhook.NewGenericWebhook(registry, scheme.Codecs, kubeConfigFile, groupVersions, 0)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
|
|||