Sign In
golang
/
flannel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6edfac9cb
Branches Tags
flannel
/
vendor
/
k8s.io
/
kubernetes
/
cmd
/
kube-apiserver
/
app
/
server.go

server.go 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310 
  1. /*
    2. 

  2. Copyright 2014 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. // Package app does all of the work necessary to create a Kubernetes
    18. 

  18. // APIServer by binding together the API, master and APIServer infrastructure.
    19. 

  19. // It can be configured and called directly or via the hyperkube framework.
    20. 

  20. package app
    21. 

  21. 

  22. import (
    23. 

  23. 	"crypto/tls"
    24. 

  24. 	"net"
    25. 

  25. 	"net/url"
    26. 

  26. 	"strconv"
    27. 

  27. 	"strings"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"github.com/golang/glog"
    31. 

  31. 	"github.com/spf13/cobra"
    32. 

  32. 	"github.com/spf13/pflag"
    33. 

  33. 

  34. 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
    35. 

  35. 	"k8s.io/kubernetes/pkg/admission"
    36. 

  36. 	"k8s.io/kubernetes/pkg/api"
    37. 

  37. 	"k8s.io/kubernetes/pkg/api/unversioned"
    38. 

  38. 	"k8s.io/kubernetes/pkg/apis/autoscaling"
    39. 

  39. 	"k8s.io/kubernetes/pkg/apis/batch"
    40. 

  40. 	"k8s.io/kubernetes/pkg/apis/extensions"
    41. 

  41. 	"k8s.io/kubernetes/pkg/apis/rbac"
    42. 

  42. 	"k8s.io/kubernetes/pkg/apiserver"
    43. 

  43. 	"k8s.io/kubernetes/pkg/apiserver/authenticator"
    44. 

  44. 	"k8s.io/kubernetes/pkg/capabilities"
    45. 

  45. 	"k8s.io/kubernetes/pkg/cloudprovider"
    46. 

  46. 	"k8s.io/kubernetes/pkg/controller/framework/informers"
    47. 

  47. 	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
    48. 

  48. 	"k8s.io/kubernetes/pkg/genericapiserver"
    49. 

  49. 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
    50. 

  50. 	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
    51. 

  51. 	genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
    52. 

  52. 	kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
    53. 

  53. 	"k8s.io/kubernetes/pkg/master"
    54. 

  54. 	"k8s.io/kubernetes/pkg/registry/cachesize"
    55. 

  55. 	"k8s.io/kubernetes/pkg/registry/clusterrole"
    56. 

  56. 	clusterroleetcd "k8s.io/kubernetes/pkg/registry/clusterrole/etcd"
    57. 

  57. 	"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
    58. 

  58. 	clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/clusterrolebinding/etcd"
    59. 

  59. 	"k8s.io/kubernetes/pkg/registry/generic"
    60. 

  60. 	"k8s.io/kubernetes/pkg/registry/role"
    61. 

  61. 	roleetcd "k8s.io/kubernetes/pkg/registry/role/etcd"
    62. 

  62. 	"k8s.io/kubernetes/pkg/registry/rolebinding"
    63. 

  63. 	rolebindingetcd "k8s.io/kubernetes/pkg/registry/rolebinding/etcd"
    64. 

  64. 	"k8s.io/kubernetes/pkg/serviceaccount"
    65. 

  65. 	"k8s.io/kubernetes/pkg/util/wait"
    66. 

  66. )
    67. 

  67. 

  68. // NewAPIServerCommand creates a *cobra.Command object with default parameters
    69. 

  69. func NewAPIServerCommand() *cobra.Command {
    70. 

  70. 	s := options.NewAPIServer()
    71. 

  71. 	s.AddFlags(pflag.CommandLine)
    72. 

  72. 	cmd := &cobra.Command{
    73. 

  73. 		Use: "kube-apiserver",
    74. 

  74. 		Long: `The Kubernetes API server validates and configures data
    75. 

  75. for the api objects which include pods, services, replicationcontrollers, and
    76. 

  76. others. The API Server services REST operations and provides the frontend to the
    77. 

  77. cluster's shared state through which all other components interact.`,
    78. 

  78. 		Run: func(cmd *cobra.Command, args []string) {
    79. 

  79. 		},
    80. 

  80. 	}
    81. 

  81. 

  82. 	return cmd
    83. 

  83. }
    84. 

  84. 

  85. // Run runs the specified APIServer.  This should never exit.
    86. 

  86. func Run(s *options.APIServer) error {
    87. 

  87. 	genericvalidation.VerifyEtcdServersList(s.ServerRunOptions)
    88. 

  88. 	genericapiserver.DefaultAndValidateRunOptions(s.ServerRunOptions)
    89. 

  89. 

  90. 	capabilities.Initialize(capabilities.Capabilities{
    91. 

  91. 		AllowPrivileged: s.AllowPrivileged,
    92. 

  92. 		// TODO(vmarmol): Implement support for HostNetworkSources.
    93. 

  93. 		PrivilegedSources: capabilities.PrivilegedSources{
    94. 

  94. 			HostNetworkSources: []string{},
    95. 

  95. 			HostPIDSources:     []string{},
    96. 

  96. 			HostIPCSources:     []string{},
    97. 

  97. 		},
    98. 

  98. 		PerConnectionBandwidthLimitBytesPerSec: s.MaxConnectionBytesPerSec,
    99. 

  99. 	})
    100. 

  100. 

  101. 	// Setup tunneler if needed
    102. 

  102. 	var tunneler genericapiserver.Tunneler
    103. 

  103. 	var proxyDialerFn apiserver.ProxyDialerFunc
    104. 

  104. 	if len(s.SSHUser) > 0 {
    105. 

  105. 		// Get ssh key distribution func, if supported
    106. 

  106. 		var installSSH genericapiserver.InstallSSHKey
    107. 

  107. 		cloud, err := cloudprovider.InitCloudProvider(s.CloudProvider, s.CloudConfigFile)
    108. 

  108. 		if err != nil {
    109. 

  109. 			glog.Fatalf("Cloud provider could not be initialized: %v", err)
    110. 

  110. 		}
    111. 

  111. 		if cloud != nil {
    112. 

  112. 			if instances, supported := cloud.Instances(); supported {
    113. 

  113. 				installSSH = instances.AddSSHKeyToAllInstances
    114. 

  114. 			}
    115. 

  115. 		}
    116. 

  116. 		if s.KubeletConfig.Port == 0 {
    117. 

  117. 			glog.Fatalf("Must enable kubelet port if proxy ssh-tunneling is specified.")
    118. 

  118. 		}
    119. 

  119. 		// Set up the tunneler
    120. 

  120. 		// TODO(cjcullen): If we want this to handle per-kubelet ports or other
    121. 

  121. 		// kubelet listen-addresses, we need to plumb through options.
    122. 

  122. 		healthCheckPath := &url.URL{
    123. 

  123. 			Scheme: "https",
    124. 

  124. 			Host:   net.JoinHostPort("127.0.0.1", strconv.FormatUint(uint64(s.KubeletConfig.Port), 10)),
    125. 

  125. 			Path:   "healthz",
    126. 

  126. 		}
    127. 

  127. 		tunneler = genericapiserver.NewSSHTunneler(s.SSHUser, s.SSHKeyfile, healthCheckPath, installSSH)
    128. 

  128. 

  129. 		// Use the tunneler's dialer to connect to the kubelet
    130. 

  130. 		s.KubeletConfig.Dial = tunneler.Dial
    131. 

  131. 		// Use the tunneler's dialer when proxying to pods, services, and nodes
    132. 

  132. 		proxyDialerFn = tunneler.Dial
    133. 

  133. 	}
    134. 

  134. 

  135. 	// Proxying to pods and services is IP-based... don't expect to be able to verify the hostname
    136. 

  136. 	proxyTLSClientConfig := &tls.Config{InsecureSkipVerify: true}
    137. 

  137. 

  138. 	kubeletClient, err := kubeletclient.NewStaticKubeletClient(&s.KubeletConfig)
    139. 

  139. 	if err != nil {
    140. 

  140. 		glog.Fatalf("Failed to start kubelet client: %v", err)
    141. 

  141. 	}
    142. 

  142. 

  143. 	storageGroupsToEncodingVersion, err := s.StorageGroupsToEncodingVersion()
    144. 

  144. 	if err != nil {
    145. 

  145. 		glog.Fatalf("error generating storage version map: %s", err)
    146. 

  146. 	}
    147. 

  147. 	storageFactory, err := genericapiserver.BuildDefaultStorageFactory(
    148. 

  148. 		s.StorageConfig, s.DefaultStorageMediaType, api.Codecs,
    149. 

  149. 		genericapiserver.NewDefaultResourceEncodingConfig(), storageGroupsToEncodingVersion,
    150. 

  150. 		// FIXME: this GroupVersionResource override should be configurable
    151. 

  151. 		[]unversioned.GroupVersionResource{batch.Resource("scheduledjobs").WithVersion("v2alpha1")},
    152. 

  152. 		master.DefaultAPIResourceConfigSource(), s.RuntimeConfig)
    153. 

  153. 	if err != nil {
    154. 

  154. 		glog.Fatalf("error in initializing storage factory: %s", err)
    155. 

  155. 	}
    156. 

  156. 	storageFactory.AddCohabitatingResources(batch.Resource("jobs"), extensions.Resource("jobs"))
    157. 

  157. 	storageFactory.AddCohabitatingResources(autoscaling.Resource("horizontalpodautoscalers"), extensions.Resource("horizontalpodautoscalers"))
    158. 

  158. 	for _, override := range s.EtcdServersOverrides {
    159. 

  159. 		tokens := strings.Split(override, "#")
    160. 

  160. 		if len(tokens) != 2 {
    161. 

  161. 			glog.Errorf("invalid value of etcd server overrides: %s", override)
    162. 

  162. 			continue
    163. 

  163. 		}
    164. 

  164. 

  165. 		apiresource := strings.Split(tokens[0], "/")
    166. 

  166. 		if len(apiresource) != 2 {
    167. 

  167. 			glog.Errorf("invalid resource definition: %s", tokens[0])
    168. 

  168. 			continue
    169. 

  169. 		}
    170. 

  170. 		group := apiresource[0]
    171. 

  171. 		resource := apiresource[1]
    172. 

  172. 		groupResource := unversioned.GroupResource{Group: group, Resource: resource}
    173. 

  173. 

  174. 		servers := strings.Split(tokens[1], ";")
    175. 

  175. 		storageFactory.SetEtcdLocation(groupResource, servers)
    176. 

  176. 	}
    177. 

  177. 

  178. 	// Default to the private server key for service account token signing
    179. 

  179. 	if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
    180. 

  180. 		if authenticator.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
    181. 

  181. 			s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
    182. 

  182. 		} else {
    183. 

  183. 			glog.Warning("No RSA key provided, service account token authentication disabled")
    184. 

  184. 		}
    185. 

  185. 	}
    186. 

  186. 

  187. 	var serviceAccountGetter serviceaccount.ServiceAccountTokenGetter
    188. 

  188. 	if s.ServiceAccountLookup {
    189. 

  189. 		// If we need to look up service accounts and tokens,
    190. 

  190. 		// go directly to etcd to avoid recursive auth insanity
    191. 

  191. 		storageConfig, err := storageFactory.NewConfig(api.Resource("serviceaccounts"))
    192. 

  192. 		if err != nil {
    193. 

  193. 			glog.Fatalf("Unable to get serviceaccounts storage: %v", err)
    194. 

  194. 		}
    195. 

  195. 		serviceAccountGetter = serviceaccountcontroller.NewGetterFromStorageInterface(storageConfig, storageFactory.ResourcePrefix(api.Resource("serviceaccounts")), storageFactory.ResourcePrefix(api.Resource("secrets")))
    196. 

  196. 	}
    197. 

  197. 

  198. 	authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
    199. 

  199. 		BasicAuthFile:               s.BasicAuthFile,
    200. 

  200. 		ClientCAFile:                s.ClientCAFile,
    201. 

  201. 		TokenAuthFile:               s.TokenAuthFile,
    202. 

  202. 		OIDCIssuerURL:               s.OIDCIssuerURL,
    203. 

  203. 		OIDCClientID:                s.OIDCClientID,
    204. 

  204. 		OIDCCAFile:                  s.OIDCCAFile,
    205. 

  205. 		OIDCUsernameClaim:           s.OIDCUsernameClaim,
    206. 

  206. 		OIDCGroupsClaim:             s.OIDCGroupsClaim,
    207. 

  207. 		ServiceAccountKeyFile:       s.ServiceAccountKeyFile,
    208. 

  208. 		ServiceAccountLookup:        s.ServiceAccountLookup,
    209. 

  209. 		ServiceAccountTokenGetter:   serviceAccountGetter,
    210. 

  210. 		KeystoneURL:                 s.KeystoneURL,
    211. 

  211. 		WebhookTokenAuthnConfigFile: s.WebhookTokenAuthnConfigFile,
    212. 

  212. 		WebhookTokenAuthnCacheTTL:   s.WebhookTokenAuthnCacheTTL,
    213. 

  213. 	})
    214. 

  214. 

  215. 	if err != nil {
    216. 

  216. 		glog.Fatalf("Invalid Authentication Config: %v", err)
    217. 

  217. 	}
    218. 

  218. 

  219. 	authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
    220. 

  220. 

  221. 	modeEnabled := func(mode string) bool {
    222. 

  222. 		for _, m := range authorizationModeNames {
    223. 

  223. 			if m == mode {
    224. 

  224. 				return true
    225. 

  225. 			}
    226. 

  226. 		}
    227. 

  227. 		return false
    228. 

  228. 	}
    229. 

  229. 

  230. 	authorizationConfig := authorizer.AuthorizationConfig{
    231. 

  231. 		PolicyFile:                  s.AuthorizationPolicyFile,
    232. 

  232. 		WebhookConfigFile:           s.AuthorizationWebhookConfigFile,
    233. 

  233. 		WebhookCacheAuthorizedTTL:   s.AuthorizationWebhookCacheAuthorizedTTL,
    234. 

  234. 		WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
    235. 

  235. 		RBACSuperUser:               s.AuthorizationRBACSuperUser,
    236. 

  236. 	}
    237. 

  237. 	if modeEnabled(genericoptions.ModeRBAC) {
    238. 

  238. 		mustGetRESTOptions := func(resource string) generic.RESTOptions {
    239. 

  239. 			config, err := storageFactory.NewConfig(rbac.Resource(resource))
    240. 

  240. 			if err != nil {
    241. 

  241. 				glog.Fatalf("Unable to get %s storage: %v", resource, err)
    242. 

  242. 			}
    243. 

  243. 			return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
    244. 

  244. 		}
    245. 

  245. 

  246. 		// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
    247. 

  247. 		authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
    248. 

  248. 		authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
    249. 

  249. 		authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
    250. 

  250. 		authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
    251. 

  251. 	}
    252. 

  252. 

  253. 	authorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
    254. 

  254. 	if err != nil {
    255. 

  255. 		glog.Fatalf("Invalid Authorization Config: %v", err)
    256. 

  256. 	}
    257. 

  257. 

  258. 	admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
    259. 

  259. 	client, err := s.NewSelfClient()
    260. 

  260. 	if err != nil {
    261. 

  261. 		glog.Errorf("Failed to create clientset: %v", err)
    262. 

  262. 	}
    263. 

  263. 	sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
    264. 

  264. 	pluginInitializer := admission.NewPluginInitializer(sharedInformers)
    265. 

  265. 

  266. 	admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
    267. 

  267. 	if err != nil {
    268. 

  268. 		glog.Fatalf("Failed to initialize plugins: %v", err)
    269. 

  269. 	}
    270. 

  270. 

  271. 	genericConfig := genericapiserver.NewConfig(s.ServerRunOptions)
    272. 

  272. 	// TODO: Move the following to generic api server as well.
    273. 

  273. 	genericConfig.StorageFactory = storageFactory
    274. 

  274. 	genericConfig.Authenticator = authenticator
    275. 

  275. 	genericConfig.SupportsBasicAuth = len(s.BasicAuthFile) > 0
    276. 

  276. 	genericConfig.Authorizer = authorizer
    277. 

  277. 	genericConfig.AuthorizerRBACSuperUser = s.AuthorizationRBACSuperUser
    278. 

  278. 	genericConfig.AdmissionControl = admissionController
    279. 

  279. 	genericConfig.APIResourceConfigSource = storageFactory.APIResourceConfigSource
    280. 

  280. 	genericConfig.MasterServiceNamespace = s.MasterServiceNamespace
    281. 

  281. 	genericConfig.ProxyDialer = proxyDialerFn
    282. 

  282. 	genericConfig.ProxyTLSClientConfig = proxyTLSClientConfig
    283. 

  283. 	genericConfig.Serializer = api.Codecs
    284. 

  284. 	genericConfig.OpenAPIInfo.Title = "Kubernetes"
    285. 

  285. 

  286. 	config := &master.Config{
    287. 

  287. 		Config:                  genericConfig,
    288. 

  288. 		EnableCoreControllers:   true,
    289. 

  289. 		DeleteCollectionWorkers: s.DeleteCollectionWorkers,
    290. 

  290. 		EventTTL:                s.EventTTL,
    291. 

  291. 		KubeletClient:           kubeletClient,
    292. 

  292. 

  293. 		Tunneler: tunneler,
    294. 

  294. 	}
    295. 

  295. 

  296. 	if s.EnableWatchCache {
    297. 

  297. 		glog.V(2).Infof("Initalizing cache sizes based on %dMB limit", s.TargetRAMMB)
    298. 

  298. 		cachesize.InitializeWatchCacheSizes(s.TargetRAMMB)
    299. 

  299. 		cachesize.SetWatchCacheSizes(s.WatchCacheSizes)
    300. 

  300. 	}
    301. 

  301. 

  302. 	m, err := master.New(config)
    303. 

  303. 	if err != nil {
    304. 

  304. 		return err
    305. 

  305. 	}
    306. 

  306. 

  307. 	sharedInformers.Start(wait.NeverStop)
    308. 

  308. 	m.Run(s.ServerRunOptions)
    309. 

  309. 	return nil
    310. 

  310. }
    311.