add trimmed down version of the built-in k8s authorizer options to the kcp options

On-behalf-of: @SAP [email protected]

Author: xrstf

cmd/kcp/kcp.go

@@ -117,7 +117,9 @@ func main() {
 			logger := klog.FromContext(cmd.Context())
 			logger.Info("running with selected batteries", "batteries", strings.Join(completed.Server.Extra.BatteriesIncluded, ","))
 
-			config, err := server.NewConfig(completed.Server)
+			ctx := genericapiserver.SetupSignalContext()
+
+			serverConfig, err := server.NewConfig(ctx, completed.Server)
 			if err != nil {
 				return err
 			}
@@ -127,8 +129,6 @@ func main() {
 				return err
 			}
 
-			ctx := genericapiserver.SetupSignalContext()
-
 			// the etcd server must be up before NewServer because storage decorators access it right away
 			if completedConfig.EmbeddedEtcd.Config != nil {
 				if err := embeddedetcd.NewServer(completedConfig.EmbeddedEtcd).Run(ctx); err != nil {

pkg/server/config.go

@@ -175,7 +175,7 @@ func (c *Config) Complete() (CompletedConfig, error) {
 
 const KcpBootstrapperUserName = "system:kcp:bootstrapper"
 
-func NewConfig(opts kcpserveroptions.CompletedOptions) (*Config, error) {
+func NewConfig(ctx context.Context, opts kcpserveroptions.CompletedOptions) (*Config, error) {
 	c := &Config{
 		Options: opts,
 	}
@@ -324,7 +324,7 @@ func NewConfig(opts kcpserveroptions.CompletedOptions) (*Config, error) {
 		return nil, err
 	}
 
-	if err := opts.Authorization.ApplyTo(c.GenericConfig, c.KubeSharedInformerFactory, c.CacheKubeSharedInformerFactory, c.KcpSharedInformerFactory, c.CacheKcpSharedInformerFactory); err != nil {
+	if err := opts.Authorization.ApplyTo(ctx, c.GenericConfig, c.KubeSharedInformerFactory, c.CacheKubeSharedInformerFactory, c.KcpSharedInformerFactory, c.CacheKcpSharedInformerFactory); err != nil {
 		return nil, err
 	}
 	var userToken string

pkg/server/options/authorization.go

@@ -17,6 +17,8 @@ limitations under the License.
 package options
 
 import (
+	"context"
+
 	kcpkubernetesinformers "github.com/kcp-dev/client-go/informers"
 	"github.com/spf13/pflag"
 
@@ -25,7 +27,11 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/apiserver/pkg/authorization/path"
 	"k8s.io/apiserver/pkg/authorization/union"
+	"k8s.io/apiserver/pkg/informerfactoryhack"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	"k8s.io/apiserver/pkg/server/egressselector"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
+	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 
 	authz "github.com/kcp-dev/kcp/pkg/authorization"
 	kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
@@ -38,6 +44,10 @@ type Authorization struct {
 
 	// AlwaysAllowGroups are groups which are allowed to take any actions.  In kube, this is privileged system group.
 	AlwaysAllowGroups []string
+
+	// Webhook contains flags to enable an external HTTPS webhook to perform
+	// authorization against. Note that not all built-in options are supported by kcp.
+	Webhook *kubeoptions.BuiltInAuthorizationOptions
 }
 
 func NewAuthorization() *Authorization {
@@ -46,6 +56,7 @@ func NewAuthorization() *Authorization {
 		// This field can be cleared by callers if they don't want this behavior.
 		AlwaysAllowPaths:  []string{"/healthz", "/readyz", "/livez"},
 		AlwaysAllowGroups: []string{user.SystemPrivilegedGroup},
+		Webhook:           kubeoptions.NewBuiltInAuthorizationOptions(),
 	}
 }
 
@@ -61,13 +72,35 @@ func (s *Authorization) WithAlwaysAllowPaths(paths ...string) *Authorization {
 	return s
 }
 
+func (s *Authorization) Complete() error {
+	if s == nil {
+		return nil
+	}
+
+	// kcp only supports optionally specifying an external authorization webhook
+	// in addition to the built-in authorization logic.
+	if s.Webhook.WebhookConfigFile != "" {
+		s.Webhook.Modes = []string{authzmodes.ModeWebhook}
+	} else {
+		s.Webhook = nil
+	}
+
+	return nil
+}
+
 func (s *Authorization) Validate() []error {
 	if s == nil {
 		return nil
 	}
 
 	allErrors := []error{}
 
+	if s.Webhook != nil {
+		if errs := s.Webhook.Validate(); len(errs) > 0 {
+			allErrors = append(allErrors, errs...)
+		}
+	}
+
 	return allErrors
 }
 
@@ -79,11 +112,48 @@ func (s *Authorization) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&s.AlwaysAllowPaths, "authorization-always-allow-paths", s.AlwaysAllowPaths,
 		"A list of HTTP paths to skip during authorization, i.e. these are authorized without "+
 			"contacting the 'core' kubernetes server.")
+
+	// Only surface selected, webhook-related CLI flags
+
+	fs.StringVar(&s.Webhook.WebhookConfigFile, "authorization-webhook-config-file", s.Webhook.WebhookConfigFile,
+		"File with optional webhook configuration in kubeconfig format. The API server will query the remote service to determine access on the API server's secure port.")
+
+	fs.StringVar(&s.Webhook.WebhookVersion, "authorization-webhook-version", s.Webhook.WebhookVersion,
+		"The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.")
+
+	fs.DurationVar(&s.Webhook.WebhookCacheAuthorizedTTL, "authorization-webhook-cache-authorized-ttl", s.Webhook.WebhookCacheAuthorizedTTL,
+		"The duration to cache 'authorized' responses from the webhook authorizer.")
+
+	fs.DurationVar(&s.Webhook.WebhookCacheUnauthorizedTTL, "authorization-webhook-cache-unauthorized-ttl", s.Webhook.WebhookCacheUnauthorizedTTL,
+		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
 }
 
-func (s *Authorization) ApplyTo(config *genericapiserver.Config, kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory) error {
+func (s *Authorization) ApplyTo(ctx context.Context, config *genericapiserver.Config, kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory) error {
 	var authorizers []authorizer.Authorizer
 
+	// re-use the authorizer from the generic control plane (this is only set for webhooks)
+	if webhook := s.Webhook; webhook != nil && webhook.WebhookConfigFile != "" {
+		authorizationConfig, err := webhook.ToAuthorizationConfig(informerfactoryhack.Wrap(kubeInformers))
+		if err != nil {
+			return err
+		}
+
+		if config.EgressSelector != nil {
+			egressDialer, err := config.EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
+			if err != nil {
+				return err
+			}
+			authorizationConfig.CustomDial = egressDialer
+		}
+
+		authorizer, _, err := authorizationConfig.New(ctx, config.APIServerID)
+		if err != nil {
+			return err
+		}
+
+		authorizers = append(authorizers, authorizer)
+	}
+
 	localLogicalClusterLister := kcpInformers.Core().V1alpha1().LogicalClusters().Lister()
 	globalLogicalClusterLister := globalKcpInformers.Core().V1alpha1().LogicalClusters().Lister()
 

pkg/server/options/options.go

@@ -29,7 +29,7 @@ import (
 	genericapiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cliflag "k8s.io/component-base/cli/flag"
 	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options"
-	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 
 	kcpadmission "github.com/kcp-dev/kcp/pkg/admission"
 	etcdoptions "github.com/kcp-dev/kcp/pkg/embeddedetcd/options"
@@ -251,6 +251,10 @@ func (o *Options) Complete(rootDir string) (*CompletedOptions, error) {
 		o.EmbeddedEtcd.Enabled = true
 	}
 
+	if err := o.Authorization.Complete(); err != nil {
+		return nil, err
+	}
+
 	var err error
 	if !filepath.IsAbs(o.EmbeddedEtcd.Directory) {
 		o.EmbeddedEtcd.Directory, err = filepath.Abs(o.EmbeddedEtcd.Directory)
@@ -311,8 +315,6 @@ func (o *Options) Complete(rootDir string) (*CompletedOptions, error) {
 	}
 	if o.GenericControlPlane.ServiceAccountSigningKeyFile == "" {
 		o.GenericControlPlane.ServiceAccountSigningKeyFile = o.Controllers.SAController.ServiceAccountKeyFile
-	}
-
 	completedGenericServerRunOptions, err := o.GenericControlPlane.Complete(nil, nil)
 	if err != nil {
 		return nil, err

test/e2e/framework/kcp.go

@@ -655,7 +655,7 @@ func (c *kcpServer) Run(opts ...RunOption) error {
 			return apierrors.NewAggregate(errs)
 		}
 
-		config, err := server.NewConfig(completed.Server)
+		config, err := server.NewConfig(ctx, completed.Server)
 		if err != nil {
 			cleanup()
 			return err