/* Copyright 2016 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package server import ( "crypto/tls" "crypto/x509" "fmt" "net" "net/http" goruntime "runtime" "strconv" "strings" "sync/atomic" "time" jsonpatch "github.com/evanphx/json-patch" "github.com/pborman/uuid" "k8s.io/klog" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" "k8s.io/apimachinery/pkg/util/sets" utilwaitgroup "k8s.io/apimachinery/pkg/util/waitgroup" "k8s.io/apimachinery/pkg/version" "k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/audit" auditpolicy "k8s.io/apiserver/pkg/audit/policy" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticatorfactory" authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizerfactory" authorizerunion "k8s.io/apiserver/pkg/authorization/union" "k8s.io/apiserver/pkg/endpoints/discovery" genericapifilters "k8s.io/apiserver/pkg/endpoints/filters" apirequest "k8s.io/apiserver/pkg/endpoints/request" genericregistry "k8s.io/apiserver/pkg/registry/generic" genericfilters "k8s.io/apiserver/pkg/server/filters" "k8s.io/apiserver/pkg/server/healthz" "k8s.io/apiserver/pkg/server/routes" serverstore "k8s.io/apiserver/pkg/server/storage" "k8s.io/client-go/informers" restclient "k8s.io/client-go/rest" certutil "k8s.io/client-go/util/cert" "k8s.io/component-base/logs" // install apis _ "k8s.io/apiserver/pkg/apis/apiserver/install" ) const ( // DefaultLegacyAPIPrefix is where the legacy APIs will be located. DefaultLegacyAPIPrefix = "/api" // APIGroupPrefix is where non-legacy API group will be located. APIGroupPrefix = "/apis" ) // Config is a structure used to configure a GenericAPIServer. // Its members are sorted roughly in order of importance for composers. type Config struct { // SecureServing is required to serve https SecureServing *SecureServingInfo // Authentication is the configuration for authentication Authentication AuthenticationInfo // Authorization is the configuration for authorization Authorization AuthorizationInfo // LoopbackClientConfig is a config for a privileged loopback connection to the API server // This is required for proper functioning of the PostStartHooks on a GenericAPIServer // TODO: move into SecureServing(WithLoopback) as soon as insecure serving is gone LoopbackClientConfig *restclient.Config // RuleResolver is required to get the list of rules that apply to a given user // in a given namespace RuleResolver authorizer.RuleResolver // AdmissionControl performs deep inspection of a given request (including content) // to set values and determine whether its allowed AdmissionControl admission.Interface CorsAllowedOriginList []string EnableIndex bool EnableProfiling bool EnableDiscovery bool // Requires generic profiling enabled EnableContentionProfiling bool EnableMetrics bool DisabledPostStartHooks sets.String // Version will enable the /version endpoint if non-nil Version *version.Info // AuditBackend is where audit events are sent to. AuditBackend audit.Backend // AuditPolicyChecker makes the decision of whether and how to audit log a request. AuditPolicyChecker auditpolicy.Checker // ExternalAddress is the host name to use for external (public internet) facing URLs (e.g. Swagger) // Will default to a value based on secure serving info and available ipv4 IPs. ExternalAddress string //=========================================================================== // Fields you probably don't care about changing //=========================================================================== // BuildHandlerChainFunc allows you to build custom handler chains by decorating the apiHandler. BuildHandlerChainFunc func(apiHandler http.Handler, c *Config) (secure http.Handler) // HandlerChainWaitGroup allows you to wait for all chain handlers exit after the server shutdown. HandlerChainWaitGroup *utilwaitgroup.SafeWaitGroup // DiscoveryAddresses is used to build the IPs pass to discovery. If nil, the ExternalAddress is // always reported DiscoveryAddresses discovery.Addresses // The default set of healthz checks. There might be more added via AddHealthzChecks dynamically. HealthzChecks []healthz.HealthzChecker // LegacyAPIGroupPrefixes is used to set up URL parsing for authorization and for validating requests // to InstallLegacyAPIGroup. New API servers don't generally have legacy groups at all. LegacyAPIGroupPrefixes sets.String // RequestInfoResolver is used to assign attributes (used by admission and authorization) based on a request URL. // Use-cases that are like kubelets may need to customize this. RequestInfoResolver apirequest.RequestInfoResolver // Serializer is required and provides the interface for serializing and converting objects to and from the wire // The default (api.Codecs) usually works fine. Serializer runtime.NegotiatedSerializer // RESTOptionsGetter is used to construct RESTStorage types via the generic registry. RESTOptionsGetter genericregistry.RESTOptionsGetter // If specified, all requests except those which match the LongRunningFunc predicate will timeout // after this duration. RequestTimeout time.Duration // If specified, long running requests such as watch will be allocated a random timeout between this value, and // twice this value. Note that it is up to the request handlers to ignore or honor this timeout. In seconds. MinRequestTimeout int // The limit on the total size increase all "copy" operations in a json // patch may cause. // This affects all places that applies json patch in the binary. JSONPatchMaxCopyBytes int64 // The limit on the request body size that would be accepted and decoded in a write request. // 0 means no limit. MaxRequestBodyBytes int64 // MaxRequestsInFlight is the maximum number of parallel non-long-running requests. Every further // request has to wait. Applies only to non-mutating requests. MaxRequestsInFlight int // MaxMutatingRequestsInFlight is the maximum number of parallel mutating requests. Every further // request has to wait. MaxMutatingRequestsInFlight int // Predicate which is true for paths of long-running http requests LongRunningFunc apirequest.LongRunningRequestCheck // MergedResourceConfig indicates which groupVersion enabled and its resources enabled/disabled. // This is composed of genericapiserver defaultAPIResourceConfig and those parsed from flags. // If not specify any in flags, then genericapiserver will only enable defaultAPIResourceConfig. MergedResourceConfig *serverstore.ResourceConfig //=========================================================================== // values below here are targets for removal //=========================================================================== // PublicAddress is the IP address where members of the cluster (kubelet, // kube-proxy, services, etc.) can reach the GenericAPIServer. // If nil or 0.0.0.0, the host's default interface will be used. PublicAddress net.IP } type RecommendedConfig struct { Config // SharedInformerFactory provides shared informers for Kubernetes resources. This value is set by // RecommendedOptions.CoreAPI.ApplyTo called by RecommendedOptions.ApplyTo. It uses an in-cluster client config // by default, or the kubeconfig given with kubeconfig command line flag. SharedInformerFactory informers.SharedInformerFactory // ClientConfig holds the kubernetes client configuration. // This value is set by RecommendedOptions.CoreAPI.ApplyTo called by RecommendedOptions.ApplyTo. // By default in-cluster client config is used. ClientConfig *restclient.Config } type SecureServingInfo struct { // Listener is the secure server network listener. Listener net.Listener // Cert is the main server cert which is used if SNI does not match. Cert must be non-nil and is // allowed to be in SNICerts. Cert *tls.Certificate // SNICerts are the TLS certificates by name used for SNI. SNICerts map[string]*tls.Certificate // ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates ClientCA *x509.CertPool // MinTLSVersion optionally overrides the minimum TLS version supported. // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). MinTLSVersion uint16 // CipherSuites optionally overrides the list of allowed cipher suites for the server. // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). CipherSuites []uint16 // HTTP2MaxStreamsPerConnection is the limit that the api server imposes on each client. // A value of zero means to use the default provided by golang's HTTP/2 support. HTTP2MaxStreamsPerConnection int AdvertisePort int } type AuthenticationInfo struct { // APIAudiences is a list of identifier that the API identifies as. This is // used by some authenticators to validate audience bound credentials. APIAudiences authenticator.Audiences // Authenticator determines which subject is making the request Authenticator authenticator.Request // SupportsBasicAuth indicates that's at least one Authenticator supports basic auth // If this is true, a basic auth challenge is returned on authentication failure // TODO(roberthbailey): Remove once the server no longer supports http basic auth. SupportsBasicAuth bool } type AuthorizationInfo struct { // Authorizer determines whether the subject is allowed to make the request based only // on the RequestURI Authorizer authorizer.Authorizer } // NewConfig returns a Config struct with the default values func NewConfig(codecs serializer.CodecFactory) *Config { return &Config{ Serializer: codecs, BuildHandlerChainFunc: DefaultBuildHandlerChain, HandlerChainWaitGroup: new(utilwaitgroup.SafeWaitGroup), LegacyAPIGroupPrefixes: sets.NewString(DefaultLegacyAPIPrefix), DisabledPostStartHooks: sets.NewString(), HealthzChecks: []healthz.HealthzChecker{healthz.PingHealthz, healthz.LogHealthz}, EnableIndex: true, EnableDiscovery: true, EnableProfiling: true, EnableMetrics: true, MaxRequestsInFlight: 400, MaxMutatingRequestsInFlight: 200, RequestTimeout: time.Duration(60) * time.Second, MinRequestTimeout: 1800, // 10MB is the recommended maximum client request size in bytes // the etcd server should accept. See // https://github.com/etcd-io/etcd/blob/release-3.3/etcdserver/server.go#L90. // A request body might be encoded in json, and is converted to // proto when persisted in etcd. Assuming the upper bound of // the size ratio is 10:1, we set 100MB as the largest size // increase the "copy" operations in a json patch may cause. JSONPatchMaxCopyBytes: int64(100 * 1024 * 1024), // 10MB is the recommended maximum client request size in bytes // the etcd server should accept. See // https://github.com/etcd-io/etcd/blob/release-3.3/etcdserver/server.go#L90. // A request body might be encoded in json, and is converted to // proto when persisted in etcd. Assuming the upper bound of // the size ratio is 10:1, we set 100MB as the largest request // body size to be accepted and decoded in a write request. MaxRequestBodyBytes: int64(100 * 1024 * 1024), // Default to treating watch as a long-running operation // Generic API servers have no inherent long-running subresources LongRunningFunc: genericfilters.BasicLongRunningRequestCheck(sets.NewString("watch"), sets.NewString()), } } // NewRecommendedConfig returns a RecommendedConfig struct with the default values func NewRecommendedConfig(codecs serializer.CodecFactory) *RecommendedConfig { return &RecommendedConfig{ Config: *NewConfig(codecs), } } func (c *AuthenticationInfo) ApplyClientCert(clientCAFile string, servingInfo *SecureServingInfo) error { if servingInfo != nil { if len(clientCAFile) > 0 { clientCAs, err := certutil.CertsFromFile(clientCAFile) if err != nil { return fmt.Errorf("unable to load client CA file: %v", err) } if servingInfo.ClientCA == nil { servingInfo.ClientCA = x509.NewCertPool() } for _, cert := range clientCAs { servingInfo.ClientCA.AddCert(cert) } } } return nil } type completedConfig struct { *Config //=========================================================================== // values below here are filled in during completion //=========================================================================== // SharedInformerFactory provides shared informers for resources SharedInformerFactory informers.SharedInformerFactory } type CompletedConfig struct { // Embed a private pointer that cannot be instantiated outside of this package. *completedConfig } // Complete fills in any fields not set that are required to have valid data and can be derived // from other fields. If you're going to `ApplyOptions`, do that first. It's mutating the receiver. func (c *Config) Complete(informers informers.SharedInformerFactory) CompletedConfig { if len(c.ExternalAddress) == 0 && c.PublicAddress != nil { c.ExternalAddress = c.PublicAddress.String() } // if there is no port, and we listen on one securely, use that one if _, _, err := net.SplitHostPort(c.ExternalAddress); err != nil { if c.SecureServing == nil { klog.Fatalf("cannot derive external address port without listening on a secure port.") } _, port, err := c.SecureServing.HostPort() if err != nil { klog.Fatalf("cannot derive external address from the secure port: %v", err) } c.ExternalAddress = net.JoinHostPort(c.ExternalAddress, strconv.Itoa(port)) } if c.DiscoveryAddresses == nil { c.DiscoveryAddresses = discovery.DefaultAddresses{DefaultAddress: c.ExternalAddress} } AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization) if c.RequestInfoResolver == nil { c.RequestInfoResolver = NewRequestInfoResolver(c) } return CompletedConfig{&completedConfig{c, informers}} } // Complete fills in any fields not set that are required to have valid data and can be derived // from other fields. If you're going to `ApplyOptions`, do that first. It's mutating the receiver. func (c *RecommendedConfig) Complete() CompletedConfig { return c.Config.Complete(c.SharedInformerFactory) } // New creates a new server which logically combines the handling chain with the passed server. // name is used to differentiate for logging. The handler chain in particular can be difficult as it starts delgating. // delegationTarget may not be nil. func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*GenericAPIServer, error) { if c.Serializer == nil { return nil, fmt.Errorf("Genericapiserver.New() called with config.Serializer == nil") } if c.LoopbackClientConfig == nil { return nil, fmt.Errorf("Genericapiserver.New() called with config.LoopbackClientConfig == nil") } handlerChainBuilder := func(handler http.Handler) http.Handler { return c.BuildHandlerChainFunc(handler, c.Config) } apiServerHandler := NewAPIServerHandler(name, c.Serializer, handlerChainBuilder, delegationTarget.UnprotectedHandler()) s := &GenericAPIServer{ discoveryAddresses: c.DiscoveryAddresses, LoopbackClientConfig: c.LoopbackClientConfig, legacyAPIGroupPrefixes: c.LegacyAPIGroupPrefixes, admissionControl: c.AdmissionControl, Serializer: c.Serializer, AuditBackend: c.AuditBackend, Authorizer: c.Authorization.Authorizer, delegationTarget: delegationTarget, HandlerChainWaitGroup: c.HandlerChainWaitGroup, minRequestTimeout: time.Duration(c.MinRequestTimeout) * time.Second, ShutdownTimeout: c.RequestTimeout, SecureServingInfo: c.SecureServing, ExternalAddress: c.ExternalAddress, Handler: apiServerHandler, listedPathProvider: apiServerHandler, postStartHooks: map[string]postStartHookEntry{}, preShutdownHooks: map[string]preShutdownHookEntry{}, disabledPostStartHooks: c.DisabledPostStartHooks, healthzChecks: c.HealthzChecks, DiscoveryGroupManager: discovery.NewRootAPIsHandler(c.DiscoveryAddresses, c.Serializer), maxRequestBodyBytes: c.MaxRequestBodyBytes, } for { if c.JSONPatchMaxCopyBytes <= 0 { break } existing := atomic.LoadInt64(&jsonpatch.AccumulatedCopySizeLimit) if existing > 0 && existing < c.JSONPatchMaxCopyBytes { break } if atomic.CompareAndSwapInt64(&jsonpatch.AccumulatedCopySizeLimit, existing, c.JSONPatchMaxCopyBytes) { break } } for k, v := range delegationTarget.PostStartHooks() { s.postStartHooks[k] = v } for k, v := range delegationTarget.PreShutdownHooks() { s.preShutdownHooks[k] = v } genericApiServerHookName := "generic-apiserver-start-informers" if c.SharedInformerFactory != nil && !s.isPostStartHookRegistered(genericApiServerHookName) { err := s.AddPostStartHook(genericApiServerHookName, func(context PostStartHookContext) error { c.SharedInformerFactory.Start(context.StopCh) return nil }) if err != nil { return nil, err } } for _, delegateCheck := range delegationTarget.HealthzChecks() { skip := false for _, existingCheck := range c.HealthzChecks { if existingCheck.Name() == delegateCheck.Name() { skip = true break } } if skip { continue } s.healthzChecks = append(s.healthzChecks, delegateCheck) } s.listedPathProvider = routes.ListedPathProviders{s.listedPathProvider, delegationTarget} installAPI(s, c.Config) // use the UnprotectedHandler from the delegation target to ensure that we don't attempt to double authenticator, authorize, // or some other part of the filter chain in delegation cases. if delegationTarget.UnprotectedHandler() == nil && c.EnableIndex { s.Handler.NonGoRestfulMux.NotFoundHandler(routes.IndexLister{ StatusCode: http.StatusNotFound, PathProvider: s.listedPathProvider, }) } return s, nil } func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { handler := genericapifilters.WithAuthorization(apiHandler, c.Authorization.Authorizer, c.Serializer) handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc) handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer) handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth) failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker) handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences) handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout) handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup) handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver) handler = genericfilters.WithPanicRecovery(handler) return handler } func installAPI(s *GenericAPIServer, c *Config) { if c.EnableIndex { routes.Index{}.Install(s.listedPathProvider, s.Handler.NonGoRestfulMux) } if c.EnableProfiling { routes.Profiling{}.Install(s.Handler.NonGoRestfulMux) if c.EnableContentionProfiling { goruntime.SetBlockProfileRate(1) } // so far, only logging related endpoints are considered valid to add for these debug flags. routes.DebugFlags{}.Install(s.Handler.NonGoRestfulMux, "v", routes.StringFlagPutHandler(logs.GlogSetter)) } if c.EnableMetrics { if c.EnableProfiling { routes.MetricsWithReset{}.Install(s.Handler.NonGoRestfulMux) } else { routes.DefaultMetrics{}.Install(s.Handler.NonGoRestfulMux) } } routes.Version{Version: c.Version}.Install(s.Handler.GoRestfulContainer) if c.EnableDiscovery { s.Handler.GoRestfulContainer.Add(s.DiscoveryGroupManager.WebService()) } } func NewRequestInfoResolver(c *Config) *apirequest.RequestInfoFactory { apiPrefixes := sets.NewString(strings.Trim(APIGroupPrefix, "/")) // all possible API prefixes legacyAPIPrefixes := sets.String{} // APIPrefixes that won't have groups (legacy) for legacyAPIPrefix := range c.LegacyAPIGroupPrefixes { apiPrefixes.Insert(strings.Trim(legacyAPIPrefix, "/")) legacyAPIPrefixes.Insert(strings.Trim(legacyAPIPrefix, "/")) } return &apirequest.RequestInfoFactory{ APIPrefixes: apiPrefixes, GrouplessAPIPrefixes: legacyAPIPrefixes, } } func (s *SecureServingInfo) HostPort() (string, int, error) { if s == nil || s.Listener == nil { return "", 0, fmt.Errorf("no listener found") } addr := s.Listener.Addr().String() host, portStr, err := net.SplitHostPort(addr) if err != nil { return "", 0, fmt.Errorf("failed to get port from listener address %q: %v", addr, err) } port, err := strconv.Atoi(portStr) if err != nil { return "", 0, fmt.Errorf("invalid non-numeric port %q", portStr) } if s.AdvertisePort != 0 { port = s.AdvertisePort } return host, port, nil } // AuthorizeClientBearerToken wraps the authenticator and authorizer in loopback authentication logic // if the loopback client config is specified AND it has a bearer token. func AuthorizeClientBearerToken(loopback *restclient.Config, authn *AuthenticationInfo, authz *AuthorizationInfo) { if loopback == nil || authn == nil || authz == nil || authn.Authenticator == nil && authz.Authorizer == nil || len(loopback.BearerToken) == 0 { return } privilegedLoopbackToken := loopback.BearerToken var uid = uuid.NewRandom().String() tokens := make(map[string]*user.DefaultInfo) tokens[privilegedLoopbackToken] = &user.DefaultInfo{ Name: user.APIServerUser, UID: uid, Groups: []string{user.SystemPrivilegedGroup}, } tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens) authn.Authenticator = authenticatorunion.New(tokenAuthenticator, authn.Authenticator) tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup) authz.Authorizer = authorizerunion.New(tokenAuthorizer, authz.Authorizer) }