1
16
17 package options
18
19 import (
20 "reflect"
21 "testing"
22 "time"
23
24 "github.com/google/go-cmp/cmp"
25 "github.com/google/go-cmp/cmp/cmpopts"
26 "github.com/spf13/pflag"
27 oteltrace "go.opentelemetry.io/otel/trace"
28
29 "k8s.io/apiserver/pkg/admission"
30 apiserveroptions "k8s.io/apiserver/pkg/server/options"
31 "k8s.io/apiserver/pkg/storage/etcd3"
32 "k8s.io/apiserver/pkg/storage/storagebackend"
33 auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered"
34 audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate"
35 cliflag "k8s.io/component-base/cli/flag"
36 "k8s.io/component-base/logs"
37 "k8s.io/component-base/metrics"
38 netutils "k8s.io/utils/net"
39
40 kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
41 )
42
43 func TestAddFlags(t *testing.T) {
44 fs := pflag.NewFlagSet("addflagstest", pflag.PanicOnError)
45 s := NewOptions()
46 var fss cliflag.NamedFlagSets
47 s.AddFlags(&fss)
48 for _, f := range fss.FlagSets {
49 fs.AddFlagSet(f)
50 }
51
52 args := []string{
53 "--enable-admission-plugins=AlwaysDeny",
54 "--admission-control-config-file=/admission-control-config",
55 "--advertise-address=192.168.10.10",
56 "--anonymous-auth=false",
57 "--audit-log-maxage=11",
58 "--audit-log-maxbackup=12",
59 "--audit-log-maxsize=13",
60 "--audit-log-path=/var/log",
61 "--audit-log-mode=blocking",
62 "--audit-log-batch-buffer-size=46",
63 "--audit-log-batch-max-size=47",
64 "--audit-log-batch-max-wait=48s",
65 "--audit-log-batch-throttle-enable=true",
66 "--audit-log-batch-throttle-qps=49.5",
67 "--audit-log-batch-throttle-burst=50",
68 "--audit-log-truncate-enabled=true",
69 "--audit-log-truncate-max-batch-size=45",
70 "--audit-log-truncate-max-event-size=44",
71 "--audit-log-version=audit.k8s.io/v1",
72 "--audit-policy-file=/policy",
73 "--audit-webhook-config-file=/webhook-config",
74 "--audit-webhook-mode=blocking",
75 "--audit-webhook-batch-buffer-size=42",
76 "--audit-webhook-batch-max-size=43",
77 "--audit-webhook-batch-max-wait=1s",
78 "--audit-webhook-batch-throttle-enable=false",
79 "--audit-webhook-batch-throttle-qps=43.5",
80 "--audit-webhook-batch-throttle-burst=44",
81 "--audit-webhook-truncate-enabled=true",
82 "--audit-webhook-truncate-max-batch-size=43",
83 "--audit-webhook-truncate-max-event-size=42",
84 "--audit-webhook-initial-backoff=2s",
85 "--audit-webhook-version=audit.k8s.io/v1",
86 "--authentication-token-webhook-cache-ttl=3m",
87 "--authentication-token-webhook-config-file=/token-webhook-config",
88 "--authorization-mode=AlwaysDeny,RBAC",
89 "--authorization-policy-file=/policy",
90 "--authorization-webhook-cache-authorized-ttl=3m",
91 "--authorization-webhook-cache-unauthorized-ttl=1m",
92 "--authorization-webhook-config-file=/webhook-config",
93 "--bind-address=192.168.10.20",
94 "--client-ca-file=/client-ca",
95 "--cors-allowed-origins=10.10.10.100,10.10.10.200",
96 "--contention-profiling=true",
97 "--egress-selector-config-file=/var/run/kubernetes/egress-selector/connectivity.yaml",
98 "--enable-aggregator-routing=true",
99 "--enable-priority-and-fairness=false",
100 "--enable-logs-handler=false",
101 "--etcd-keyfile=/var/run/kubernetes/etcd.key",
102 "--etcd-certfile=/var/run/kubernetes/etcdce.crt",
103 "--etcd-cafile=/var/run/kubernetes/etcdca.crt",
104 "--http2-max-streams-per-connection=42",
105 "--tracing-config-file=/var/run/kubernetes/tracing_config.yaml",
106 "--proxy-client-cert-file=/var/run/kubernetes/proxy.crt",
107 "--proxy-client-key-file=/var/run/kubernetes/proxy.key",
108 "--request-timeout=2m",
109 "--storage-backend=etcd3",
110 "--lease-reuse-duration-seconds=100",
111 }
112 fs.Parse(args)
113
114
115 expected := &Options{
116 GenericServerRunOptions: &apiserveroptions.ServerRunOptions{
117 AdvertiseAddress: netutils.ParseIPSloppy("192.168.10.10"),
118 CorsAllowedOriginList: []string{"10.10.10.100", "10.10.10.200"},
119 MaxRequestsInFlight: 400,
120 MaxMutatingRequestsInFlight: 200,
121 RequestTimeout: time.Duration(2) * time.Minute,
122 MinRequestTimeout: 1800,
123 JSONPatchMaxCopyBytes: int64(3 * 1024 * 1024),
124 MaxRequestBodyBytes: int64(3 * 1024 * 1024),
125 },
126 Admission: &kubeoptions.AdmissionOptions{
127 GenericAdmission: &apiserveroptions.AdmissionOptions{
128 RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder,
129 DefaultOffPlugins: s.Admission.GenericAdmission.DefaultOffPlugins,
130 EnablePlugins: []string{"AlwaysDeny"},
131 ConfigFile: "/admission-control-config",
132 Plugins: s.Admission.GenericAdmission.Plugins,
133 Decorators: s.Admission.GenericAdmission.Decorators,
134 },
135 },
136 Etcd: &apiserveroptions.EtcdOptions{
137 StorageConfig: storagebackend.Config{
138 Type: "etcd3",
139 Transport: storagebackend.TransportConfig{
140 ServerList: nil,
141 KeyFile: "/var/run/kubernetes/etcd.key",
142 TrustedCAFile: "/var/run/kubernetes/etcdca.crt",
143 CertFile: "/var/run/kubernetes/etcdce.crt",
144 TracerProvider: oteltrace.NewNoopTracerProvider(),
145 },
146 Prefix: "/registry",
147 CompactionInterval: storagebackend.DefaultCompactInterval,
148 CountMetricPollPeriod: time.Minute,
149 DBMetricPollInterval: storagebackend.DefaultDBMetricPollInterval,
150 HealthcheckTimeout: storagebackend.DefaultHealthcheckTimeout,
151 ReadycheckTimeout: storagebackend.DefaultReadinessTimeout,
152 LeaseManagerConfig: etcd3.LeaseManagerConfig{
153 ReuseDurationSeconds: 100,
154 MaxObjectCount: 1000,
155 },
156 },
157 DefaultStorageMediaType: "application/vnd.kubernetes.protobuf",
158 DeleteCollectionWorkers: 1,
159 EnableGarbageCollection: true,
160 EnableWatchCache: true,
161 DefaultWatchCacheSize: 100,
162 },
163 SecureServing: (&apiserveroptions.SecureServingOptions{
164 BindAddress: netutils.ParseIPSloppy("192.168.10.20"),
165 BindPort: 6443,
166 ServerCert: apiserveroptions.GeneratableKeyCert{
167 CertDirectory: "/var/run/kubernetes",
168 PairName: "apiserver",
169 },
170 HTTP2MaxStreamsPerConnection: 42,
171 Required: true,
172 }).WithLoopback(),
173 EventTTL: 1 * time.Hour,
174 Audit: &apiserveroptions.AuditOptions{
175 LogOptions: apiserveroptions.AuditLogOptions{
176 Path: "/var/log",
177 MaxAge: 11,
178 MaxBackups: 12,
179 MaxSize: 13,
180 Format: "json",
181 BatchOptions: apiserveroptions.AuditBatchOptions{
182 Mode: "blocking",
183 BatchConfig: auditbuffered.BatchConfig{
184 BufferSize: 46,
185 MaxBatchSize: 47,
186 MaxBatchWait: 48 * time.Second,
187 ThrottleEnable: true,
188 ThrottleQPS: 49.5,
189 ThrottleBurst: 50,
190 },
191 },
192 TruncateOptions: apiserveroptions.AuditTruncateOptions{
193 Enabled: true,
194 TruncateConfig: audittruncate.Config{
195 MaxBatchSize: 45,
196 MaxEventSize: 44,
197 },
198 },
199 GroupVersionString: "audit.k8s.io/v1",
200 },
201 WebhookOptions: apiserveroptions.AuditWebhookOptions{
202 ConfigFile: "/webhook-config",
203 BatchOptions: apiserveroptions.AuditBatchOptions{
204 Mode: "blocking",
205 BatchConfig: auditbuffered.BatchConfig{
206 BufferSize: 42,
207 MaxBatchSize: 43,
208 MaxBatchWait: 1 * time.Second,
209 ThrottleEnable: false,
210 ThrottleQPS: 43.5,
211 ThrottleBurst: 44,
212 AsyncDelegate: true,
213 },
214 },
215 TruncateOptions: apiserveroptions.AuditTruncateOptions{
216 Enabled: true,
217 TruncateConfig: audittruncate.Config{
218 MaxBatchSize: 43,
219 MaxEventSize: 42,
220 },
221 },
222 InitialBackoff: 2 * time.Second,
223 GroupVersionString: "audit.k8s.io/v1",
224 },
225 PolicyFile: "/policy",
226 },
227 Features: &apiserveroptions.FeatureOptions{
228 EnableProfiling: true,
229 EnableContentionProfiling: true,
230 },
231 Authentication: &kubeoptions.BuiltInAuthenticationOptions{
232 Anonymous: &kubeoptions.AnonymousAuthenticationOptions{
233 Allow: false,
234 },
235 ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{
236 ClientCA: "/client-ca",
237 },
238 WebHook: &kubeoptions.WebHookAuthenticationOptions{
239 CacheTTL: 180000000000,
240 ConfigFile: "/token-webhook-config",
241 Version: "v1beta1",
242 RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
243 },
244 BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{},
245 OIDC: s.Authentication.OIDC,
246 RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{},
247 ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
248 Lookup: true,
249 ExtendExpiration: true,
250 },
251 TokenFile: &kubeoptions.TokenFileAuthenticationOptions{},
252 TokenSuccessCacheTTL: 10 * time.Second,
253 TokenFailureCacheTTL: 0,
254 },
255 Authorization: &kubeoptions.BuiltInAuthorizationOptions{
256 Modes: []string{"AlwaysDeny", "RBAC"},
257 PolicyFile: "/policy",
258 WebhookConfigFile: "/webhook-config",
259 WebhookCacheAuthorizedTTL: 180000000000,
260 WebhookCacheUnauthorizedTTL: 60000000000,
261 WebhookVersion: "v1beta1",
262 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(),
263 },
264 APIEnablement: &apiserveroptions.APIEnablementOptions{
265 RuntimeConfig: cliflag.ConfigurationMap{},
266 },
267 EgressSelector: &apiserveroptions.EgressSelectorOptions{
268 ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml",
269 },
270 EnableLogsHandler: false,
271 EnableAggregatorRouting: true,
272 ProxyClientKeyFile: "/var/run/kubernetes/proxy.key",
273 ProxyClientCertFile: "/var/run/kubernetes/proxy.crt",
274 Metrics: &metrics.Options{},
275 Logs: logs.NewOptions(),
276 Traces: &apiserveroptions.TracingOptions{
277 ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
278 },
279 AggregatorRejectForwardingRedirects: true,
280 }
281
282 expected.Authentication.OIDC.UsernameClaim = "sub"
283 expected.Authentication.OIDC.SigningAlgs = []string{"RS256"}
284
285 if !s.Authorization.AreLegacyFlagsSet() {
286 t.Errorf("expected legacy authorization flags to be set")
287 }
288
289 s.Authorization.AreLegacyFlagsSet = nil
290
291 if !reflect.DeepEqual(expected, s) {
292 t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", cmp.Diff(expected, s, cmpopts.IgnoreUnexported(admission.Plugins{}, kubeoptions.OIDCAuthenticationOptions{})))
293 }
294 }
295
View as plain text