// ensureComponentAuthorizationRules initializes the cluster policies
func (c *MasterConfig) ensureComponentAuthorizationRules() {
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
ctx := kapi.WithNamespace(kapi.NewContext(), "")
if _, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName); kapierror.IsNotFound(err) {
glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
glog.Errorf("Error creating bootstrap policy: %v", err)
}
} else {
glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
}
// Wait until the policy cache has caught up before continuing
review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: "get", Resource: "clusterpolicies"}}
err := wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (done bool, err error) {
result, err := c.PolicyClient().SubjectAccessReviews().Create(review)
if err == nil && result.Allowed {
return true, nil
}
if kapierror.IsForbidden(err) || (err == nil && !result.Allowed) {
glog.V(2).Infof("waiting for policy cache to initialize")
return false, nil
}
return false, err
})
if err != nil {
glog.Errorf("error waiting for policy cache to initialize: %v", err)
}
}
// newReadOnlyCacheAndClient returns a ReadOnlyCache for administrative interactions with the cache holding policies and bindings on a project
// and cluster level as well as a ReadOnlyPolicyClient for use in the project authorization cache and authorizer to query for the same data
func newReadOnlyCacheAndClient(optsGetter restoptions.Getter) (policycache.ReadOnlyCache, policyclient.ReadOnlyPolicyClient, error) {
policyStorage, err := policyetcd.NewStorage(optsGetter)
if err != nil {
return nil, nil, err
}
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(optsGetter)
if err != nil {
return nil, nil, err
}
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicyetcd.NewStorage(optsGetter)
if err != nil {
return nil, nil, err
}
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewStorage(optsGetter)
if err != nil {
return nil, nil, err
}
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
cache, client := policycache.NewReadOnlyCacheAndClient(policyBindingRegistry, policyRegistry, clusterPolicyBindingRegistry, clusterPolicyRegistry)
return cache, client, nil
}
// ensureComponentAuthorizationRules initializes the cluster policies
func (c *MasterConfig) ensureComponentAuthorizationRules() {
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
ctx := kapi.WithNamespace(kapi.NewContext(), "")
if _, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName); kapierror.IsNotFound(err) {
glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
glog.Errorf("Error creating bootstrap policy: %v", err)
}
} else {
glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
}
// Wait until the policy cache has caught up before continuing
review := &authorizationapi.SubjectAccessReview{Action: authorizationapi.AuthorizationAttributes{Verb: "get", Group: authorizationapi.GroupName, Resource: "clusterpolicies"}}
err := wait.PollImmediate(100*time.Millisecond, 30*time.Second, func() (done bool, err error) {
result, err := c.PolicyClient().SubjectAccessReviews().Create(review)
if err == nil && result.Allowed {
return true, nil
}
if kapierror.IsForbidden(err) || (err == nil && !result.Allowed) {
glog.V(2).Infof("waiting for policy cache to initialize")
return false, nil
}
return false, err
})
if err != nil {
glog.Errorf("error waiting for policy cache to initialize: %v", err)
}
// Reconcile roles that must exist for the cluster to function
// Be very judicious about what is placed in this list, since it will be enforced on every server start
reconcileRoles := &policy.ReconcileClusterRolesOptions{
RolesToReconcile: []string{bootstrappolicy.DiscoveryRoleName},
Confirmed: true,
Union: true,
Out: ioutil.Discard,
RoleClient: c.PrivilegedLoopbackOpenShiftClient.ClusterRoles(),
}
if err := reconcileRoles.RunReconcileClusterRoles(nil, nil); err != nil {
glog.Errorf("Could not auto reconcile roles: %v\n", err)
}
// Reconcile rolebindings that must exist for the cluster to function
// Be very judicious about what is placed in this list, since it will be enforced on every server start
reconcileRoleBindings := &policy.ReconcileClusterRoleBindingsOptions{
RolesToReconcile: []string{bootstrappolicy.DiscoveryRoleName},
Confirmed: true,
Union: true,
Out: ioutil.Discard,
RoleBindingClient: c.PrivilegedLoopbackOpenShiftClient.ClusterRoleBindings(),
}
if err := reconcileRoleBindings.RunReconcileClusterRoleBindings(nil, nil); err != nil {
glog.Errorf("Could not auto reconcile role bindings: %v\n", err)
}
}
// newReadOnlyCacheAndClient returns a ReadOnlyCache for administrative interactions with the cache holding policies and bindings on a project
// and cluster level as well as a ReadOnlyPolicyClient for use in the project authorization cache and authorizer to query for the same data
func newReadOnlyCacheAndClient(etcdHelper storage.Interface) (cache policycache.ReadOnlyCache, client policyclient.ReadOnlyPolicyClient) {
policyRegistry := policyregistry.NewRegistry(policyetcd.NewStorage(etcdHelper))
policyBindingRegistry := policybindingregistry.NewRegistry(policybindingetcd.NewStorage(etcdHelper))
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicyetcd.NewStorage(etcdHelper))
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterpolicybindingetcd.NewStorage(etcdHelper))
cache, client = policycache.NewReadOnlyCacheAndClient(policyBindingRegistry, policyRegistry, clusterPolicyBindingRegistry, clusterPolicyRegistry)
return
}
// ensureComponentAuthorizationRules initializes the cluster policies
func (c *MasterConfig) ensureComponentAuthorizationRules() {
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterpolicystorage.NewStorage(c.EtcdHelper))
ctx := kapi.WithNamespace(kapi.NewContext(), "")
if _, err := clusterPolicyRegistry.GetClusterPolicy(ctx, authorizationapi.PolicyName); kapierror.IsNotFound(err) {
glog.Infof("No cluster policy found. Creating bootstrap policy based on: %v", c.Options.PolicyConfig.BootstrapPolicyFile)
if err := admin.OverwriteBootstrapPolicy(c.EtcdHelper, c.Options.PolicyConfig.BootstrapPolicyFile, admin.CreateBootstrapPolicyFileFullCommand, true, ioutil.Discard); err != nil {
glog.Errorf("Error creating bootstrap policy: %v", err)
}
} else {
glog.V(2).Infof("Ignoring bootstrap policy file because cluster policy found")
}
}
func newClusterPolicyLW(optsGetter restoptions.Getter) (cache.ListerWatcher, error) {
ctx := kapi.WithNamespace(kapi.NewContext(), kapi.NamespaceAll)
storage, err := clusterpolicyetcd.NewStorage(optsGetter)
if err != nil {
return nil, err
}
registry := clusterpolicyregistry.NewRegistry(storage)
return &cache.ListWatch{
ListFunc: func(options kapi.ListOptions) (runtime.Object, error) {
return registry.ListClusterPolicies(ctx, &options)
},
WatchFunc: func(options kapi.ListOptions) (watch.Interface, error) {
return registry.WatchClusterPolicies(ctx, &options)
},
}, nil
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
defaultRegistry := env("OPENSHIFT_DEFAULT_REGISTRY", "${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT}")
svcCache := service.NewServiceResolverCache(c.KubeClient().Services(kapi.NamespaceDefault).Get)
defaultRegistryFunc, err := svcCache.Defer(defaultRegistry)
if err != nil {
glog.Fatalf("OPENSHIFT_DEFAULT_REGISTRY variable is invalid %q: %v", defaultRegistry, err)
}
kubeletClient, err := kclient.NewKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
buildStorage := buildetcd.NewStorage(c.EtcdHelper)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage := buildconfigetcd.NewStorage(c.EtcdHelper)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage := deployconfigetcd.NewStorage(c.EtcdHelper)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeEtcd := routeetcd.NewREST(c.EtcdHelper, routeAllocator)
hostSubnetStorage := hostsubnetetcd.NewREST(c.EtcdHelper)
netNamespaceStorage := netnamespaceetcd.NewREST(c.EtcdHelper)
clusterNetworkStorage := clusternetworketcd.NewREST(c.EtcdHelper)
userStorage := useretcd.NewREST(c.EtcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(c.EtcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
policyStorage := policyetcd.NewStorage(c.EtcdHelper)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage := policybindingetcd.NewStorage(c.EtcdHelper)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage := clusterpolicystorage.NewStorage(c.EtcdHelper)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage := clusterpolicybindingstorage.NewStorage(c.EtcdHelper)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyRegistry, policyBindingRegistry, clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
imageStorage := imageetcd.NewREST(c.EtcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamStorage, imageStreamStatusStorage := imagestreametcd.NewREST(c.EtcdHelper, imagestream.DefaultRegistryFunc(defaultRegistryFunc), subjectAccessReviewRegistry)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
_, kclient := c.DeploymentConfigControllerClients()
deployRollback := &deployrollback.RollbackGenerator{}
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployRollback.GenerateRollback,
}
projectStorage := projectproxy.NewREST(kclient.Namespaces(), c.ProjectAuthorizationCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
storage := map[string]rest.Storage{
"images": imageStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"deploymentConfigs": deployConfigStorage,
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.EtcdHelper.Codec()),
"deploymentConfigRollbacks": deployrollback.NewREST(deployRollbackClient, c.EtcdHelper.Codec()),
"processedTemplates": templateregistry.NewREST(),
"templates": templateetcd.NewREST(c.EtcdHelper),
"routes": routeEtcd.Route,
"routes/status": routeEtcd.Status,
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"netNamespaces": netNamespaceStorage,
"clusterNetworks": clusterNetworkStorage,
"users": userStorage,
"groups": groupetcd.NewREST(c.EtcdHelper),
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizetokenetcd.NewREST(c.EtcdHelper),
"oAuthAccessTokens": accesstokenetcd.NewREST(c.EtcdHelper),
"oAuthClients": clientetcd.NewREST(c.EtcdHelper),
"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper),
"resourceAccessReviews": resourceAccessReviewStorage,
"subjectAccessReviews": subjectAccessReviewStorage,
"localSubjectAccessReviews": localSubjectAccessReviewStorage,
"localResourceAccessReviews": localResourceAccessReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
}
if configapi.IsBuildEnabled(&c.Options) {
storage["builds"] = buildStorage
storage["buildConfigs"] = buildConfigStorage
storage["buildConfigs/webhooks"] = buildConfigWebHooks
storage["builds/clone"] = buildclonestorage.NewStorage(buildGenerator)
storage["buildConfigs/instantiate"] = buildinstantiatestorage.NewStorage(buildGenerator)
storage["builds/log"] = buildlogregistry.NewREST(buildRegistry, c.BuildLogClient(), kubeletClient)
}
return storage
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
kubeletClient, err := kubeletclient.NewStaticKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
// TODO: allow the system CAs and the local CAs to be joined together.
importTransport, err := restclient.TransportFor(&restclient.Config{})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
insecureImportTransport, err := restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
buildStorage, buildDetailsStorage, err := buildetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage, err := buildconfigetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage, deployConfigStatusStorage, deployConfigScaleStorage, err := deployconfigetcd.NewREST(c.RESTOptionsGetter)
dcInstantiateOriginClient, dcInstantiateKubeClient := c.DeploymentConfigInstantiateClients()
dcInstantiateStorage := deployconfiginstantiate.NewREST(
*deployConfigStorage.Store,
dcInstantiateOriginClient,
dcInstantiateKubeClient,
c.ExternalVersionCodec,
c.AdmissionControl,
)
checkStorageErr(err)
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeStorage, routeStatusStorage, err := routeetcd.NewREST(c.RESTOptionsGetter, routeAllocator)
checkStorageErr(err)
hostSubnetStorage, err := hostsubnetetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
netNamespaceStorage, err := netnamespaceetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
clusterNetworkStorage, err := clusternetworketcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
egressNetworkPolicyStorage, err := egressnetworkpolicyetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userStorage, err := useretcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage, err := identityetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
groupStorage, err := groupetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
policyStorage, err := policyetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicystorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingstorage.NewStorage(c.RESTOptionsGetter)
checkStorageErr(err)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
selfSubjectRulesReviewStorage := selfsubjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
subjectRulesReviewStorage := subjectrulesreview.NewREST(c.RuleResolver, c.Informers.ClusterPolicies().Lister().ClusterPolicies())
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, c.RuleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, c.RuleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
podSecurityPolicyReviewStorage := podsecuritypolicyreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySubjectStorage := podsecuritypolicysubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
podSecurityPolicySelfSubjectReviewStorage := podsecuritypolicyselfsubjectreview.NewREST(oscc.NewDefaultSCCMatcher(c.Informers.SecurityContextConstraints().Lister()), clientadapter.FromUnversionedClient(c.PrivilegedLoopbackKubernetesClient))
imageStorage, err := imageetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
imageRegistry := image.NewRegistry(imageStorage)
imageSignatureStorage := imagesignature.NewREST(c.PrivilegedLoopbackOpenShiftClient.Images())
imageStreamSecretsStorage := imagesecret.NewREST(c.ImageStreamSecretClient())
imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage, err := imagestreametcd.NewREST(c.RESTOptionsGetter, c.RegistryNameFn, subjectAccessReviewRegistry, c.LimitVerifier)
checkStorageErr(err)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry, c.RegistryNameFn)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
importerFn := func(r importer.RepositoryRetriever) imageimporter.Interface {
return imageimporter.NewImageStreamImporter(r, c.Options.ImagePolicyConfig.MaxImagesBulkImportedPerRepository, flowcontrol.NewTokenBucketRateLimiter(2.0, 3))
}
importerDockerClientFn := func() dockerregistry.Client {
return dockerregistry.NewClient(20*time.Second, false)
}
imageStreamImportStorage := imagestreamimport.NewREST(importerFn, imageStreamRegistry, internalImageStreamStorage, imageStorage, c.ImageStreamImportSecretClient(), importTransport, insecureImportTransport, importerDockerClientFn)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
configClient, kclient := c.DeploymentConfigClients()
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployrollback.NewRollbackGenerator().GenerateRollback,
}
deployConfigRollbackStorage := deployrollback.NewREST(configClient, kclient, c.ExternalVersionCodec)
projectStorage := projectproxy.NewREST(c.PrivilegedLoopbackKubernetesClient.Namespaces(), c.ProjectAuthorizationCache, c.ProjectAuthorizationCache, c.ProjectCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient, c.Informers.PolicyBindings().Lister())
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
clientStorage, err := clientetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
clientRegistry := clientregistry.NewRegistry(clientStorage)
// If OAuth is disabled, set the strategy to Deny
saAccountGrantMethod := oauthapi.GrantHandlerDeny
if c.Options.OAuthConfig != nil {
// Otherwise, take the value provided in master-config.yaml
saAccountGrantMethod = oauthapi.GrantHandlerType(c.Options.OAuthConfig.GrantConfig.ServiceAccountMethod)
}
combinedOAuthClientGetter := saoauth.NewServiceAccountOAuthClientGetter(c.KubeClient(), c.KubeClient(), clientRegistry, saAccountGrantMethod)
authorizeTokenStorage, err := authorizetokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
accessTokenStorage, err := accesstokenetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
clientAuthorizationStorage, err := clientauthetcd.NewREST(c.RESTOptionsGetter, combinedOAuthClientGetter)
checkStorageErr(err)
templateStorage, err := templateetcd.NewREST(c.RESTOptionsGetter)
checkStorageErr(err)
storage := map[string]rest.Storage{
"images": imageStorage,
"imagesignatures": imageSignatureStorage,
"imageStreams/secrets": imageStreamSecretsStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImports": imageStreamImportStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"deploymentConfigs": deployConfigStorage,
"deploymentConfigs/scale": deployConfigScaleStorage,
"deploymentConfigs/status": deployConfigStatusStorage,
"deploymentConfigs/rollback": deployConfigRollbackStorage,
"deploymentConfigs/log": deploylogregistry.NewREST(configClient, kclient, c.DeploymentLogClient(), kubeletClient),
"deploymentConfigs/instantiate": dcInstantiateStorage,
// TODO: Deprecate these
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.ExternalVersionCodec),
"deploymentConfigRollbacks": deployrollback.NewDeprecatedREST(deployRollbackClient, c.ExternalVersionCodec),
"processedTemplates": templateregistry.NewREST(),
"templates": templateStorage,
"routes": routeStorage,
"routes/status": routeStatusStorage,
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"netNamespaces": netNamespaceStorage,
"clusterNetworks": clusterNetworkStorage,
"egressNetworkPolicies": egressNetworkPolicyStorage,
"users": userStorage,
"groups": groupStorage,
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizeTokenStorage,
"oAuthAccessTokens": accessTokenStorage,
"oAuthClients": clientStorage,
"oAuthClientAuthorizations": clientAuthorizationStorage,
"resourceAccessReviews": resourceAccessReviewStorage,
"subjectAccessReviews": subjectAccessReviewStorage,
"localSubjectAccessReviews": localSubjectAccessReviewStorage,
"localResourceAccessReviews": localResourceAccessReviewStorage,
"selfSubjectRulesReviews": selfSubjectRulesReviewStorage,
"subjectRulesReviews": subjectRulesReviewStorage,
"podSecurityPolicyReviews": podSecurityPolicyReviewStorage,
"podSecurityPolicySubjectReviews": podSecurityPolicySubjectStorage,
"podSecurityPolicySelfSubjectReviews": podSecurityPolicySelfSubjectReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
"clusterResourceQuotas": restInPeace(clusterresourcequotaregistry.NewStorage(c.RESTOptionsGetter)),
"clusterResourceQuotas/status": updateInPeace(clusterresourcequotaregistry.NewStatusStorage(c.RESTOptionsGetter)),
"appliedClusterResourceQuotas": appliedclusterresourcequotaregistry.NewREST(
c.ClusterQuotaMappingController.GetClusterQuotaMapper(), c.Informers.ClusterResourceQuotas().Lister(), c.Informers.Namespaces().Lister()),
}
if configapi.IsBuildEnabled(&c.Options) {
storage["builds"] = buildStorage
storage["buildConfigs"] = buildConfigStorage
storage["buildConfigs/webhooks"] = buildConfigWebHooks
storage["builds/clone"] = buildclone.NewStorage(buildGenerator)
storage["buildConfigs/instantiate"] = buildconfiginstantiate.NewStorage(buildGenerator)
storage["buildConfigs/instantiatebinary"] = buildconfiginstantiate.NewBinaryStorage(buildGenerator, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/log"] = buildlogregistry.NewREST(buildStorage, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/details"] = buildDetailsStorage
}
return storage
}
func (c *MasterConfig) GetRestStorage() map[string]rest.Storage {
defaultRegistry := env("OPENSHIFT_DEFAULT_REGISTRY", "${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT}")
svcCache := service.NewServiceResolverCache(c.KubeClient().Services(kapi.NamespaceDefault).Get)
defaultRegistryFunc, err := svcCache.Defer(defaultRegistry)
if err != nil {
glog.Fatalf("OPENSHIFT_DEFAULT_REGISTRY variable is invalid %q: %v", defaultRegistry, err)
}
kubeletClient, err := kubeletclient.NewStaticKubeletClient(c.KubeletClientConfig)
if err != nil {
glog.Fatalf("Unable to configure Kubelet client: %v", err)
}
// TODO: allow the system CAs and the local CAs to be joined together.
importTransport, err := restclient.TransportFor(&restclient.Config{})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
insecureImportTransport, err := restclient.TransportFor(&restclient.Config{Insecure: true})
if err != nil {
glog.Fatalf("Unable to configure a default transport for importing: %v", err)
}
applicationStorage := application.NewREST(c.EtcdHelper, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
serviceBrokerStorage := servicebroker.NewREST(c.EtcdHelper, c.BackingServiceInstanceControllerClients())
backingServiceStorage := backingservice.NewREST(c.EtcdHelper, c.BackingServiceInstanceControllerClients())
buildStorage, buildDetailsStorage := buildetcd.NewREST(c.EtcdHelper)
buildRegistry := buildregistry.NewRegistry(buildStorage)
buildConfigStorage := buildconfigetcd.NewREST(c.EtcdHelper)
buildConfigRegistry := buildconfigregistry.NewRegistry(buildConfigStorage)
deployConfigStorage, deployConfigScaleStorage := deployconfigetcd.NewREST(c.EtcdHelper, c.DeploymentConfigScaleClient())
deployConfigRegistry := deployconfigregistry.NewRegistry(deployConfigStorage)
routeAllocator := c.RouteAllocator()
routeStorage, routeStatusStorage := routeetcd.NewREST(c.EtcdHelper, routeAllocator)
hostSubnetStorage := hostsubnetetcd.NewREST(c.EtcdHelper)
netNamespaceStorage := netnamespaceetcd.NewREST(c.EtcdHelper)
clusterNetworkStorage := clusternetworketcd.NewREST(c.EtcdHelper)
userStorage := useretcd.NewREST(c.EtcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
identityStorage := identityetcd.NewREST(c.EtcdHelper)
identityRegistry := identityregistry.NewRegistry(identityStorage)
userIdentityMappingStorage := useridentitymapping.NewREST(userRegistry, identityRegistry)
policyStorage := policyetcd.NewStorage(c.EtcdHelper)
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage := policybindingetcd.NewStorage(c.EtcdHelper)
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage := clusterpolicystorage.NewStorage(c.EtcdHelper)
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage := clusterpolicybindingstorage.NewStorage(c.EtcdHelper)
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
policyRegistry,
policyBindingRegistry,
clusterPolicyRegistry,
clusterPolicyBindingRegistry,
)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
subjectAccessReviewStorage := subjectaccessreview.NewREST(c.Authorizer)
subjectAccessReviewRegistry := subjectaccessreview.NewRegistry(subjectAccessReviewStorage)
localSubjectAccessReviewStorage := localsubjectaccessreview.NewREST(subjectAccessReviewRegistry)
resourceAccessReviewStorage := resourceaccessreview.NewREST(c.Authorizer)
resourceAccessReviewRegistry := resourceaccessreview.NewRegistry(resourceAccessReviewStorage)
localResourceAccessReviewStorage := localresourceaccessreview.NewREST(resourceAccessReviewRegistry)
imageStorage := imageetcd.NewREST(c.EtcdHelper)
imageRegistry := image.NewRegistry(imageStorage)
imageStreamSecretsStorage := imagesecret.NewREST(c.ImageStreamSecretClient())
imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage := imagestreametcd.NewREST(c.EtcdHelper, imagestream.DefaultRegistryFunc(defaultRegistryFunc), subjectAccessReviewRegistry)
imageStreamRegistry := imagestream.NewRegistry(imageStreamStorage, imageStreamStatusStorage, internalImageStreamStorage)
imageStreamMappingStorage := imagestreammapping.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagStorage := imagestreamtag.NewREST(imageRegistry, imageStreamRegistry)
imageStreamTagRegistry := imagestreamtag.NewRegistry(imageStreamTagStorage)
importerFn := func(r importer.RepositoryRetriever) imageimporter.Interface {
return imageimporter.NewImageStreamImporter(r, c.Options.ImagePolicyConfig.MaxImagesBulkImportedPerRepository, util.NewTokenBucketRateLimiter(2.0, 3))
}
importerDockerClientFn := func() dockerregistry.Client {
return dockerregistry.NewClient(20*time.Second, false)
}
imageStreamImportStorage := imagestreamimport.NewREST(importerFn, imageStreamRegistry, internalImageStreamStorage, imageStorage, c.ImageStreamImportSecretClient(), importTransport, insecureImportTransport, importerDockerClientFn)
imageStreamImageStorage := imagestreamimage.NewREST(imageRegistry, imageStreamRegistry)
imageStreamImageRegistry := imagestreamimage.NewRegistry(imageStreamImageStorage)
backingServiceInstanceEtcd := backingserviceinstanceetcd.NewREST(c.EtcdHelper)
backingServiceInstanceRegistry := backingserviceinstanceregistry.NewRegistry(backingServiceInstanceEtcd)
backingServiceInstanceBindingEtcd := backingserviceinstanceetcd.NewBindingREST(backingServiceInstanceRegistry, deployConfigRegistry)
buildGenerator := &buildgenerator.BuildGenerator{
Client: buildgenerator.Client{
GetBuildConfigFunc: buildConfigRegistry.GetBuildConfig,
UpdateBuildConfigFunc: buildConfigRegistry.UpdateBuildConfig,
GetBuildFunc: buildRegistry.GetBuild,
CreateBuildFunc: buildRegistry.CreateBuild,
GetImageStreamFunc: imageStreamRegistry.GetImageStream,
GetImageStreamImageFunc: imageStreamImageRegistry.GetImageStreamImage,
GetImageStreamTagFunc: imageStreamTagRegistry.GetImageStreamTag,
},
ServiceAccounts: c.KubeClient(),
Secrets: c.KubeClient(),
}
// TODO: with sharding, this needs to be changed
deployConfigGenerator := &deployconfiggenerator.DeploymentConfigGenerator{
Client: deployconfiggenerator.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
ISFn: imageStreamRegistry.GetImageStream,
LISFn2: imageStreamRegistry.ListImageStreams,
},
}
configClient, kclient := c.DeploymentConfigClients()
deployRollback := &deployrollback.RollbackGenerator{}
deployRollbackClient := deployrollback.Client{
DCFn: deployConfigRegistry.GetDeploymentConfig,
RCFn: clientDeploymentInterface{kclient}.GetDeployment,
GRFn: deployRollback.GenerateRollback,
}
projectStorage := projectproxy.NewREST(kclient.Namespaces(), c.ProjectAuthorizationCache)
namespace, templateName, err := configapi.ParseNamespaceAndName(c.Options.ProjectConfig.ProjectRequestTemplate)
if err != nil {
glog.Errorf("Error parsing project request template value: %v", err)
// we can continue on, the storage that gets created will be valid, it simply won't work properly. There's no reason to kill the master
}
projectRequestStorage := projectrequeststorage.NewREST(c.Options.ProjectConfig.ProjectRequestMessage, namespace, templateName, c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient)
bcClient := c.BuildConfigWebHookClient()
buildConfigWebHooks := buildconfigregistry.NewWebHookREST(
buildConfigRegistry,
buildclient.NewOSClientBuildConfigInstantiatorClient(bcClient),
map[string]webhook.Plugin{
"generic": generic.New(),
"github": github.New(),
},
)
storage := map[string]rest.Storage{
"images": imageStorage,
"imageStreams/secrets": imageStreamSecretsStorage,
"imageStreams": imageStreamStorage,
"imageStreams/status": imageStreamStatusStorage,
"imageStreamImports": imageStreamImportStorage,
"imageStreamImages": imageStreamImageStorage,
"imageStreamMappings": imageStreamMappingStorage,
"imageStreamTags": imageStreamTagStorage,
"applications": applicationStorage,
"serviceBrokers": serviceBrokerStorage,
"backingServices": backingServiceStorage,
"backingServiceInstances": backingServiceInstanceEtcd,
"backingServiceInstances/binding": backingServiceInstanceBindingEtcd,
"deploymentConfigs": deployConfigStorage,
"deploymentConfigs/scale": deployConfigScaleStorage,
"generateDeploymentConfigs": deployconfiggenerator.NewREST(deployConfigGenerator, c.EtcdHelper.Codec()),
"deploymentConfigRollbacks": deployrollback.NewREST(deployRollbackClient, c.EtcdHelper.Codec()),
"deploymentConfigs/log": deploylogregistry.NewREST(configClient, kclient, c.DeploymentLogClient(), kubeletClient),
"processedTemplates": templateregistry.NewREST(),
"templates": templateetcd.NewREST(c.EtcdHelper),
"routes": routeStorage,
"routes/status": routeStatusStorage,
"projects": projectStorage,
"projectRequests": projectRequestStorage,
"hostSubnets": hostSubnetStorage,
"netNamespaces": netNamespaceStorage,
"clusterNetworks": clusterNetworkStorage,
"users": userStorage,
"groups": groupetcd.NewREST(c.EtcdHelper),
"identities": identityStorage,
"userIdentityMappings": userIdentityMappingStorage,
"oAuthAuthorizeTokens": authorizetokenetcd.NewREST(c.EtcdHelper),
"oAuthAccessTokens": accesstokenetcd.NewREST(c.EtcdHelper),
"oAuthClients": clientetcd.NewREST(c.EtcdHelper),
"oAuthClientAuthorizations": clientauthetcd.NewREST(c.EtcdHelper),
"resourceAccessReviews": resourceAccessReviewStorage,
"subjectAccessReviews": subjectAccessReviewStorage,
"localSubjectAccessReviews": localSubjectAccessReviewStorage,
"localResourceAccessReviews": localResourceAccessReviewStorage,
"policies": policyStorage,
"policyBindings": policyBindingStorage,
"roles": roleStorage,
"roleBindings": roleBindingStorage,
"clusterPolicies": clusterPolicyStorage,
"clusterPolicyBindings": clusterPolicyBindingStorage,
"clusterRoleBindings": clusterRoleBindingStorage,
"clusterRoles": clusterRoleStorage,
}
if configapi.IsBuildEnabled(&c.Options) {
storage["builds"] = buildStorage
storage["buildConfigs"] = buildConfigStorage
storage["buildConfigs/webhooks"] = buildConfigWebHooks
storage["builds/clone"] = buildclone.NewStorage(buildGenerator)
storage["buildConfigs/instantiate"] = buildconfiginstantiate.NewStorage(buildGenerator)
storage["buildConfigs/instantiatebinary"] = buildconfiginstantiate.NewBinaryStorage(buildGenerator, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/log"] = buildlogregistry.NewREST(buildStorage, buildStorage, c.BuildLogClient(), kubeletClient)
storage["builds/details"] = buildDetailsStorage
}
return storage
}
func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
if !change {
fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
}
mapper := cmdclientcmd.ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: registered.RESTMapper()}}
typer := kapi.Scheme
clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
return nil, nil
})
r := resource.NewBuilder(mapper, typer, clientMapper, kapi.Codecs.UniversalDecoder()).
FilenameParam(false, false, policyFile).
Flatten().
Do()
if r.Err() != nil {
return r.Err()
}
policyStorage, err := policyetcd.NewStorage(optsGetter)
if err != nil {
return err
}
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(optsGetter)
if err != nil {
return err
}
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicyetcd.NewStorage(optsGetter)
if err != nil {
return err
}
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewStorage(optsGetter)
if err != nil {
return err
}
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
policyListerNamespacer{registry: policyRegistry},
policyBindingListerNamespacer{registry: policyBindingRegistry},
clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterPolicyBindingRegistry},
)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver)
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver)
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry)
return r.Visit(func(info *resource.Info, err error) error {
if err != nil {
return err
}
template, ok := info.Object.(*templateapi.Template)
if !ok {
return errors.New("policy must be contained in a template. One can be created with '" + createBootstrapPolicyCommand + "'.")
}
runtime.DecodeList(template.Objects, kapi.Codecs.UniversalDecoder())
for _, item := range template.Objects {
switch t := item.(type) {
case *authorizationapi.Role:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
roleStorage.Delete(ctx, t.Name, nil)
if _, err := roleStorage.CreateRoleWithEscalation(ctx, t); err != nil {
return err
}
} else {
fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRole(t); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.RoleBinding:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
roleBindingStorage.Delete(ctx, t.Name, nil)
if _, err := roleBindingStorage.CreateRoleBindingWithEscalation(ctx, t); err != nil {
return err
}
} else {
fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRoleBinding(t, nil, nil); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.ClusterRole:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
clusterRoleStorage.Delete(ctx, t.Name, nil)
if _, err := clusterRoleStorage.CreateClusterRoleWithEscalation(ctx, t); err != nil {
return err
}
} else {
fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRole(authorizationapi.ToRole(t)); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.ClusterRoleBinding:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
clusterRoleBindingStorage.Delete(ctx, t.Name, nil)
if _, err := clusterRoleBindingStorage.CreateClusterRoleBindingWithEscalation(ctx, t); err != nil {
return err
}
} else {
fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRoleBinding(authorizationapi.ToRoleBinding(t), nil, nil); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
default:
return fmt.Errorf("only roles and rolebindings may be created in this mode, not: %v", reflect.TypeOf(t))
}
}
if !change {
fmt.Fprintf(out, "To make the changes described above, pass --force\n")
}
return nil
})
}
func OverwriteBootstrapPolicy(optsGetter restoptions.Getter, policyFile, createBootstrapPolicyCommand string, change bool, out io.Writer) error {
if !change {
fmt.Fprintf(out, "Performing a dry run of policy overwrite:\n\n")
}
mapper := cmdclientcmd.ShortcutExpander{RESTMapper: kubectl.ShortcutExpander{RESTMapper: registered.RESTMapper()}}
typer := kapi.Scheme
clientMapper := resource.ClientMapperFunc(func(mapping *meta.RESTMapping) (resource.RESTClient, error) {
return nil, nil
})
r := resource.NewBuilder(mapper, typer, clientMapper, kapi.Codecs.UniversalDecoder()).
FilenameParam(false, false, policyFile).
Flatten().
Do()
if r.Err() != nil {
return r.Err()
}
policyStorage, err := policyetcd.NewStorage(optsGetter)
if err != nil {
return err
}
policyRegistry := policyregistry.NewRegistry(policyStorage)
policyBindingStorage, err := policybindingetcd.NewStorage(optsGetter)
if err != nil {
return err
}
policyBindingRegistry := policybindingregistry.NewRegistry(policyBindingStorage)
clusterPolicyStorage, err := clusterpolicyetcd.NewStorage(optsGetter)
if err != nil {
return err
}
clusterPolicyRegistry := clusterpolicyregistry.NewRegistry(clusterPolicyStorage)
clusterPolicyBindingStorage, err := clusterpolicybindingetcd.NewStorage(optsGetter)
if err != nil {
return err
}
clusterPolicyBindingRegistry := clusterpolicybindingregistry.NewRegistry(clusterPolicyBindingStorage)
ruleResolver := rulevalidation.NewDefaultRuleResolver(
policyListerNamespacer{registry: policyRegistry},
policyBindingListerNamespacer{registry: policyBindingRegistry},
clusterpolicyregistry.ReadOnlyClusterPolicy{Registry: clusterPolicyRegistry},
clusterpolicybindingregistry.ReadOnlyClusterPolicyBinding{Registry: clusterPolicyBindingRegistry},
)
roleStorage := rolestorage.NewVirtualStorage(policyRegistry, ruleResolver, nil, authorizationapi.Resource("role"))
roleBindingStorage := rolebindingstorage.NewVirtualStorage(policyBindingRegistry, ruleResolver, nil, authorizationapi.Resource("rolebinding"))
clusterRoleStorage := clusterrolestorage.NewClusterRoleStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry, nil)
clusterRoleBindingStorage := clusterrolebindingstorage.NewClusterRoleBindingStorage(clusterPolicyRegistry, clusterPolicyBindingRegistry, nil)
return r.Visit(func(info *resource.Info, err error) error {
if err != nil {
return err
}
template, ok := info.Object.(*templateapi.Template)
if !ok {
return errors.New("policy must be contained in a template. One can be created with '" + createBootstrapPolicyCommand + "'.")
}
runtime.DecodeList(template.Objects, kapi.Codecs.UniversalDecoder())
// For each object, we attempt the following to maximize our ability to persist the desired objects, while minimizing etcd write thrashing:
// 1. Create the object (no-ops if the object already exists)
// 2. If the object already exists, attempt to update the object (no-ops if an identical object is already persisted)
// 3. If we encounter any error updating, delete and recreate
errs := []error{}
for _, item := range template.Objects {
switch t := item.(type) {
case *authorizationapi.Role:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
// Attempt to create
_, err := roleStorage.CreateRoleWithEscalation(ctx, t)
// Unconditional replace if it already exists
if kapierrors.IsAlreadyExists(err) {
_, _, err = roleStorage.UpdateRoleWithEscalation(ctx, t)
}
// Delete and recreate as a last resort
if err != nil {
roleStorage.Delete(ctx, t.Name, nil)
_, err = roleStorage.CreateRoleWithEscalation(ctx, t)
}
// Gather any error
if err != nil {
errs = append(errs, err)
}
} else {
fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRole(t); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.RoleBinding:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
// Attempt to create
_, err := roleBindingStorage.CreateRoleBindingWithEscalation(ctx, t)
// Unconditional replace if it already exists
if kapierrors.IsAlreadyExists(err) {
_, _, err = roleBindingStorage.UpdateRoleBindingWithEscalation(ctx, t)
}
// Delete and recreate as a last resort
if err != nil {
roleBindingStorage.Delete(ctx, t.Name, nil)
_, err = roleBindingStorage.CreateRoleBindingWithEscalation(ctx, t)
}
// Gather any error
if err != nil {
errs = append(errs, err)
}
} else {
fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRoleBinding(t, nil, nil); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.ClusterRole:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
// Attempt to create
_, err := clusterRoleStorage.CreateClusterRoleWithEscalation(ctx, t)
// Unconditional replace if it already exists
if kapierrors.IsAlreadyExists(err) {
_, _, err = clusterRoleStorage.UpdateClusterRoleWithEscalation(ctx, t)
}
// Delete and recreate as a last resort
if err != nil {
clusterRoleStorage.Delete(ctx, t.Name, nil)
_, err = clusterRoleStorage.CreateClusterRoleWithEscalation(ctx, t)
}
// Gather any error
if err != nil {
errs = append(errs, err)
}
} else {
fmt.Fprintf(out, "Overwrite role %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRole(authorizationapi.ToRole(t)); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
case *authorizationapi.ClusterRoleBinding:
ctx := kapi.WithNamespace(kapi.NewContext(), t.Namespace)
if change {
// Attempt to create
_, err := clusterRoleBindingStorage.CreateClusterRoleBindingWithEscalation(ctx, t)
// Unconditional replace if it already exists
if kapierrors.IsAlreadyExists(err) {
_, _, err = clusterRoleBindingStorage.UpdateClusterRoleBindingWithEscalation(ctx, t)
}
// Delete and recreate as a last resort
if err != nil {
clusterRoleBindingStorage.Delete(ctx, t.Name, nil)
_, err = clusterRoleBindingStorage.CreateClusterRoleBindingWithEscalation(ctx, t)
}
// Gather any error
if err != nil {
errs = append(errs, err)
}
} else {
fmt.Fprintf(out, "Overwrite role binding %s/%s\n", t.Namespace, t.Name)
if s, err := describe.DescribeRoleBinding(authorizationapi.ToRoleBinding(t), nil, nil); err == nil {
fmt.Fprintf(out, "%s\n", s)
}
}
default:
errs = append(errs, fmt.Errorf("only roles and rolebindings may be created in this mode, not: %v", reflect.TypeOf(t)))
}
}
if !change {
fmt.Fprintf(out, "To make the changes described above, pass --force\n")
}
return kerrors.NewAggregate(errs)
})
}
