Merge pull request kubernetes#120985 from palnabarun/3221/fix-authorizer-name

k8s-ci-robot · web-flow · commit 6f5fa2eb2f4d · 2023-10-04T15:45:29.000+02:00
[StructuredAuthorizationConfiguration] Fix the level at which authorizer name is surfaced
diff --git a/pkg/kubeapiserver/options/authorization.go b/pkg/kubeapiserver/options/authorization.go
@@ -167,8 +167,8 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 		case authzmodes.ModeWebhook:
 			authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{
 				Type: authzconfig.TypeWebhook,
+				Name: defaultWebhookName,
 				Webhook: &authzconfig.WebhookConfiguration{
-					Name:            defaultWebhookName,
 					AuthorizedTTL:   metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
 					UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
 					// Timeout and FailurePolicy are required for the new configuration.
@@ -183,9 +183,18 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 				},
 			})
 		default:
-			authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{Type: authzconfig.AuthorizerType(mode)})
+			authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{
+				Type: authzconfig.AuthorizerType(mode),
+				Name: getNameForAuthorizerMode(mode),
+			})
 		}
 	}
 
 	return &authzconfig.AuthorizationConfiguration{Authorizers: authorizers}, nil
 }
+
+// getNameForAuthorizerMode returns the name to be set for the mode in AuthorizationConfiguration
+// For now, lower cases the mode name
+func getNameForAuthorizerMode(mode string) string {
+	return strings.ToLower(mode)
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
@@ -228,18 +228,19 @@ type AuthorizerConfiguration struct {
 	// types like Node, RBAC, ABAC, etc.
 	Type AuthorizerType
 
+	// Name used to describe the webhook
+	// This is explicitly used in monitoring machinery for metrics
+	// Note: Names must be DNS1123 labels like `myauthorizername` or
+	//		 subdomains like `myauthorizer.example.domain`
+	// Required, with no default
+	Name string
+
 	// Webhook defines the configuration for a Webhook authorizer
 	// Must be defined when Type=Webhook
 	Webhook *WebhookConfiguration
 }
 
 type WebhookConfiguration struct {
-	// Name used to describe the webhook
-	// This is explicitly used in monitoring machinery for metrics
-	// Note: Names must be DNS1123 labels like `mywebhookname` or
-	//		 subdomains like `webhookname.example.domain`
-	// Required, with no default
-	Name string
 	// The duration to cache 'authorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
@@ -298,19 +298,20 @@ type AuthorizerConfiguration struct {
 	// types like Node, RBAC, ABAC, etc.
 	Type string `json:"type"`
 
+	// Name used to describe the webhook
+	// This is explicitly used in monitoring machinery for metrics
+	// Note: Names must be DNS1123 labels like `myauthorizername` or
+	//		 subdomains like `myauthorizer.example.domain`
+	// Required, with no default
+	Name string `json:"name"`
+
 	// Webhook defines the configuration for a Webhook authorizer
 	// Must be defined when Type=Webhook
 	// Must not be defined when Type!=Webhook
 	Webhook *WebhookConfiguration `json:"webhook,omitempty"`
 }
 
 type WebhookConfiguration struct {
-	// Name used to describe the webhook
-	// This is explicitly used in monitoring machinery for metrics
-	// Note: Names must be DNS1123 labels like `mywebhookname` or
-	//		 subdomains like `webhookname.example.domain`
-	// Required, with no default
-	Name string `json:"name"`
 	// The duration to cache 'authorized' responses from the webhook
 	// authorizer.
 	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
@@ -18,6 +18,7 @@ package validation
 
 import (
 	"fmt"
+	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -28,7 +29,6 @@ import (
 	"k8s.io/api/authorization/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/sets"
-	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	api "k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/client-go/util/cert"
@@ -220,7 +220,7 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
 	}
 
 	seenAuthorizerTypes := sets.NewString()
-	seenWebhookNames := sets.NewString()
+	seenAuthorizerNames := sets.NewString()
 	for i, a := range c.Authorizers {
 		fldPath := fldPath.Child("authorizers").Index(i)
 		aType := string(a.Type)
@@ -238,13 +238,22 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
 		}
 		seenAuthorizerTypes.Insert(aType)
 
+		if len(a.Name) == 0 {
+			allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+		} else if seenAuthorizerNames.Has(a.Name) {
+			allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), a.Name))
+		} else if errs := utilvalidation.IsDNS1123Subdomain(a.Name); len(errs) != 0 {
+			allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), a.Name, fmt.Sprintf("authorizer name is invalid: %s", strings.Join(errs, ", "))))
+		}
+		seenAuthorizerNames.Insert(a.Name)
+
 		switch a.Type {
 		case api.TypeWebhook:
 			if a.Webhook == nil {
 				allErrs = append(allErrs, field.Required(fldPath.Child("webhook"), "required when type=Webhook"))
 				continue
 			}
-			allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook, seenWebhookNames)...)
+			allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook)...)
 		default:
 			if a.Webhook != nil {
 				allErrs = append(allErrs, field.Invalid(fldPath.Child("webhook"), "non-null", "may only be specified when type=Webhook"))
@@ -255,16 +264,8 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
 	return allErrs
 }
 
-func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration, seenNames sets.String) field.ErrorList {
+func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration) field.ErrorList {
 	allErrs := field.ErrorList{}
-	if len(c.Name) == 0 {
-		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
-	} else if seenNames.Has(c.Name) {
-		allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), c.Name))
-	} else if errs := utilvalidation.IsDNS1123Subdomain(c.Name); len(errs) != 0 {
-		allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), c.Name, fmt.Sprintf("webhook name is invalid: %s", strings.Join(errs, ", "))))
-	}
-	seenNames.Insert(c.Name)
 
 	if c.Timeout.Duration == 0 {
 		allErrs = append(allErrs, field.Required(fldPath.Child("timeout"), ""))
diff --git a/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go b/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
