From 533efb7c51df5c4b372d81ac8ed96d24b36a4cfd Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Tue, 28 Mar 2017 13:02:33 -0400
Subject: [PATCH] Add Authorization / RBAC option to schema

---
 pkg/apis/kops/cluster.go | 14 ++++
 pkg/apis/kops/v1alpha1/cluster.go | 14 ++++
 .../kops/v1alpha1/zz_generated.conversion.go | 72 +++++++++++++++++++
 pkg/apis/kops/v1alpha2/cluster.go | 14 ++++
 .../kops/v1alpha2/zz_generated.conversion.go | 72 +++++++++++++++++++
 pkg/model/components/apiserver.go | 6 ++
 6 files changed, 192 insertions(+)

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index f30f90229f..9eabc148f9 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -236,10 +236,24 @@ type ClusterSpec struct {
 // API field controls how the API is exposed outside the cluster
 API *AccessSpec `json:"api,omitempty"`
 
+ // Authorization field controls how the cluster is configured for authorization
+ Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 // Tags for AWS instance groups
 CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }
 
+type AuthorizationSpec struct {
+ RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+ return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 DNS *DNSAccessSpec `json:"dns,omitempty"`
 LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
index 7ee0cb100e..ebac4f4d39 100644
--- a/pkg/apis/kops/v1alpha1/cluster.go
+++ b/pkg/apis/kops/v1alpha1/cluster.go
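Review bot: `IsEmpty` dereferences its receiver without a guard, and because `Authorization` is an optional pointer field the natural call `clusterSpec.Authorization.IsEmpty()` panics when the field is absent from the spec; a leading `if s == nil { return true }` keeps the method safe on the zero configuration. The exported types `AuthorizationSpec` and `RBACAuthorizationSpec` have no doc comments, and since `RBACAuthorizationSpec` has no fields its mere presence is what switches RBAC on (apiserver.go keys on `RBAC != nil`), which is worth stating: `// RBACAuthorizationSpec enables RBAC authorization; it currently has no options, so a non-nil value is the enable switch.` The same two points apply to the parallel hunks in pkg/apis/kops/v1alpha1/cluster.go and pkg/apis/kops/v1alpha2/cluster.go.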
@@ -234,10 +234,24 @@ type ClusterSpec struct {
 // API field controls how the API is exposed outside the cluster
 API *AccessSpec `json:"api,omitempty"`
 
+ // Authorization field controls how the cluster is configured for authorization
+ Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 // Tags for AWS instance groups
 CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }
 
+type AuthorizationSpec struct {
+ RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+ return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 DNS *DNSAccessSpec `json:"dns,omitempty"`
 LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index b1f330e47b..9806f40698 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -37,6 +37,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { return scheme.AddGeneratedConversionFuncs( Convert_v1alpha1_AccessSpec_To_kops_AccessSpec, Convert_kops_AccessSpec_To_v1alpha1_AccessSpec, + Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec, + Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec, Convert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec, Convert_kops_CNINetworkingSpec_To_v1alpha1_CNINetworkingSpec, Convert_v1alpha1_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec,
@@ -101,6 +103,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_kops_LoadBalancerAccessSpec_To_v1alpha1_LoadBalancerAccessSpec, Convert_v1alpha1_NetworkingSpec_To_kops_NetworkingSpec, Convert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec, + Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec, + Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec, Convert_v1alpha1_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec, Convert_kops_WeaveNetworkingSpec_To_v1alpha1_WeaveNetworkingSpec, ) 
@@ -158,6 +162,40 @@ func Convert_kops_AccessSpec_To_v1alpha1_AccessSpec(in *kops.AccessSpec, out *Ac return autoConvert_kops_AccessSpec_To_v1alpha1_AccessSpec(in, out, s) } +func autoConvert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error { + if in.RBAC != nil { + in, out := &in.RBAC, &out.RBAC + *out = new(kops.RBACAuthorizationSpec) + if err := Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.RBAC = nil + } + return nil +} + +func Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in, out, s) +} + +func autoConvert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error { + if in.RBAC != nil { + in, out := &in.RBAC, &out.RBAC + *out = new(RBACAuthorizationSpec) + if err := Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.RBAC = nil + } + return nil +} + +func Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error { + return autoConvert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in, out, s) +} + func autoConvert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetworkingSpec, out *kops.CNINetworkingSpec, s conversion.Scope) error { return nil } 
@@ -451,6 +489,15 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out * } else { out.API = nil } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = new(kops.AuthorizationSpec) + if err := Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Authorization = nil + } out.CloudLabels = in.CloudLabels return nil } @@ -598,6 +645,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec, } else { out.API = nil } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = new(AuthorizationSpec) + if err := Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Authorization = nil + } out.CloudLabels = in.CloudLabels return nil } 
@@ -1552,6 +1608,22 @@ func Convert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec(in *kops.NetworkingS return autoConvert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec(in, out, s) } +func autoConvert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error { + return nil +} + +func Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error { + return autoConvert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in, out, s) +} + +func autoConvert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error { + return nil +} + +func Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error { + return autoConvert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in, out, s) +} + func autoConvert_v1alpha1_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec(in *WeaveNetworkingSpec, out *kops.WeaveNetworkingSpec, s conversion.Scope) error { return nil } diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go index 98eb77477e..d02cd5ef8d 100644 --- a/pkg/apis/kops/v1alpha2/cluster.go +++ b/pkg/apis/kops/v1alpha2/cluster.go 
@@ -156,10 +156,24 @@ type ClusterSpec struct {
 // API field controls how the API is exposed outside the cluster
 API *AccessSpec `json:"api,omitempty"`
 
+ // Authorization field controls how the cluster is configured for authorization
+ Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 // Tags for AWS resources
 CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }
 
+type AuthorizationSpec struct {
+ RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+ return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 DNS *DNSAccessSpec `json:"dns,omitempty"`
 LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 55badc8335..f86ae7589d 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -37,6 +37,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { return scheme.AddGeneratedConversionFuncs( Convert_v1alpha2_AccessSpec_To_kops_AccessSpec, Convert_kops_AccessSpec_To_v1alpha2_AccessSpec, + Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec, + Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec, Convert_v1alpha2_BastionSpec_To_kops_BastionSpec, Convert_kops_BastionSpec_To_v1alpha2_BastionSpec, Convert_v1alpha2_CNINetworkingSpec_To_kops_CNINetworkingSpec,
@@ -105,6 +107,8 @@ func RegisterConversions(scheme *runtime.Scheme) error { Convert_kops_LoadBalancerAccessSpec_To_v1alpha2_LoadBalancerAccessSpec, Convert_v1alpha2_NetworkingSpec_To_kops_NetworkingSpec, Convert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec, + Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec, + Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec, Convert_v1alpha2_TopologySpec_To_kops_TopologySpec, Convert_kops_TopologySpec_To_v1alpha2_TopologySpec, Convert_v1alpha2_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec, 
@@ -164,6 +168,40 @@ func Convert_kops_AccessSpec_To_v1alpha2_AccessSpec(in *kops.AccessSpec, out *Ac return autoConvert_kops_AccessSpec_To_v1alpha2_AccessSpec(in, out, s) } +func autoConvert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error { + if in.RBAC != nil { + in, out := &in.RBAC, &out.RBAC + *out = new(kops.RBACAuthorizationSpec) + if err := Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.RBAC = nil + } + return nil +} + +func Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error { + return autoConvert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in, out, s) +} + +func autoConvert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error { + if in.RBAC != nil { + in, out := &in.RBAC, &out.RBAC + *out = new(RBACAuthorizationSpec) + if err := Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.RBAC = nil + } + return nil +} + +func Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error { + return autoConvert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in, out, s) +} + func autoConvert_v1alpha2_BastionSpec_To_kops_BastionSpec(in *BastionSpec, out *kops.BastionSpec, s conversion.Scope) error { out.BastionPublicName = in.BastionPublicName out.IdleTimeoutSeconds = in.IdleTimeoutSeconds 
@@ -487,6 +525,15 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out * } else { out.API = nil } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = new(kops.AuthorizationSpec) + if err := Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Authorization = nil + } out.CloudLabels = in.CloudLabels return nil } @@ -648,6 +695,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec, } else { out.API = nil } + if in.Authorization != nil { + in, out := &in.Authorization, &out.Authorization + *out = new(AuthorizationSpec) + if err := Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(*in, *out, s); err != nil { + return err + } + } else { + out.Authorization = nil + } out.CloudLabels = in.CloudLabels return nil } 
@@ -1650,6 +1706,22 @@ func Convert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec(in *kops.NetworkingS return autoConvert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec(in, out, s) } +func autoConvert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error { + return nil +} + +func Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error { + return autoConvert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in, out, s) +} + +func autoConvert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error { + return nil +} + +func Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error { + return autoConvert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in, out, s) +} + func autoConvert_v1alpha2_TopologySpec_To_kops_TopologySpec(in *TopologySpec, out *kops.TopologySpec, s conversion.Scope) error { out.Masters = in.Masters out.Nodes = in.Nodes
diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go
index 92aa737e0b..a81f5ef5a3 100644
--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@@ -75,6 +75,12 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 }
 }
 
+ if clusterSpec.Authorization != nil {
+ if clusterSpec.Authorization.RBAC != nil {
+ clusterSpec.KubeAPIServer.AuthorizationMode = fi.String("RBAC")
+ }
+ }
+
 return nil
 }
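Review bot: The new block in pkg/model/components/apiserver.go overwrites `clusterSpec.KubeAPIServer.AuthorizationMode` unconditionally whenever `Authorization.RBAC` is set, so an operator who has explicitly configured a different mode under `kubeAPIServer` gets it silently replaced instead of a validation error; setting it only when unset, `if clusterSpec.KubeAPIServer.AuthorizationMode == nil {`, or returning an error on conflict would make the precedence between the two settings explicit. When `Authorization` is non-nil but `RBAC` is nil the mode is left untouched, so whatever default applies elsewhere stays in force, and if that default is permissive it deserves a sentence on the `Authorization` field doc. The nested ifs collapse to `if clusterSpec.Authorization != nil && clusterSpec.Authorization.RBAC != nil {`. Whether `clusterSpec.KubeAPIServer` is guaranteed non-nil here cannot be seen from the hunk; `BuildOptions` begins outside it.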