...

Source file src/k8s.io/kubernetes/pkg/controlplane/apiserver/options/options_test.go

Documentation: k8s.io/kubernetes/pkg/controlplane/apiserver/options

     1  /*
     2  Copyright 2023 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package options
    18  
    19  import (
    20  	"reflect"
    21  	"testing"
    22  	"time"
    23  
    24  	"github.com/google/go-cmp/cmp"
    25  	"github.com/google/go-cmp/cmp/cmpopts"
    26  	"github.com/spf13/pflag"
    27  	oteltrace "go.opentelemetry.io/otel/trace"
    28  
    29  	"k8s.io/apiserver/pkg/admission"
    30  	apiserveroptions "k8s.io/apiserver/pkg/server/options"
    31  	"k8s.io/apiserver/pkg/storage/etcd3"
    32  	"k8s.io/apiserver/pkg/storage/storagebackend"
    33  	auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered"
    34  	audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate"
    35  	cliflag "k8s.io/component-base/cli/flag"
    36  	"k8s.io/component-base/logs"
    37  	"k8s.io/component-base/metrics"
    38  	netutils "k8s.io/utils/net"
    39  
    40  	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
    41  )
    42  
    43  func TestAddFlags(t *testing.T) {
    44  	fs := pflag.NewFlagSet("addflagstest", pflag.PanicOnError)
    45  	s := NewOptions()
    46  	var fss cliflag.NamedFlagSets
    47  	s.AddFlags(&fss)
    48  	for _, f := range fss.FlagSets {
    49  		fs.AddFlagSet(f)
    50  	}
    51  
    52  	args := []string{
    53  		"--enable-admission-plugins=AlwaysDeny",
    54  		"--admission-control-config-file=/admission-control-config",
    55  		"--advertise-address=192.168.10.10",
    56  		"--anonymous-auth=false",
    57  		"--audit-log-maxage=11",
    58  		"--audit-log-maxbackup=12",
    59  		"--audit-log-maxsize=13",
    60  		"--audit-log-path=/var/log",
    61  		"--audit-log-mode=blocking",
    62  		"--audit-log-batch-buffer-size=46",
    63  		"--audit-log-batch-max-size=47",
    64  		"--audit-log-batch-max-wait=48s",
    65  		"--audit-log-batch-throttle-enable=true",
    66  		"--audit-log-batch-throttle-qps=49.5",
    67  		"--audit-log-batch-throttle-burst=50",
    68  		"--audit-log-truncate-enabled=true",
    69  		"--audit-log-truncate-max-batch-size=45",
    70  		"--audit-log-truncate-max-event-size=44",
    71  		"--audit-log-version=audit.k8s.io/v1",
    72  		"--audit-policy-file=/policy",
    73  		"--audit-webhook-config-file=/webhook-config",
    74  		"--audit-webhook-mode=blocking",
    75  		"--audit-webhook-batch-buffer-size=42",
    76  		"--audit-webhook-batch-max-size=43",
    77  		"--audit-webhook-batch-max-wait=1s",
    78  		"--audit-webhook-batch-throttle-enable=false",
    79  		"--audit-webhook-batch-throttle-qps=43.5",
    80  		"--audit-webhook-batch-throttle-burst=44",
    81  		"--audit-webhook-truncate-enabled=true",
    82  		"--audit-webhook-truncate-max-batch-size=43",
    83  		"--audit-webhook-truncate-max-event-size=42",
    84  		"--audit-webhook-initial-backoff=2s",
    85  		"--audit-webhook-version=audit.k8s.io/v1",
    86  		"--authentication-token-webhook-cache-ttl=3m",
    87  		"--authentication-token-webhook-config-file=/token-webhook-config",
    88  		"--authorization-mode=AlwaysDeny,RBAC",
    89  		"--authorization-policy-file=/policy",
    90  		"--authorization-webhook-cache-authorized-ttl=3m",
    91  		"--authorization-webhook-cache-unauthorized-ttl=1m",
    92  		"--authorization-webhook-config-file=/webhook-config",
    93  		"--bind-address=192.168.10.20",
    94  		"--client-ca-file=/client-ca",
    95  		"--cors-allowed-origins=10.10.10.100,10.10.10.200",
    96  		"--contention-profiling=true",
    97  		"--egress-selector-config-file=/var/run/kubernetes/egress-selector/connectivity.yaml",
    98  		"--enable-aggregator-routing=true",
    99  		"--enable-priority-and-fairness=false",
   100  		"--enable-logs-handler=false",
   101  		"--etcd-keyfile=/var/run/kubernetes/etcd.key",
   102  		"--etcd-certfile=/var/run/kubernetes/etcdce.crt",
   103  		"--etcd-cafile=/var/run/kubernetes/etcdca.crt",
   104  		"--http2-max-streams-per-connection=42",
   105  		"--tracing-config-file=/var/run/kubernetes/tracing_config.yaml",
   106  		"--proxy-client-cert-file=/var/run/kubernetes/proxy.crt",
   107  		"--proxy-client-key-file=/var/run/kubernetes/proxy.key",
   108  		"--request-timeout=2m",
   109  		"--storage-backend=etcd3",
   110  		"--lease-reuse-duration-seconds=100",
   111  	}
   112  	fs.Parse(args)
   113  
   114  	// This is a snapshot of expected options parsed by args.
   115  	expected := &Options{
   116  		GenericServerRunOptions: &apiserveroptions.ServerRunOptions{
   117  			AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
   118  			CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
   119  			MaxRequestsInFlight:         400,
   120  			MaxMutatingRequestsInFlight: 200,
   121  			RequestTimeout:              time.Duration(2) * time.Minute,
   122  			MinRequestTimeout:           1800,
   123  			JSONPatchMaxCopyBytes:       int64(3 * 1024 * 1024),
   124  			MaxRequestBodyBytes:         int64(3 * 1024 * 1024),
   125  		},
   126  		Admission: &kubeoptions.AdmissionOptions{
   127  			GenericAdmission: &apiserveroptions.AdmissionOptions{
   128  				RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder,
   129  				DefaultOffPlugins:      s.Admission.GenericAdmission.DefaultOffPlugins,
   130  				EnablePlugins:          []string{"AlwaysDeny"},
   131  				ConfigFile:             "/admission-control-config",
   132  				Plugins:                s.Admission.GenericAdmission.Plugins,
   133  				Decorators:             s.Admission.GenericAdmission.Decorators,
   134  			},
   135  		},
   136  		Etcd: &apiserveroptions.EtcdOptions{
   137  			StorageConfig: storagebackend.Config{
   138  				Type: "etcd3",
   139  				Transport: storagebackend.TransportConfig{
   140  					ServerList:     nil,
   141  					KeyFile:        "/var/run/kubernetes/etcd.key",
   142  					TrustedCAFile:  "/var/run/kubernetes/etcdca.crt",
   143  					CertFile:       "/var/run/kubernetes/etcdce.crt",
   144  					TracerProvider: oteltrace.NewNoopTracerProvider(),
   145  				},
   146  				Prefix:                "/registry",
   147  				CompactionInterval:    storagebackend.DefaultCompactInterval,
   148  				CountMetricPollPeriod: time.Minute,
   149  				DBMetricPollInterval:  storagebackend.DefaultDBMetricPollInterval,
   150  				HealthcheckTimeout:    storagebackend.DefaultHealthcheckTimeout,
   151  				ReadycheckTimeout:     storagebackend.DefaultReadinessTimeout,
   152  				LeaseManagerConfig: etcd3.LeaseManagerConfig{
   153  					ReuseDurationSeconds: 100,
   154  					MaxObjectCount:       1000,
   155  				},
   156  			},
   157  			DefaultStorageMediaType: "application/vnd.kubernetes.protobuf",
   158  			DeleteCollectionWorkers: 1,
   159  			EnableGarbageCollection: true,
   160  			EnableWatchCache:        true,
   161  			DefaultWatchCacheSize:   100,
   162  		},
   163  		SecureServing: (&apiserveroptions.SecureServingOptions{
   164  			BindAddress: netutils.ParseIPSloppy("192.168.10.20"),
   165  			BindPort:    6443,
   166  			ServerCert: apiserveroptions.GeneratableKeyCert{
   167  				CertDirectory: "/var/run/kubernetes",
   168  				PairName:      "apiserver",
   169  			},
   170  			HTTP2MaxStreamsPerConnection: 42,
   171  			Required:                     true,
   172  		}).WithLoopback(),
   173  		EventTTL: 1 * time.Hour,
   174  		Audit: &apiserveroptions.AuditOptions{
   175  			LogOptions: apiserveroptions.AuditLogOptions{
   176  				Path:       "/var/log",
   177  				MaxAge:     11,
   178  				MaxBackups: 12,
   179  				MaxSize:    13,
   180  				Format:     "json",
   181  				BatchOptions: apiserveroptions.AuditBatchOptions{
   182  					Mode: "blocking",
   183  					BatchConfig: auditbuffered.BatchConfig{
   184  						BufferSize:     46,
   185  						MaxBatchSize:   47,
   186  						MaxBatchWait:   48 * time.Second,
   187  						ThrottleEnable: true,
   188  						ThrottleQPS:    49.5,
   189  						ThrottleBurst:  50,
   190  					},
   191  				},
   192  				TruncateOptions: apiserveroptions.AuditTruncateOptions{
   193  					Enabled: true,
   194  					TruncateConfig: audittruncate.Config{
   195  						MaxBatchSize: 45,
   196  						MaxEventSize: 44,
   197  					},
   198  				},
   199  				GroupVersionString: "audit.k8s.io/v1",
   200  			},
   201  			WebhookOptions: apiserveroptions.AuditWebhookOptions{
   202  				ConfigFile: "/webhook-config",
   203  				BatchOptions: apiserveroptions.AuditBatchOptions{
   204  					Mode: "blocking",
   205  					BatchConfig: auditbuffered.BatchConfig{
   206  						BufferSize:     42,
   207  						MaxBatchSize:   43,
   208  						MaxBatchWait:   1 * time.Second,
   209  						ThrottleEnable: false,
   210  						ThrottleQPS:    43.5,
   211  						ThrottleBurst:  44,
   212  						AsyncDelegate:  true,
   213  					},
   214  				},
   215  				TruncateOptions: apiserveroptions.AuditTruncateOptions{
   216  					Enabled: true,
   217  					TruncateConfig: audittruncate.Config{
   218  						MaxBatchSize: 43,
   219  						MaxEventSize: 42,
   220  					},
   221  				},
   222  				InitialBackoff:     2 * time.Second,
   223  				GroupVersionString: "audit.k8s.io/v1",
   224  			},
   225  			PolicyFile: "/policy",
   226  		},
   227  		Features: &apiserveroptions.FeatureOptions{
   228  			EnableProfiling:           true,
   229  			EnableContentionProfiling: true,
   230  		},
   231  		Authentication: &kubeoptions.BuiltInAuthenticationOptions{
   232  			Anonymous: &kubeoptions.AnonymousAuthenticationOptions{
   233  				Allow: false,
   234  			},
   235  			ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
   236  				ClientCA: "/client-ca",
   237  			},
   238  			WebHook: &kubeoptions.WebHookAuthenticationOptions{
   239  				CacheTTL:     180000000000,
   240  				ConfigFile:   "/token-webhook-config",
   241  				Version:      "v1beta1",
   242  				RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
   243  			},
   244  			BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{},
   245  			OIDC:           s.Authentication.OIDC,
   246  			RequestHeader:  &apiserveroptions.RequestHeaderAuthenticationOptions{},
   247  			ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
   248  				Lookup:           true,
   249  				ExtendExpiration: true,
   250  			},
   251  			TokenFile:            &kubeoptions.TokenFileAuthenticationOptions{},
   252  			TokenSuccessCacheTTL: 10 * time.Second,
   253  			TokenFailureCacheTTL: 0,
   254  		},
   255  		Authorization: &kubeoptions.BuiltInAuthorizationOptions{
   256  			Modes:                       []string{"AlwaysDeny", "RBAC"},
   257  			PolicyFile:                  "/policy",
   258  			WebhookConfigFile:           "/webhook-config",
   259  			WebhookCacheAuthorizedTTL:   180000000000,
   260  			WebhookCacheUnauthorizedTTL: 60000000000,
   261  			WebhookVersion:              "v1beta1",
   262  			WebhookRetryBackoff:         apiserveroptions.DefaultAuthWebhookRetryBackoff(),
   263  		},
   264  		APIEnablement: &apiserveroptions.APIEnablementOptions{
   265  			RuntimeConfig: cliflag.ConfigurationMap{},
   266  		},
   267  		EgressSelector: &apiserveroptions.EgressSelectorOptions{
   268  			ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml",
   269  		},
   270  		EnableLogsHandler:       false,
   271  		EnableAggregatorRouting: true,
   272  		ProxyClientKeyFile:      "/var/run/kubernetes/proxy.key",
   273  		ProxyClientCertFile:     "/var/run/kubernetes/proxy.crt",
   274  		Metrics:                 &metrics.Options{},
   275  		Logs:                    logs.NewOptions(),
   276  		Traces: &apiserveroptions.TracingOptions{
   277  			ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
   278  		},
   279  		AggregatorRejectForwardingRedirects: true,
   280  	}
   281  
   282  	expected.Authentication.OIDC.UsernameClaim = "sub"
   283  	expected.Authentication.OIDC.SigningAlgs = []string{"RS256"}
   284  
   285  	if !s.Authorization.AreLegacyFlagsSet() {
   286  		t.Errorf("expected legacy authorization flags to be set")
   287  	}
   288  	// setting the method to nil since methods can't be compared with reflect.DeepEqual
   289  	s.Authorization.AreLegacyFlagsSet = nil
   290  
   291  	if !reflect.DeepEqual(expected, s) {
   292  		t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", cmp.Diff(expected, s, cmpopts.IgnoreUnexported(admission.Plugins{}, kubeoptions.OIDCAuthenticationOptions{})))
   293  	}
   294  }
   295  

View as plain text