mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-06-14 02:43:36 +00:00
vendor update for CSI 0.3.0
This commit is contained in:
gman
11
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/BUILD
generated
vendored
11
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/BUILD
generated
vendored
@ -3,17 +3,6 @@ package(default_visibility = ["//visibility:public"])
|
||||
load(
|
||||
"@io_bazel_rules_go//go:def.bzl",
|
||||
"go_library",
|
||||
"go_test",
|
||||
)
|
||||
|
||||
go_test(
|
||||
name = "go_default_test",
|
||||
srcs = ["config_test.go"],
|
||||
data = [
|
||||
"//pkg/auth/authorizer/abac:example_policy",
|
||||
],
|
||||
embed = [":go_default_library"],
|
||||
deps = ["//pkg/kubeapiserver/authorizer/modes:go_default_library"],
|
||||
)
|
||||
|
||||
go_library(
|
||||
|
||||
35
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go
generated
vendored
35
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config.go
generated
vendored
@ -17,7 +17,6 @@ limitations under the License.
|
||||
package authorizer
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
@ -60,26 +59,22 @@ type AuthorizationConfig struct {
|
||||
// based on the authorizationMode or an error.
|
||||
func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {
|
||||
if len(config.AuthorizationModes) == 0 {
|
||||
return nil, nil, errors.New("At least one authorization mode should be passed")
|
||||
return nil, nil, fmt.Errorf("at least one authorization mode must be passed")
|
||||
}
|
||||
|
||||
var (
|
||||
authorizers []authorizer.Authorizer
|
||||
ruleResolvers []authorizer.RuleResolver
|
||||
)
|
||||
authorizerMap := make(map[string]bool)
|
||||
|
||||
for _, authorizationMode := range config.AuthorizationModes {
|
||||
if authorizerMap[authorizationMode] {
|
||||
return nil, nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode)
|
||||
}
|
||||
|
||||
// Keep cases in sync with constant list above.
|
||||
// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
|
||||
switch authorizationMode {
|
||||
case modes.ModeNode:
|
||||
graph := node.NewGraph()
|
||||
node.AddGraphEventHandlers(
|
||||
graph,
|
||||
config.InformerFactory.Core().InternalVersion().Nodes(),
|
||||
config.InformerFactory.Core().InternalVersion().Pods(),
|
||||
config.InformerFactory.Core().InternalVersion().PersistentVolumes(),
|
||||
config.VersionedInformerFactory.Storage().V1beta1().VolumeAttachments(),
|
||||
@ -96,9 +91,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
|
||||
authorizers = append(authorizers, alwaysDenyAuthorizer)
|
||||
ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
|
||||
case modes.ModeABAC:
|
||||
if config.PolicyFile == "" {
|
||||
return nil, nil, errors.New("ABAC's authorization policy file not passed")
|
||||
}
|
||||
abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
@ -106,9 +98,6 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
|
||||
authorizers = append(authorizers, abacAuthorizer)
|
||||
ruleResolvers = append(ruleResolvers, abacAuthorizer)
|
||||
case modes.ModeWebhook:
|
||||
if config.WebhookConfigFile == "" {
|
||||
return nil, nil, errors.New("Webhook's configuration file not passed")
|
||||
}
|
||||
webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
|
||||
config.WebhookCacheAuthorizedTTL,
|
||||
config.WebhookCacheUnauthorizedTTL)
|
||||
@ -119,24 +108,16 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleR
|
||||
ruleResolvers = append(ruleResolvers, webhookAuthorizer)
|
||||
case modes.ModeRBAC:
|
||||
rbacAuthorizer := rbac.New(
|
||||
&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
|
||||
&rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
|
||||
&rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
|
||||
&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
|
||||
&rbac.RoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().Roles().Lister()},
|
||||
&rbac.RoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().RoleBindings().Lister()},
|
||||
&rbac.ClusterRoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoles().Lister()},
|
||||
&rbac.ClusterRoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoleBindings().Lister()},
|
||||
)
|
||||
authorizers = append(authorizers, rbacAuthorizer)
|
||||
ruleResolvers = append(ruleResolvers, rbacAuthorizer)
|
||||
default:
|
||||
return nil, nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode)
|
||||
return nil, nil, fmt.Errorf("unknown authorization mode %s specified", authorizationMode)
|
||||
}
|
||||
authorizerMap[authorizationMode] = true
|
||||
}
|
||||
|
||||
if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" {
|
||||
return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
|
||||
}
|
||||
if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" {
|
||||
return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
|
||||
}
|
||||
|
||||
return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
|
||||
|
||||
101
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config_test.go
generated
vendored
101
vendor/k8s.io/kubernetes/pkg/kubeapiserver/authorizer/config_test.go
generated
vendored
@ -1,101 +0,0 @@
|
||||
/*
|
||||
Copyright 2016 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package authorizer
|
||||
|
||||
import (
|
||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||
"testing"
|
||||
)
|
||||
|
||||
// New has multiple return possibilities. This test
|
||||
// validates that errors are returned only when proper.
|
||||
func TestNew(t *testing.T) {
|
||||
examplePolicyFile := "../../auth/authorizer/abac/example_policy_file.jsonl"
|
||||
|
||||
tests := []struct {
|
||||
config AuthorizationConfig
|
||||
wantErr bool
|
||||
msg string
|
||||
}{
|
||||
{
|
||||
// Unknown modes should return errors
|
||||
config: AuthorizationConfig{AuthorizationModes: []string{"DoesNotExist"}},
|
||||
wantErr: true,
|
||||
msg: "using a fake mode should have returned an error",
|
||||
},
|
||||
{
|
||||
// ModeAlwaysAllow and ModeAlwaysDeny should return without authorizationPolicyFile
|
||||
// but error if one is given
|
||||
config: AuthorizationConfig{AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny}},
|
||||
msg: "returned an error for valid config",
|
||||
},
|
||||
{
|
||||
// ModeABAC requires a policy file
|
||||
config: AuthorizationConfig{AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC}},
|
||||
wantErr: true,
|
||||
msg: "specifying ABAC with no policy file should return an error",
|
||||
},
|
||||
{
|
||||
// ModeABAC should not error if a valid policy path is provided
|
||||
config: AuthorizationConfig{
|
||||
AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny, modes.ModeABAC},
|
||||
PolicyFile: examplePolicyFile,
|
||||
},
|
||||
msg: "errored while using a valid policy file",
|
||||
},
|
||||
{
|
||||
|
||||
// Authorization Policy file cannot be used without ModeABAC
|
||||
config: AuthorizationConfig{
|
||||
AuthorizationModes: []string{modes.ModeAlwaysAllow, modes.ModeAlwaysDeny},
|
||||
PolicyFile: examplePolicyFile,
|
||||
},
|
||||
wantErr: true,
|
||||
msg: "should have errored when Authorization Policy File is used without ModeABAC",
|
||||
},
|
||||
{
|
||||
// At least one authorizationMode is necessary
|
||||
config: AuthorizationConfig{PolicyFile: examplePolicyFile},
|
||||
wantErr: true,
|
||||
msg: "should have errored when no authorization modes are passed",
|
||||
},
|
||||
{
|
||||
// ModeWebhook requires at minimum a target.
|
||||
config: AuthorizationConfig{AuthorizationModes: []string{modes.ModeWebhook}},
|
||||
wantErr: true,
|
||||
msg: "should have errored when config was empty with ModeWebhook",
|
||||
},
|
||||
{
|
||||
// Cannot provide webhook flags without ModeWebhook
|
||||
config: AuthorizationConfig{
|
||||
AuthorizationModes: []string{modes.ModeAlwaysAllow},
|
||||
WebhookConfigFile: "authz_webhook_config.yml",
|
||||
},
|
||||
wantErr: true,
|
||||
msg: "should have errored when Webhook config file is used without ModeWebhook",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
_, _, err := tt.config.New()
|
||||
if tt.wantErr && (err == nil) {
|
||||
t.Errorf("New %s", tt.msg)
|
||||
} else if !tt.wantErr && (err != nil) {
|
||||
t.Errorf("New %s: %v", tt.msg, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user