17 package options
18
19 import (
20 "errors"
21 "fmt"
22 "strings"
23
24 apiextensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver"
25 genericfeatures "k8s.io/apiserver/pkg/features"
26 utilfeature "k8s.io/apiserver/pkg/util/feature"
27 aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
28 "k8s.io/kubernetes/pkg/features"
29
30 "k8s.io/kubernetes/pkg/api/legacyscheme"
31 )
32
// validateTokenRequest checks that the service-account token flags were
// supplied and that they produced a usable issuer.
//
// It returns one error when none of the signing key file, the first issuer,
// or the API audiences is set, and a different error when at least one of
// them is set but options.ServiceAccountIssuer is still nil. It returns nil
// otherwise.
func validateTokenRequest(options *Options) []error {
	hasSigningKey := options.ServiceAccountSigningKeyFile != ""
	issuers := options.Authentication.ServiceAccounts.Issuers
	// Only the first issuer entry is inspected, and only when one exists.
	hasIssuer := len(issuers) != 0 && issuers[0] != ""
	hasAudiences := len(options.Authentication.APIAudiences) != 0

	attempted := hasSigningKey || hasIssuer || hasAudiences
	// NOTE(review): ServiceAccountIssuer is presumably populated elsewhere
	// from these flags; this function only checks that it is non-nil.
	succeeded := options.ServiceAccountIssuer != nil

	// The two failure cases are mutually exclusive, so at most one error is
	// ever reported.
	if !attempted {
		return []error{errors.New("--service-account-signing-key-file and --service-account-issuer are required flags")}
	}
	if !succeeded {
		return []error{errors.New("--service-account-signing-key-file, --service-account-issuer, and --api-audiences should be specified together")}
	}
	return nil
}
52
// validateAPIPriorityAndFairness reports a conflict between
// --enable-priority-and-fairness=true and a --runtime-config entry that
// disables the flowcontrol API.
//
// The runtime-config keys are checked in a fixed order
// (flowcontrol.apiserver.k8s.io/v1, api/ga, api/all). The first key found
// with an explicit "=false" or "=true" decides the result; later keys are
// not consulted. If no key is mentioned, or the feature is off, nil is
// returned.
func validateAPIPriorityAndFairness(options *Options) []error {
	if !options.Features.EnablePriorityAndFairness {
		return nil
	}

	// NOTE(review): this is a substring search over the rendered
	// runtime-config string, so a longer key that merely ends in one of
	// these names would also match; confirm against the String() format.
	rendered := options.APIEnablement.RuntimeConfig.String()
	for _, key := range []string{"flowcontrol.apiserver.k8s.io/v1", "api/ga", "api/all"} {
		switch {
		case strings.Contains(rendered, key+"=false"):
			return []error{fmt.Errorf("--runtime-config=%s=false conflicts with --enable-priority-and-fairness=true", key)}
		case strings.Contains(rendered, key+"=true"):
			return nil
		}
	}
	return nil
}
72
// validateUnknownVersionInteroperabilityProxyFeature checks a feature-gate
// dependency: when UnknownVersionInteroperabilityProxy is enabled,
// StorageVersionAPI must be enabled as well. It returns a single error when
// that dependency is not met and nil otherwise.
func validateUnknownVersionInteroperabilityProxyFeature() []error {
	gate := utilfeature.DefaultFeatureGate
	if !gate.Enabled(features.UnknownVersionInteroperabilityProxy) {
		return nil
	}
	if !gate.Enabled(genericfeatures.StorageVersionAPI) {
		return []error{errors.New("UnknownVersionInteroperabilityProxy feature requires StorageVersionAPI feature flag to be enabled")}
	}
	return nil
}
82
// validateUnknownVersionInteroperabilityProxyFlags rejects the peer-proxy
// flags (--peer-ca-file, --peer-advertise-ip, --peer-advertise-port) when
// the UnknownVersionInteroperabilityProxy feature gate is off, so a set flag
// is reported as an error instead of being accepted without effect.
//
// The returned slice is always non-nil; it is empty when nothing is wrong.
func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error {
	errs := []error{}
	if utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
		return errs
	}

	// Each flag is checked independently so every offending flag is named.
	if options.PeerCAFile != "" {
		errs = append(errs, errors.New("--peer-ca-file requires UnknownVersionInteroperabilityProxy feature to be turned on"))
	}
	peer := options.PeerAdvertiseAddress
	if peer.PeerAdvertiseIP != "" {
		errs = append(errs, errors.New("--peer-advertise-ip requires UnknownVersionInteroperabilityProxy feature to be turned on"))
	}
	if peer.PeerAdvertisePort != "" {
		errs = append(errs, errors.New("--peer-advertise-port requires UnknownVersionInteroperabilityProxy feature to be turned on"))
	}
	return errs
}
98
99
// Validate runs every option-group validator and the cross-option checks in
// this file, and returns all reported errors concatenated in the order the
// checks are listed. The result is nil when no check reports an error.
func (s *Options) Validate() []error {
	// Go evaluates the calls in this literal left to right, so the order of
	// the entries fixes the order of the returned errors.
	results := [][]error{
		s.Etcd.Validate(),
		validateAPIPriorityAndFairness(s),
		s.SecureServing.Validate(),
		s.Authentication.Validate(),
		s.Authorization.Validate(),
		s.Audit.Validate(),
		s.Admission.Validate(),
		s.APIEnablement.Validate(legacyscheme.Scheme, apiextensionsapiserver.Scheme, aggregatorscheme.Scheme),
		validateTokenRequest(s),
		s.Metrics.Validate(),
		validateUnknownVersionInteroperabilityProxyFeature(),
		validateUnknownVersionInteroperabilityProxyFlags(s),
	}

	var errs []error
	for _, found := range results {
		errs = append(errs, found...)
	}
	return errs
}
118