Properly authorize controller API requests

We were using the wrong client when the controller authorizes
openshift · Jul 25, 2017 · 57515d8 · 57515d8
1 parent cb4bddd
commit 57515d8
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/pkg/cmd/server/origin/master.go b/pkg/cmd/server/origin/master.go
@@ -21,7 +21,6 @@ import (
 	genericroutes "k8s.io/apiserver/pkg/server/routes"
 	authzwebhook "k8s.io/apiserver/plugin/pkg/authorizer/webhook"
 	clientgoclientset "k8s.io/client-go/kubernetes"
-	kclientsetinternal "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	kubeapiserver "k8s.io/kubernetes/pkg/master"
 	kcorestorage "k8s.io/kubernetes/pkg/registry/core/rest"
 
@@ -257,7 +256,7 @@ func (c *MasterConfig) buildHandlerChain(assetConfig *AssetConfig) (func(http.Ha
 }
 
 // TODO refactor this out of this package and split apiserver and controllers for good!
-func RunControllerServer(servingInfo configapi.HTTPServingInfo, kubeInternal kclientsetinternal.Interface) error {
+func RunControllerServer(servingInfo configapi.HTTPServingInfo, kubeExternal clientgoclientset.Interface) error {
 	clientCAs, err := getClientCertCAPool(servingInfo)
 	if err != nil {
 		return err
@@ -271,12 +270,12 @@ func RunControllerServer(servingInfo configapi.HTTPServingInfo, kubeInternal kcl
 	genericroutes.MetricsWithReset{}.Install(mux)
 
 	// TODO: replace me with a service account for controller manager
-	tokenReview := clientgoclientset.New(kubeInternal.Authentication().RESTClient()).AuthenticationV1beta1().TokenReviews()
+	tokenReview := kubeExternal.AuthenticationV1beta1().TokenReviews()
 	authn, err := serverauthenticator.NewRemoteAuthenticator(tokenReview, clientCAs, 5*time.Minute)
 	if err != nil {
 		return err
 	}
-	sarClient := clientgoclientset.New(kubeInternal.Authorization().RESTClient()).AuthorizationV1beta1().SubjectAccessReviews()
+	sarClient := kubeExternal.AuthorizationV1beta1().SubjectAccessReviews()
 	remoteAuthz, err := authzwebhook.NewFromInterface(sarClient, 5*time.Minute, 5*time.Minute)
 	if err != nil {
 		return err

diff --git a/pkg/cmd/server/start/start_master.go b/pkg/cmd/server/start/start_master.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilwait "k8s.io/apimachinery/pkg/util/wait"
+	clientgoclientset "k8s.io/client-go/kubernetes"
 	aggregatorinstall "k8s.io/kube-aggregator/pkg/apis/apiregistration/install"
 	kapi "k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/capabilities"
@@ -422,7 +423,11 @@ func (m *Master) Start() error {
 		if err != nil {
 			return err
 		}
-		kubeInternal, _, err := configapi.GetInternalKubeClient(m.config.MasterClients.OpenShiftLoopbackKubeConfig, m.config.MasterClients.OpenShiftLoopbackClientConnectionOverrides)
+		_, config, err := configapi.GetExternalKubeClient(m.config.MasterClients.OpenShiftLoopbackKubeConfig, m.config.MasterClients.OpenShiftLoopbackClientConnectionOverrides)
+		if err != nil {
+			return err
+		}
+		clientGoKubeExternal, err := clientgoclientset.NewForConfig(config)
 		if err != nil {
 			return err
 		}
@@ -439,7 +444,7 @@ func (m *Master) Start() error {
 			}
 			glog.Infof("Using images from %q", imageTemplate.ExpandOrDie("<component>"))
 
-			if err := origin.RunControllerServer(m.config.ServingInfo, kubeInternal); err != nil {
+			if err := origin.RunControllerServer(m.config.ServingInfo, clientGoKubeExternal); err != nil {
 				return err
 			}
 		}