// DefaultBuildHandlerChain wraps apiHandler in the default filter stack and
// returns one chain for the secure listener and one for the insecure listener.
//
// Every With* call wraps the handler built so far, so a filter added later sits
// further out and handles the request earlier. Read outermost-first:
//
//	secure:   request context -> request info -> max in flight -> timeout ->
//	          panic recovery -> CORS -> authentication -> audit ->
//	          impersonation -> authorization -> apiHandler
//	insecure: request context -> request info -> max in flight -> timeout ->
//	          panic recovery -> CORS -> audit -> apiHandler
//
// The insecure chain is audited but has no authentication, impersonation or
// authorization filter, so the listener serving it must not be reachable by
// untrusted clients.
func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) (secure, insecure http.Handler) {
	// withAudit records requests through c.AuditWriter.
	withAudit := func(next http.Handler) http.Handler {
		return genericapifilters.WithAudit(next, c.RequestContextMapper, c.AuditWriter)
	}

	// withAccessControl adds the identity and policy filters used only by the
	// secure chain. The wrapping order is security-relevant: do not reorder.
	withAccessControl := func(next http.Handler) http.Handler {
		next = genericapifilters.WithAuthorization(next, c.RequestContextMapper, c.Authorizer)
		next = genericapifilters.WithImpersonation(next, c.RequestContextMapper, c.Authorizer)
		// Audit wraps impersonation so that it runs first and records the
		// original user rather than the impersonated one.
		next = withAudit(next)
		onFailure := genericapifilters.Unauthorized(c.SupportsBasicAuth)
		return genericapifilters.WithAuthentication(next, c.RequestContextMapper, c.Authenticator, onFailure)
	}

	// withCommonFilters adds the filters shared by both chains.
	withCommonFilters := func(next http.Handler) http.Handler {
		// NOTE(review): the trailing "true" looks like the allow-credentials
		// setting; confirm against WithCORS. If so, CorsAllowedOriginList
		// should stay as narrow as possible.
		next = genericfilters.WithCORS(next, c.CorsAllowedOriginList, nil, nil, nil, "true")
		next = genericfilters.WithPanicRecovery(next, c.RequestContextMapper)
		next = genericfilters.WithTimeoutForNonLongRunningRequests(next, c.RequestContextMapper, c.LongRunningFunc)
		next = genericfilters.WithMaxInFlightLimit(next, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc)
		resolver := NewRequestInfoResolver(c)
		next = genericapifilters.WithRequestInfo(next, resolver, c.RequestContextMapper)
		return apirequest.WithRequestContext(next, c.RequestContextMapper)
	}

	secure = withCommonFilters(withAccessControl(apiHandler))
	insecure = withCommonFilters(withAudit(apiHandler))
	return secure, insecure
}
// handlerChain builds the handler chain for this API server. A custom chain is
// needed so that `/apis` gets custom handling: discovery is hosted differently
// here than anywhere else, and so are the endpoints, because every group except
// apiregistration.k8s.io is proxied.
//
// Every With* call wraps the handler built so far, so a filter added later sits
// further out and handles the request earlier. Read outermost-first:
//
//	request context -> request info -> max in flight -> timeout ->
//	panic recovery -> CORS -> authentication -> audit -> impersonation ->
//	proxy mux -> authorization -> WithAPIs -> apiHandler
//
// Only a secure chain is built; the insecure result is always nil.
func (h *handlerChainConfig) handlerChain(apiHandler http.Handler, c *genericapiserver.Config) (secure, insecure http.Handler) {
	// Installed as a filter so that `/apis` never collides with
	// "already registered" failures.
	apiServices := h.informers.Apiregistration().InternalVersion().APIServices()
	chain := WithAPIs(apiHandler, apiServices, h.serviceLister, h.endpointsLister)

	chain = genericapifilters.WithAuthorization(chain, c.RequestContextMapper, c.Authorizer)

	// The proxy mux wraps the authorization filter, so it is NOT protected by
	// authorization here, but it DOES see authentication information. That lets
	// everyone reach the proxy while the user is still properly identified.
	// Authorization is left to the backing API server, so every backend behind
	// this mux has to enforce it for the identity it is handed.
	chain = WithProxyMux(chain, h.proxyMux)

	chain = genericapifilters.WithImpersonation(chain, c.RequestContextMapper, c.Authorizer)

	// Audit goes to stdout to help with debugging while this gets started.
	// NOTE(review): the writer is hard-coded, so audit output does not follow
	// any audit writer configured on c; revisit before relying on it.
	chain = genericapifilters.WithAudit(chain, c.RequestContextMapper, os.Stdout)

	onFailure := genericapifilters.Unauthorized(c.SupportsBasicAuth)
	chain = genericapifilters.WithAuthentication(chain, c.RequestContextMapper, c.Authenticator, onFailure)

	// NOTE(review): the trailing "true" looks like the allow-credentials
	// setting; confirm against WithCORS. If so, CorsAllowedOriginList should
	// stay as narrow as possible.
	chain = genericfilters.WithCORS(chain, c.CorsAllowedOriginList, nil, nil, nil, "true")
	chain = genericfilters.WithPanicRecovery(chain, c.RequestContextMapper)
	chain = genericfilters.WithTimeoutForNonLongRunningRequests(chain, c.RequestContextMapper, c.LongRunningFunc)
	chain = genericfilters.WithMaxInFlightLimit(chain, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.RequestContextMapper, c.LongRunningFunc)

	resolver := genericapiserver.NewRequestInfoResolver(c)
	chain = genericapifilters.WithRequestInfo(chain, resolver, c.RequestContextMapper)
	chain = genericapirequest.WithRequestContext(chain, c.RequestContextMapper)

	return chain, nil
}