rebase: bump k8s.io/kubernetes from 1.26.2 to 1.27.2

Bumps [k8s.io/kubernetes](https://github.com/kubernetes/kubernetes) from 1.26.2 to 1.27.2. - [Release notes](https://github.com/kubernetes/kubernetes/releases) - [Commits](https://github.com/kubernetes/kubernetes/compare/v1.26.2...v1.27.2) --- updated-dependencies: - dependency-name: k8s.io/kubernetes dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2025-06-13 18:43:34 +00:00 · 2023-05-29 21:03:29 +00:00
parent 0e79135419
commit 07b05616a0
1072 changed files with 208716 additions and 198880 deletions
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go
@ -0,0 +1,239 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package headerrequest
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	x509request "k8s.io/apiserver/pkg/authentication/request/x509"
+	"k8s.io/apiserver/pkg/authentication/user"
+	utilcert "k8s.io/client-go/util/cert"
+)
+
+// StringSliceProvider is a way to get a string slice value.  It is heavily used for authentication headers among other places.
+type StringSliceProvider interface {
+	// Value returns the current string slice.  Callers should never mutate the returned value.
+	Value() []string
+}
+
+// StringSliceProviderFunc is a function that matches the StringSliceProvider interface
+type StringSliceProviderFunc func() []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (d StringSliceProviderFunc) Value() []string {
+	return d()
+}
+
+// StaticStringSlice a StringSliceProvider that returns a fixed value
+type StaticStringSlice []string
+
+// Value returns the current string slice.  Callers should never mutate the returned value.
+func (s StaticStringSlice) Value() []string {
+	return s
+}
+
+type requestHeaderAuthRequestHandler struct {
+	// nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
+	nameHeaders StringSliceProvider
+
+	// groupHeaders are the headers to check (case-insensitively) for group membership.  All values of all headers will be added.
+	groupHeaders StringSliceProvider
+
+	// extraHeaderPrefixes are the head prefixes to check (case-insensitively) for filling in
+	// the user.Info.Extra.  All values of all matching headers will be added.
+	extraHeaderPrefixes StringSliceProvider
+}
+
+func New(nameHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator.Request, error) {
+	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewDynamic(
+		StaticStringSlice(trimmedNameHeaders),
+		StaticStringSlice(trimmedGroupHeaders),
+		StaticStringSlice(trimmedExtraHeaderPrefixes),
+	), nil
+}
+
+func NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
+	return &requestHeaderAuthRequestHandler{
+		nameHeaders:         nameHeaders,
+		groupHeaders:        groupHeaders,
+		extraHeaderPrefixes: extraHeaderPrefixes,
+	}
+}
+
+func trimHeaders(headerNames ...string) ([]string, error) {
+	ret := []string{}
+	for _, headerName := range headerNames {
+		trimmedHeader := strings.TrimSpace(headerName)
+		if len(trimmedHeader) == 0 {
+			return nil, fmt.Errorf("empty header %q", headerName)
+		}
+		ret = append(ret, trimmedHeader)
+	}
+
+	return ret, nil
+}
+
+func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, groupHeaders []string, extraHeaderPrefixes []string) (authenticator.Request, error) {
+	if len(clientCA) == 0 {
+		return nil, fmt.Errorf("missing clientCA file")
+	}
+
+	// Wrap with an x509 verifier
+	caData, err := ioutil.ReadFile(clientCA)
+	if err != nil {
+		return nil, fmt.Errorf("error reading %s: %v", clientCA, err)
+	}
+	opts := x509request.DefaultVerifyOptions()
+	opts.Roots = x509.NewCertPool()
+	certs, err := utilcert.ParseCertsPEM(caData)
+	if err != nil {
+		return nil, fmt.Errorf("error loading certs from  %s: %v", clientCA, err)
+	}
+	for _, cert := range certs {
+		opts.Roots.AddCert(cert)
+	}
+
+	trimmedNameHeaders, err := trimHeaders(nameHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedGroupHeaders, err := trimHeaders(groupHeaders...)
+	if err != nil {
+		return nil, err
+	}
+	trimmedExtraHeaderPrefixes, err := trimHeaders(extraHeaderPrefixes...)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewDynamicVerifyOptionsSecure(
+		x509request.StaticVerifierFn(opts),
+		StaticStringSlice(proxyClientNames),
+		StaticStringSlice(trimmedNameHeaders),
+		StaticStringSlice(trimmedGroupHeaders),
+		StaticStringSlice(trimmedExtraHeaderPrefixes),
+	), nil
+}
+
+func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request {
+	headerAuthenticator := NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes)
+
+	return x509request.NewDynamicCAVerifier(verifyOptionFn, headerAuthenticator, proxyClientNames)
+}
+
+func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	name := headerValue(req.Header, a.nameHeaders.Value())
+	if len(name) == 0 {
+		return nil, false, nil
+	}
+	groups := allHeaderValues(req.Header, a.groupHeaders.Value())
+	extra := newExtra(req.Header, a.extraHeaderPrefixes.Value())
+
+	// clear headers used for authentication
+	for _, headerName := range a.nameHeaders.Value() {
+		req.Header.Del(headerName)
+	}
+	for _, headerName := range a.groupHeaders.Value() {
+		req.Header.Del(headerName)
+	}
+	for k := range extra {
+		for _, prefix := range a.extraHeaderPrefixes.Value() {
+			req.Header.Del(prefix + k)
+		}
+	}
+
+	return &authenticator.Response{
+		User: &user.DefaultInfo{
+			Name:   name,
+			Groups: groups,
+			Extra:  extra,
+		},
+	}, true, nil
+}
+
+func headerValue(h http.Header, headerNames []string) string {
+	for _, headerName := range headerNames {
+		headerValue := h.Get(headerName)
+		if len(headerValue) > 0 {
+			return headerValue
+		}
+	}
+	return ""
+}
+
+func allHeaderValues(h http.Header, headerNames []string) []string {
+	ret := []string{}
+	for _, headerName := range headerNames {
+		headerKey := http.CanonicalHeaderKey(headerName)
+		values, ok := h[headerKey]
+		if !ok {
+			continue
+		}
+
+		for _, headerValue := range values {
+			if len(headerValue) > 0 {
+				ret = append(ret, headerValue)
+			}
+		}
+	}
+	return ret
+}
+
+func unescapeExtraKey(encodedKey string) string {
+	key, err := url.PathUnescape(encodedKey) // Decode %-encoded bytes.
+	if err != nil {
+		return encodedKey // Always record extra strings, even if malformed/unencoded.
+	}
+	return key
+}
+
+func newExtra(h http.Header, headerPrefixes []string) map[string][]string {
+	ret := map[string][]string{}
+
+	// we have to iterate over prefixes first in order to have proper ordering inside the value slices
+	for _, prefix := range headerPrefixes {
+		for headerName, vv := range h {
+			if !strings.HasPrefix(strings.ToLower(headerName), strings.ToLower(prefix)) {
+				continue
+			}
+
+			extraKey := unescapeExtraKey(strings.ToLower(headerName[len(prefix):]))
+			ret[extraKey] = append(ret[extraKey], vv...)
+		}
+	}
+
+	return ret
+}
--- a/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go
+++ b/vendor/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go
@ -0,0 +1,337 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package headerrequest
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	coreinformers "k8s.io/client-go/informers/core/v1"
+	"k8s.io/client-go/kubernetes"
+	corev1listers "k8s.io/client-go/listers/core/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+	"sync/atomic"
+)
+
+const (
+	authenticationRoleName = "extension-apiserver-authentication-reader"
+)
+
+// RequestHeaderAuthRequestProvider a provider that knows how to dynamically fill parts of RequestHeaderConfig struct
+type RequestHeaderAuthRequestProvider interface {
+	UsernameHeaders() []string
+	GroupHeaders() []string
+	ExtraHeaderPrefixes() []string
+	AllowedClientNames() []string
+}
+
+var _ RequestHeaderAuthRequestProvider = &RequestHeaderAuthRequestController{}
+
+type requestHeaderBundle struct {
+	UsernameHeaders     []string
+	GroupHeaders        []string
+	ExtraHeaderPrefixes []string
+	AllowedClientNames  []string
+}
+
+// RequestHeaderAuthRequestController a controller that exposes a set of methods for dynamically filling parts of RequestHeaderConfig struct.
+// The methods are sourced from the config map which is being monitored by this controller.
+// The controller is primed from the server at the construction time for components that don't want to dynamically react to changes
+// in the config map.
+type RequestHeaderAuthRequestController struct {
+	name string
+
+	configmapName      string
+	configmapNamespace string
+
+	client                  kubernetes.Interface
+	configmapLister         corev1listers.ConfigMapNamespaceLister
+	configmapInformer       cache.SharedIndexInformer
+	configmapInformerSynced cache.InformerSynced
+
+	queue workqueue.RateLimitingInterface
+
+	// exportedRequestHeaderBundle is a requestHeaderBundle that contains the last read, non-zero length content of the configmap
+	exportedRequestHeaderBundle atomic.Value
+
+	usernameHeadersKey     string
+	groupHeadersKey        string
+	extraHeaderPrefixesKey string
+	allowedClientNamesKey  string
+}
+
+// NewRequestHeaderAuthRequestController creates a new controller that implements RequestHeaderAuthRequestController
+func NewRequestHeaderAuthRequestController(
+	cmName string,
+	cmNamespace string,
+	client kubernetes.Interface,
+	usernameHeadersKey, groupHeadersKey, extraHeaderPrefixesKey, allowedClientNamesKey string) *RequestHeaderAuthRequestController {
+	c := &RequestHeaderAuthRequestController{
+		name: "RequestHeaderAuthRequestController",
+
+		client: client,
+
+		configmapName:      cmName,
+		configmapNamespace: cmNamespace,
+
+		usernameHeadersKey:     usernameHeadersKey,
+		groupHeadersKey:        groupHeadersKey,
+		extraHeaderPrefixesKey: extraHeaderPrefixesKey,
+		allowedClientNamesKey:  allowedClientNamesKey,
+
+		queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "RequestHeaderAuthRequestController"),
+	}
+
+	// we construct our own informer because we need such a small subset of the information available.  Just one namespace.
+	c.configmapInformer = coreinformers.NewFilteredConfigMapInformer(client, c.configmapNamespace, 12*time.Hour, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, func(listOptions *metav1.ListOptions) {
+		listOptions.FieldSelector = fields.OneTermEqualSelector("metadata.name", c.configmapName).String()
+	})
+
+	c.configmapInformer.AddEventHandler(cache.FilteringResourceEventHandler{
+		FilterFunc: func(obj interface{}) bool {
+			if cast, ok := obj.(*corev1.ConfigMap); ok {
+				return cast.Name == c.configmapName && cast.Namespace == c.configmapNamespace
+			}
+			if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok {
+				if cast, ok := tombstone.Obj.(*corev1.ConfigMap); ok {
+					return cast.Name == c.configmapName && cast.Namespace == c.configmapNamespace
+				}
+			}
+			return true // always return true just in case.  The checks are fairly cheap
+		},
+		Handler: cache.ResourceEventHandlerFuncs{
+			// we have a filter, so any time we're called, we may as well queue. We only ever check one configmap
+			// so we don't have to be choosy about our key.
+			AddFunc: func(obj interface{}) {
+				c.queue.Add(c.keyFn())
+			},
+			UpdateFunc: func(oldObj, newObj interface{}) {
+				c.queue.Add(c.keyFn())
+			},
+			DeleteFunc: func(obj interface{}) {
+				c.queue.Add(c.keyFn())
+			},
+		},
+	})
+
+	c.configmapLister = corev1listers.NewConfigMapLister(c.configmapInformer.GetIndexer()).ConfigMaps(c.configmapNamespace)
+	c.configmapInformerSynced = c.configmapInformer.HasSynced
+
+	return c
+}
+
+func (c *RequestHeaderAuthRequestController) UsernameHeaders() []string {
+	return c.loadRequestHeaderFor(c.usernameHeadersKey)
+}
+
+func (c *RequestHeaderAuthRequestController) GroupHeaders() []string {
+	return c.loadRequestHeaderFor(c.groupHeadersKey)
+}
+
+func (c *RequestHeaderAuthRequestController) ExtraHeaderPrefixes() []string {
+	return c.loadRequestHeaderFor(c.extraHeaderPrefixesKey)
+}
+
+func (c *RequestHeaderAuthRequestController) AllowedClientNames() []string {
+	return c.loadRequestHeaderFor(c.allowedClientNamesKey)
+}
+
+// Run starts RequestHeaderAuthRequestController controller and blocks until stopCh is closed.
+func (c *RequestHeaderAuthRequestController) Run(ctx context.Context, workers int) {
+	defer utilruntime.HandleCrash()
+	defer c.queue.ShutDown()
+
+	klog.Infof("Starting %s", c.name)
+	defer klog.Infof("Shutting down %s", c.name)
+
+	go c.configmapInformer.Run(ctx.Done())
+
+	// wait for caches to fill before starting your work
+	if !cache.WaitForNamedCacheSync(c.name, ctx.Done(), c.configmapInformerSynced) {
+		return
+	}
+
+	// doesn't matter what workers say, only start one.
+	go wait.Until(c.runWorker, time.Second, ctx.Done())
+
+	<-ctx.Done()
+}
+
+// // RunOnce runs a single sync loop
+func (c *RequestHeaderAuthRequestController) RunOnce(ctx context.Context) error {
+	configMap, err := c.client.CoreV1().ConfigMaps(c.configmapNamespace).Get(ctx, c.configmapName, metav1.GetOptions{})
+	switch {
+	case errors.IsNotFound(err):
+		// ignore, authConfigMap is nil now
+		return nil
+	case errors.IsForbidden(err):
+		klog.Warningf("Unable to get configmap/%s in %s.  Usually fixed by "+
+			"'kubectl create rolebinding -n %s ROLEBINDING_NAME --role=%s --serviceaccount=YOUR_NS:YOUR_SA'",
+			c.configmapName, c.configmapNamespace, c.configmapNamespace, authenticationRoleName)
+		return err
+	case err != nil:
+		return err
+	}
+	return c.syncConfigMap(configMap)
+}
+
+func (c *RequestHeaderAuthRequestController) runWorker() {
+	for c.processNextWorkItem() {
+	}
+}
+
+func (c *RequestHeaderAuthRequestController) processNextWorkItem() bool {
+	dsKey, quit := c.queue.Get()
+	if quit {
+		return false
+	}
+	defer c.queue.Done(dsKey)
+
+	err := c.sync()
+	if err == nil {
+		c.queue.Forget(dsKey)
+		return true
+	}
+
+	utilruntime.HandleError(fmt.Errorf("%v failed with : %v", dsKey, err))
+	c.queue.AddRateLimited(dsKey)
+
+	return true
+}
+
+// sync reads the config and propagates the changes to exportedRequestHeaderBundle
+// which is exposed by the set of methods that are used to fill RequestHeaderConfig struct
+func (c *RequestHeaderAuthRequestController) sync() error {
+	configMap, err := c.configmapLister.Get(c.configmapName)
+	if err != nil {
+		return err
+	}
+	return c.syncConfigMap(configMap)
+}
+
+func (c *RequestHeaderAuthRequestController) syncConfigMap(configMap *corev1.ConfigMap) error {
+	hasChanged, newRequestHeaderBundle, err := c.hasRequestHeaderBundleChanged(configMap)
+	if err != nil {
+		return err
+	}
+	if hasChanged {
+		c.exportedRequestHeaderBundle.Store(newRequestHeaderBundle)
+		klog.V(2).Infof("Loaded a new request header values for %v", c.name)
+	}
+	return nil
+}
+
+func (c *RequestHeaderAuthRequestController) hasRequestHeaderBundleChanged(cm *corev1.ConfigMap) (bool, *requestHeaderBundle, error) {
+	currentHeadersBundle, err := c.getRequestHeaderBundleFromConfigMap(cm)
+	if err != nil {
+		return false, nil, err
+	}
+
+	rawHeaderBundle := c.exportedRequestHeaderBundle.Load()
+	if rawHeaderBundle == nil {
+		return true, currentHeadersBundle, nil
+	}
+
+	// check to see if we have a change. If the values are the same, do nothing.
+	loadedHeadersBundle, ok := rawHeaderBundle.(*requestHeaderBundle)
+	if !ok {
+		return true, currentHeadersBundle, nil
+	}
+
+	if !equality.Semantic.DeepEqual(loadedHeadersBundle, currentHeadersBundle) {
+		return true, currentHeadersBundle, nil
+	}
+	return false, nil, nil
+}
+
+func (c *RequestHeaderAuthRequestController) getRequestHeaderBundleFromConfigMap(cm *corev1.ConfigMap) (*requestHeaderBundle, error) {
+	usernameHeaderCurrentValue, err := deserializeStrings(cm.Data[c.usernameHeadersKey])
+	if err != nil {
+		return nil, err
+	}
+
+	groupHeadersCurrentValue, err := deserializeStrings(cm.Data[c.groupHeadersKey])
+	if err != nil {
+		return nil, err
+	}
+
+	extraHeaderPrefixesCurrentValue, err := deserializeStrings(cm.Data[c.extraHeaderPrefixesKey])
+	if err != nil {
+		return nil, err
+
+	}
+
+	allowedClientNamesCurrentValue, err := deserializeStrings(cm.Data[c.allowedClientNamesKey])
+	if err != nil {
+		return nil, err
+	}
+
+	return &requestHeaderBundle{
+		UsernameHeaders:     usernameHeaderCurrentValue,
+		GroupHeaders:        groupHeadersCurrentValue,
+		ExtraHeaderPrefixes: extraHeaderPrefixesCurrentValue,
+		AllowedClientNames:  allowedClientNamesCurrentValue,
+	}, nil
+}
+
+func (c *RequestHeaderAuthRequestController) loadRequestHeaderFor(key string) []string {
+	rawHeaderBundle := c.exportedRequestHeaderBundle.Load()
+	if rawHeaderBundle == nil {
+		return nil // this can happen if we've been unable load data from the apiserver for some reason
+	}
+	headerBundle := rawHeaderBundle.(*requestHeaderBundle)
+
+	switch key {
+	case c.usernameHeadersKey:
+		return headerBundle.UsernameHeaders
+	case c.groupHeadersKey:
+		return headerBundle.GroupHeaders
+	case c.extraHeaderPrefixesKey:
+		return headerBundle.ExtraHeaderPrefixes
+	case c.allowedClientNamesKey:
+		return headerBundle.AllowedClientNames
+	default:
+		return nil
+	}
+}
+
+func (c *RequestHeaderAuthRequestController) keyFn() string {
+	// this format matches DeletionHandlingMetaNamespaceKeyFunc for our single key
+	return c.configmapNamespace + "/" + c.configmapName
+}
+
+func deserializeStrings(in string) ([]string, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
+	var ret []string
+	if err := json.Unmarshal([]byte(in), &ret); err != nil {
+		return nil, err
+	}
+	return ret, nil
+}