GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

apiserver

package

v1.31.0-alpha.2 Latest Latest Go to latest Published: Jun 18, 2024 License: Apache-2.0 Imports: 90 Imported by: 6

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Documentation ¶

Index ¶

Constants
Variables
func BuildAuthorizer(ctx context.Context, s options.CompletedOptions, ...) (authorizer.Authorizer, authorizer.RuleResolver, bool, error)
func BuildGenericConfig(s options.CompletedOptions, schemes []*runtime.Scheme, ...) (genericConfig *genericapiserver.Config, ...)
func BuildPeerProxy(versionedInformer clientgoinformers.SharedInformerFactory, ...) (utilpeerproxy.Interface, error)
func CreateAPIExtensionsConfig(kubeAPIServerConfig server.Config, ...) (*apiextensionsapiserver.Config, error)
func CreateAggregatorConfig(kubeAPIServerConfig genericapiserver.Config, ...) (*aggregatorapiserver.Config, error)
func CreateAggregatorServer(aggregatorConfig aggregatorapiserver.CompletedConfig, ...) (*aggregatorapiserver.APIAggregator, error)
func CreatePeerEndpointLeaseReconciler(c genericapiserver.Config, storageFactory serverstorage.StorageFactory) (reconcilers.PeerEndpointLeaseReconciler, error)
func CreateProxyTransport() *http.Transport
func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePriority
type APIServicePriority
type CompletedConfig
- func (c *CompletedConfig) GenericStorageProviders(discovery discovery.DiscoveryInterface) ([]RESTStorageProvider, error)
- func (c CompletedConfig) New(name string, delegationTarget genericapiserver.DelegationTarget) (*Server, error)
- func (c *CompletedConfig) NewCoreGenericConfig() *corerest.GenericConfig
type Config
- func CreateConfig(opts options.CompletedOptions, genericConfig *genericapiserver.Config, ...) (*Config, []admission.PluginInitializer, error)
- func (c *Config) Complete() CompletedConfig
type Extra
type RESTStorageProvider
type Server
- func (s *Server) InstallAPIs(restStorageProviders ...RESTStorageProvider) error

Constants ¶

View Source

const (
	// DefaultPeerEndpointReconcileInterval is the default amount of time for how often
	// the peer endpoint leases are reconciled.
	DefaultPeerEndpointReconcileInterval = 10 * time.Second
	// DefaultPeerEndpointReconcilerTTL is the default TTL timeout for peer endpoint
	// leases on the storage layer
	DefaultPeerEndpointReconcilerTTL = 15 * time.Second
)

View Source

const (
	// IdentityLeaseComponentLabelKey is used to apply a component label to identity lease objects, indicating:
	//   1. the lease is an identity lease (different from leader election leases)
	//   2. which component owns this lease
	IdentityLeaseComponentLabelKey = "apiserver.kubernetes.io/identity"
)

Variables ¶

View Source

var (
	// IdentityLeaseGCPeriod is the interval which the lease GC controller checks for expired leases
	// IdentityLeaseGCPeriod is exposed so integration tests can tune this value.
	IdentityLeaseGCPeriod = 3600 * time.Second
	// IdentityLeaseDurationSeconds is the duration of kube-apiserver lease in seconds
	// IdentityLeaseDurationSeconds is exposed so integration tests can tune this value.
	IdentityLeaseDurationSeconds = 3600
	// IdentityLeaseRenewIntervalPeriod is the interval of kube-apiserver renewing its lease in seconds
	// IdentityLeaseRenewIntervalPeriod is exposed so integration tests can tune this value.
	IdentityLeaseRenewIntervalPeriod = 10 * time.Second
)

Functions ¶

func BuildAuthorizer ¶

func BuildAuthorizer(ctx context.Context, s options.CompletedOptions, egressSelector *egressselector.EgressSelector, apiserverID string, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, bool, error)

BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, false, nil

func BuildGenericConfig ¶

func BuildGenericConfig(
	s options.CompletedOptions,
	schemes []*runtime.Scheme,
	resourceConfig *serverstorage.ResourceConfig,
	getOpenAPIDefinitions func(ref openapicommon.ReferenceCallback) map[string]openapicommon.OpenAPIDefinition,
) (
	genericConfig *genericapiserver.Config,
	versionedInformers clientgoinformers.SharedInformerFactory,
	storageFactory *serverstorage.DefaultStorageFactory,
	lastErr error,
)

BuildGenericConfig takes the generic controlplane apiserver options and produces the genericapiserver.Config associated with it. The genericapiserver.Config is often shared between multiple delegated apiservers.

func BuildPeerProxy ¶

func BuildPeerProxy(versionedInformer clientgoinformers.SharedInformerFactory, svm storageversion.Manager,
	proxyClientCertFile string, proxyClientKeyFile string, peerCAFile string, peerAdvertiseAddress reconcilers.PeerAdvertiseAddress,
	apiServerID string, reconciler reconcilers.PeerEndpointLeaseReconciler, serializer runtime.NegotiatedSerializer) (utilpeerproxy.Interface, error)

func CreateAPIExtensionsConfig ¶

func CreateAPIExtensionsConfig(
	kubeAPIServerConfig server.Config,
	kubeInformers informers.SharedInformerFactory,
	pluginInitializers []admission.PluginInitializer,
	commandOptions options.CompletedOptions,
	masterCount int,
	serviceResolver webhook.ServiceResolver,
	authResolverWrapper webhook.AuthenticationInfoResolverWrapper,
) (*apiextensionsapiserver.Config, error)

func CreateAggregatorConfig ¶ added in v1.31.0

func CreateAggregatorConfig(
	kubeAPIServerConfig genericapiserver.Config,
	commandOptions options.CompletedOptions,
	externalInformers kubeexternalinformers.SharedInformerFactory,
	serviceResolver aggregatorapiserver.ServiceResolver,
	proxyTransport *http.Transport,
	peerProxy utilpeerproxy.Interface,
	pluginInitializers []admission.PluginInitializer,
) (*aggregatorapiserver.Config, error)

func CreateAggregatorServer ¶ added in v1.31.0

func CreateAggregatorServer(aggregatorConfig aggregatorapiserver.CompletedConfig, delegateAPIServer genericapiserver.DelegationTarget, crds apiextensionsinformers.CustomResourceDefinitionInformer, crdAPIEnabled bool, apiVersionPriorities map[schema.GroupVersion]APIServicePriority) (*aggregatorapiserver.APIAggregator, error)

func CreatePeerEndpointLeaseReconciler ¶

func CreatePeerEndpointLeaseReconciler(c genericapiserver.Config, storageFactory serverstorage.StorageFactory) (reconcilers.PeerEndpointLeaseReconciler, error)

CreatePeerEndpointLeaseReconciler creates a apiserver endpoint lease reconciliation loop The peer endpoint leases are used to find network locations of apiservers for peer proxy

func CreateProxyTransport ¶ added in v1.31.0

func CreateProxyTransport() *http.Transport

CreateProxyTransport creates the dialer infrastructure to connect to the nodes.

func DefaultGenericAPIServicePriorities ¶ added in v1.31.0

func DefaultGenericAPIServicePriorities() map[schema.GroupVersion]APIServicePriority

DefaultGenericAPIServicePriorities returns the APIService priorities for generic APIs

Types ¶

type APIServicePriority ¶ added in v1.31.0

type APIServicePriority struct {
	// Group indicates the order of the group relative to other groups.
	Group int32
	// Version indicates the relative order of the Version inside of its group.
	Version int32
}

APIServicePriority defines group priority that is used in discovery. This controls group position in the kubectl output.

type CompletedConfig ¶ added in v1.31.0

type CompletedConfig struct {
	// contains filtered or unexported fields
}

CompletedConfig embeds a private pointer that cannot be instantiated outside of this package

func (*CompletedConfig) GenericStorageProviders ¶ added in v1.31.0

func (c *CompletedConfig) GenericStorageProviders(discovery discovery.DiscoveryInterface) ([]RESTStorageProvider, error)

GenericStorageProviders returns a set of APIs for a generic control plane. They ought to be a subset of those served by kube-apiserver.

func (CompletedConfig) New ¶ added in v1.31.0

func (c CompletedConfig) New(name string, delegationTarget genericapiserver.DelegationTarget) (*Server, error)

New returns a new instance of Master from the given config. Certain config fields will be set to a default value if unset. Certain config fields must be specified, including: KubeletClientConfig

func (*CompletedConfig) NewCoreGenericConfig ¶ added in v1.31.0

func (c *CompletedConfig) NewCoreGenericConfig() *corerest.GenericConfig

NewCoreGenericConfig returns a new core rest generic config.

type Config ¶ added in v1.31.0

type Config struct {
	Generic *genericapiserver.Config
	Extra
}

Config defines configuration for the master

func CreateConfig ¶ added in v1.31.0

func CreateConfig(
	opts options.CompletedOptions,
	genericConfig *genericapiserver.Config,
	versionedInformers clientgoinformers.SharedInformerFactory,
	storageFactory *serverstorage.DefaultStorageFactory,
	serviceResolver aggregatorapiserver.ServiceResolver,
	additionalInitializers []admission.PluginInitializer,
) (
	*Config,
	[]admission.PluginInitializer,
	error,
)

CreateConfig takes the generic controlplane apiserver options and creates a config for the generic Kube APIs out of it.

func (*Config) Complete ¶ added in v1.31.0

func (c *Config) Complete() CompletedConfig

type Extra ¶ added in v1.31.0

type Extra struct {
	ClusterAuthenticationInfo clusterauthenticationtrust.ClusterAuthenticationInfo

	APIResourceConfigSource serverstorage.APIResourceConfigSource
	StorageFactory          serverstorage.StorageFactory
	EventTTL                time.Duration

	EnableLogsSupport bool
	ProxyTransport    *http.Transport

	// PeerProxy, if not nil, sets proxy transport between kube-apiserver peers for requests
	// that can not be served locally
	PeerProxy utilpeerproxy.Interface
	// PeerEndpointReconcileInterval defines how often the endpoint leases are reconciled in etcd.
	PeerEndpointReconcileInterval time.Duration
	// PeerEndpointLeaseReconciler updates the peer endpoint leases
	PeerEndpointLeaseReconciler peerreconcilers.PeerEndpointLeaseReconciler
	// PeerAdvertiseAddress is the IP for this kube-apiserver which is used by peer apiservers to route a request
	// to this apiserver. This happens in cases where the peer is not able to serve the request due to
	// version skew. If unset, AdvertiseAddress/BindAddress will be used.
	PeerAdvertiseAddress peerreconcilers.PeerAdvertiseAddress

	ServiceAccountIssuer        serviceaccount.TokenGenerator
	ServiceAccountMaxExpiration time.Duration
	ExtendExpiration            bool

	// ServiceAccountIssuerDiscovery
	ServiceAccountIssuerURL  string
	ServiceAccountJWKSURI    string
	ServiceAccountPublicKeys []interface{}

	SystemNamespaces []string

	VersionedInformers clientgoinformers.SharedInformerFactory
}

type RESTStorageProvider ¶ added in v1.31.0

type RESTStorageProvider interface {
	GroupName() string
	NewRESTStorage(apiResourceConfigSource serverstorage.APIResourceConfigSource, restOptionsGetter generic.RESTOptionsGetter) (genericapiserver.APIGroupInfo, error)
}

RESTStorageProvider is a factory type for REST storage.

type Server ¶ added in v1.31.0

type Server struct {
	GenericAPIServer *genericapiserver.GenericAPIServer

	APIResourceConfigSource   serverstorage.APIResourceConfigSource
	RESTOptionsGetter         genericregistry.RESTOptionsGetter
	ClusterAuthenticationInfo clusterauthenticationtrust.ClusterAuthenticationInfo
	VersionedInformers        clientgoinformers.SharedInformerFactory
}

Server is a struct that contains a generic control plane apiserver instance that can be run to start serving the APIs.

func (*Server) InstallAPIs ¶ added in v1.31.0

func (s *Server) InstallAPIs(restStorageProviders ...RESTStorageProvider) error

InstallAPIs will install the APIs for the restStorageProviders if they are enabled.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
admission
options Package options contains flags and options for initializing an apiserver	Package options contains flags and options for initializing an apiserver

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL