admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix cannot create success login (#2576)

Browse Source 
Signed-off-by: Jeff <zw0948@gmail.com>
This commit is contained in:
zryfish
2020-07-24 13:09:38 +08:00
committed by GitHub
parent 06932926a0
commit f1146f5d6c
23 changed files with 2183 additions and 271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
config/crds/auditing.kubesphere.io_rules.yaml generated Normal file
View File

@@ -0,0 +1,92 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: rules.auditing.kubesphere.io
spec:
group: auditing.kubesphere.io
names:
kind: Rule
listKind: RuleList
plural: rules
singular: rule
scope: Namespaced
validation:
openAPIV3Schema:
description: Rule is the Schema for the rules API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AuditRuleSpec defines the desired state of Rule
properties:
rules:
items:
properties:
alias:
description: This effective When the rule type is alias
type: string
condition:
description: Rule condition This effective When the rule type
is rule
type: string
desc:
description: Rule describe
type: string
enable:
description: Is the rule enable
type: boolean
list:
description: This effective When the rule type is list
items:
type: string
type: array
macro:
description: This effective When the rule type is macro
type: string
name:
description: Rule name
type: string
output:
description: The output formater of message which send to user
type: string
priority:
description: Rule priority, DEBUG, INFO, WARNING
type: string
type:
description: Rule type, rule, macro,list,alias
type: string
required:
- enable
type: object
type: array
type: object
status:
description: AuditRuleStatus defines the observed state of Rule
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

915
config/crds/auditing.kubesphere.io_webhooks.yaml generated Normal file
View File

@@ -0,0 +1,915 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: webhooks.auditing.kubesphere.io
spec:
group: auditing.kubesphere.io
names:
kind: Webhook
listKind: WebhookList
plural: webhooks
singular: webhook
scope: Namespaced
validation:
openAPIV3Schema:
description: Webhook is the Schema for the webhooks API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: WebhookSpec defines the desired state of Webhook
properties:
affinity:
description: If specified, the pod's scheduling constraints
properties:
nodeAffinity:
description: Describes node affinity scheduling rules for the pod.
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to nodes
that satisfy the affinity expressions specified by this field,
but it may choose a node that violates one or more of the
expressions. The node that is most preferred is the one with
the greatest sum of weights, i.e. for each node that meets
all of the scheduling requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a sum by iterating through
the elements of this field and adding "weight" to the sum
if the node matches the corresponding matchExpressions; the
node(s) with the highest sum are the most preferred.
items:
description: An empty preferred scheduling term matches all
objects with implicit weight 0 (i.e. it's a no-op). A null
preferred scheduling term matches no objects (i.e. is also
a no-op).
properties:
preference:
description: A node selector term, associated with the
corresponding weight.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: A node selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: An array of string values. If the
operator is In or NotIn, the values array
must be non-empty. If the operator is Exists
or DoesNotExist, the values array must be
empty. If the operator is Gt or Lt, the values
array must have a single element, which will
be interpreted as an integer. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: A node selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: An array of string values. If the
operator is In or NotIn, the values array
must be non-empty. If the operator is Exists
or DoesNotExist, the values array must be
empty. If the operator is Gt or Lt, the values
array must have a single element, which will
be interpreted as an integer. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
weight:
description: Weight associated with matching the corresponding
nodeSelectorTerm, in the range 1-100.
format: int32
type: integer
required:
- preference
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to an update), the system may or may not try to
eventually evict the pod from its node.
properties:
nodeSelectorTerms:
description: Required. A list of node selector terms. The
terms are ORed.
items:
description: A null or empty node selector term matches
no objects. The requirements of them are ANDed. The
TopologySelectorTerm type implements a subset of the
NodeSelectorTerm.
properties:
matchExpressions:
description: A list of node selector requirements
by node's labels.
items:
description: A node selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: An array of string values. If the
operator is In or NotIn, the values array
must be non-empty. If the operator is Exists
or DoesNotExist, the values array must be
empty. If the operator is Gt or Lt, the values
array must have a single element, which will
be interpreted as an integer. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchFields:
description: A list of node selector requirements
by node's fields.
items:
description: A node selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: The label key that the selector
applies to.
type: string
operator:
description: Represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists, DoesNotExist. Gt, and Lt.
type: string
values:
description: An array of string values. If the
operator is In or NotIn, the values array
must be non-empty. If the operator is Exists
or DoesNotExist, the values array must be
empty. If the operator is Gt or Lt, the values
array must have a single element, which will
be interpreted as an integer. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
type: object
type: array
required:
- nodeSelectorTerms
type: object
type: object
podAffinity:
description: Describes pod affinity scheduling rules (e.g. co-locate
this pod in the same node, zone, etc. as some other pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to nodes
that satisfy the affinity expressions specified by this field,
but it may choose a node that violates one or more of the
expressions. The node that is most preferred is the one with
the greatest sum of weights, i.e. for each node that meets
all of the scheduling requirements (resource request, requiredDuringScheduling
affinity expressions, etc.), compute a sum by iterating through
the elements of this field and adding "weight" to the sum
if the node has pods which matches the corresponding podAffinityTerm;
the node(s) with the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement is
a selector that contains values, a key, and
an operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If
the operator is Exists or DoesNotExist,
the values array must be empty. This array
is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey matches
that of any node on which any of the selected pods
is running. Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the affinity requirements specified by this
field are not met at scheduling time, the pod will not be
scheduled onto the node. If the affinity requirements specified
by this field cease to be met at some point during pod execution
(e.g. due to a pod label update), the system may or may not
try to eventually evict the pod from its node. When there
are multiple elements, the lists of nodes corresponding to
each podAffinityTerm are intersected, i.e. all terms must
be satisfied.
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s)) that
this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of pods
is running
properties:
labelSelector:
description: A label query over a set of resources, in
this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of any
node on which any of the selected pods is running. Empty
topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
podAntiAffinity:
description: Describes pod anti-affinity scheduling rules (e.g.
avoid putting this pod in the same node, zone, etc. as some other
pod(s)).
properties:
preferredDuringSchedulingIgnoredDuringExecution:
description: The scheduler will prefer to schedule pods to nodes
that satisfy the anti-affinity expressions specified by this
field, but it may choose a node that violates one or more
of the expressions. The node that is most preferred is the
one with the greatest sum of weights, i.e. for each node that
meets all of the scheduling requirements (resource request,
requiredDuringScheduling anti-affinity expressions, etc.),
compute a sum by iterating through the elements of this field
and adding "weight" to the sum if the node has pods which
matches the corresponding podAffinityTerm; the node(s) with
the highest sum are the most preferred.
items:
description: The weights of all of the matched WeightedPodAffinityTerm
fields are added per-node to find the most preferred node(s)
properties:
podAffinityTerm:
description: Required. A pod affinity term, associated
with the corresponding weight.
properties:
labelSelector:
description: A label query over a set of resources,
in this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: A label selector requirement is
a selector that contains values, a key, and
an operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's
relationship to a set of values. Valid
operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If
the operator is Exists or DoesNotExist,
the values array must be empty. This array
is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value".
The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies which namespaces
the labelSelector applies to (matches against);
null or empty list means "this pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods
matching the labelSelector in the specified namespaces,
where co-located is defined as running on a node
whose value of the label with key topologyKey matches
that of any node on which any of the selected pods
is running. Empty topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
weight:
description: weight associated with matching the corresponding
podAffinityTerm, in the range 1-100.
format: int32
type: integer
required:
- podAffinityTerm
- weight
type: object
type: array
requiredDuringSchedulingIgnoredDuringExecution:
description: If the anti-affinity requirements specified by
this field are not met at scheduling time, the pod will not
be scheduled onto the node. If the anti-affinity requirements
specified by this field cease to be met at some point during
pod execution (e.g. due to a pod label update), the system
may or may not try to eventually evict the pod from its node.
When there are multiple elements, the lists of nodes corresponding
to each podAffinityTerm are intersected, i.e. all terms must
be satisfied.
items:
description: Defines a set of pods (namely those matching
the labelSelector relative to the given namespace(s)) that
this pod should be co-located (affinity) or not co-located
(anti-affinity) with, where co-located is defined as running
on a node whose value of the label with key <topologyKey>
matches that of any node on which a pod of the set of pods
is running
properties:
labelSelector:
description: A label query over a set of resources, in
this case pods.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector
that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In,
NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values.
If the operator is In or NotIn, the values
array must be non-empty. If the operator is
Exists or DoesNotExist, the values array must
be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels map is equivalent
to an element of matchExpressions, whose key field
is "key", the operator is "In", and the values array
contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: namespaces specifies which namespaces the
labelSelector applies to (matches against); null or
empty list means "this pod's namespace"
items:
type: string
type: array
topologyKey:
description: This pod should be co-located (affinity)
or not co-located (anti-affinity) with the pods matching
the labelSelector in the specified namespaces, where
co-located is defined as running on a node whose value
of the label with key topologyKey matches that of any
node on which any of the selected pods is running. Empty
topologyKey is not allowed.
type: string
required:
- topologyKey
type: object
type: array
type: object
type: object
args:
description: Arguments to the entrypoint.. It will be appended to the
args and replace the default value.
items:
type: string
type: array
auditLevel:
description: 'The Level that all requests are recorded at. available
options: None, Metadata, Request, RequestResponse default: Metadata'
type: string
auditSinkPolicy:
description: AuditSinkPolicy is a rule selector, only the rule matched
this selector will be taked effect.
properties:
alertingRuleSelector:
description: A label selector is a label query over a set of resources.
The result of matchLabels and matchExpressions are ANDed. An empty
label selector matches all objects. A null label selector matches
no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
archivingRuleSelector:
description: A label selector is a label query over a set of resources.
The result of matchLabels and matchExpressions are ANDed. An empty
label selector matches all objects. A null label selector matches
no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the
key and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a
strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
type: object
auditType:
description: Audit type, static or dynamic.
type: string
image:
description: The webhook docker image name.
type: string
imagePullPolicy:
description: 'Image pull policy. One of Always, Never, IfNotPresent.
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images'
type: string
imagePullSecrets:
description: 'ImagePullSecrets is an optional list of references to
secrets in the same namespace to use for pulling any of the images
used by this PodSpec. If specified, these secrets will be passed to
individual puller implementations for them to use. For example, in
the case of docker, only DockerConfig type secrets are honored. More
info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod'
items:
description: LocalObjectReference contains enough information to let
you locate the referenced object inside the same namespace.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: array
k8sAuditingEnabled:
description: K8s auditing is enabled or not.
type: boolean
nodeSelector:
additionalProperties:
type: string
description: 'NodeSelector is a selector which must be true for the
pod to fit on a node. Selector which must match a node''s labels for
the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
type: object
priority:
description: Rule priority, DEBUG < INFO < WARNING Audit events will
be stored only when the priority of the audit rule matching the audit
event is greater than this.
type: string
receivers:
description: ' Receiver contains the information to make a connection
with the alertmanager'
items:
description: Receiver config which received the audit alert
properties:
config:
description: ClientConfig holds the connection parameters for
the webhook
properties:
caBundle:
description: '`caBundle` is a PEM encoded CA bundle which
will be used to validate the webhook''s server certificate.
If unspecified, system trust roots on the apiserver are
used.'
format: byte
type: string
service:
description: "`service` is a reference to the service for
this webhook. Either `service` or `url` must be specified.
\n If the webhook is running within the cluster, then you
should use `service`."
properties:
name:
description: '`name` is the name of the service. Required'
type: string
namespace:
description: '`namespace` is the namespace of the service.
Required'
type: string
path:
description: '`path` is an optional URL path which will
be sent in any request to this service.'
type: string
port:
description: If specified, the port on the service that
hosting webhook. Default to 443 for backward compatibility.
`port` should be a valid port number (1-65535, inclusive).
format: int32
type: integer
required:
- name
- namespace
type: object
url:
description: "`url` gives the location of the webhook, in
standard URL form (`scheme://host:port/path`). Exactly one
of `url` or `service` must be specified. \n The `host` should
not refer to a service running in the cluster; use the `service`
field instead. The host might be resolved via external DNS
in some apiservers (e.g., `kube-apiserver` cannot resolve
in-cluster DNS as that would be a layering violation). `host`
may also be an IP address. \n Please note that using `localhost`
or `127.0.0.1` as a `host` is risky unless you take great
care to run this webhook on all hosts which run an apiserver
which might need to make calls to this webhook. Such installs
are likely to be non-portable, i.e., not easy to turn up
in a new cluster. \n The scheme must be \"https\"; the URL
must begin with \"https://\". \n A path is optional, and
if present may be any string permissible in a URL. You may
use the path to pass an arbitrary string to the webhook,
for example, a cluster identifier. \n Attempting to use
a user or basic auth e.g. \"user:password@\" is not allowed.
Fragments (\"#...\") and query parameters (\"?...\") are
not allowed, either."
type: string
type: object
name:
description: Receiver name
type: string
type:
description: Receiver type, alertmanager or webhook
type: string
type: object
type: array
replicas:
description: Number of desired pods. This is a pointer to distinguish
between explicit zero and not specified. Defaults to 1.
format: int32
type: integer
resources:
description: 'Compute Resources required by this container. Cannot be
updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
properties:
limits:
additionalProperties:
type: string
description: 'Limits describes the maximum amount of compute resources
allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
requests:
additionalProperties:
type: string
description: 'Requests describes the minimum amount of compute resources
required. If Requests is omitted for a container, it defaults
to Limits if that is explicitly specified, otherwise to an implementation-defined
value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
tolerations:
description: If specified, the pod's tolerations.
items:
description: The pod this Toleration is attached to tolerates any
taint that matches the triple <key,value,effect> using the matching
operator <operator>.
properties:
effect:
description: Effect indicates the taint effect to match. Empty
means match all taint effects. When specified, allowed values
are NoSchedule, PreferNoSchedule and NoExecute.
type: string
key:
description: Key is the taint key that the toleration applies
to. Empty means match all taint keys. If the key is empty, operator
must be Exists; this combination means to match all values and
all keys.
type: string
operator:
description: Operator represents a key's relationship to the value.
Valid operators are Exists and Equal. Defaults to Equal. Exists
is equivalent to wildcard for value, so that a pod can tolerate
all taints of a particular category.
type: string
tolerationSeconds:
description: TolerationSeconds represents the period of time the
toleration (which must be of effect NoExecute, otherwise this
field is ignored) tolerates the taint. By default, it is not
set, which means tolerate the taint forever (do not evict).
Zero and negative values will be treated as 0 (evict immediately)
by the system.
format: int64
type: integer
value:
description: Value is the taint value the toleration matches to.
If the operator is Exists, the value should be empty, otherwise
just a regular string.
type: string
type: object
type: array
type: object
status:
description: WebhookStatus defines the observed state of Webhook
type: object
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

4
config/crds/devops.kubesphere.io_pipelines.yaml generated
View File

@@ -71,7 +71,7 @@ spec:
scm_id:
type: string
type: object
descriptio:
description:
type: string
discarder:
properties:
@@ -188,7 +188,7 @@ spec:
type: object
pipeline:
properties:
descriptio:
description:
type: string
disable_concurrent:
type: boolean

127
config/crds/iam.kubesphere.io_federatedrolebindings.yaml generated Normal file
View File

@@ -0,0 +1,127 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: federatedrolebindings.iam.kubesphere.io
spec:
group: iam.kubesphere.io
names:
kind: FederatedRoleBinding
listKind: FederatedRoleBindingList
plural: federatedrolebindings
singular: federatedrolebinding
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
placement:
properties:
clusterSelector:
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
clusters:
items:
properties:
name:
type: string
required:
- name
type: object
type: array
type: object
template:
properties:
metadata:
type: object
roleRef:
description: RoleRef contains information that points to the role
being used
properties:
apiGroup:
description: APIGroup is the group for the resource being referenced
type: string
kind:
description: Kind is the type of resource being referenced
type: string
name:
description: Name is the name of resource being referenced
type: string
required:
- apiGroup
- kind
- name
type: object
subjects:
items:
description: Subject contains a reference to the object or user
identities a role binding applies to. This can either hold
a direct API object reference, or a value for non-objects such
as user and group names.
properties:
apiGroup:
description: APIGroup holds the API group of the referenced
subject. Defaults to "" for ServiceAccount subjects. Defaults
to "rbac.authorization.k8s.io" for User and Group subjects.
type: string
kind:
description: Kind of object being referenced. Values defined
by this API group are "User", "Group", and "ServiceAccount".
If the Authorizer does not recognized the kind value, the
Authorizer should report an error.
type: string
name:
description: Name of the object being referenced.
type: string
namespace:
description: Namespace of the referenced object. If the object
kind is non-namespace, such as "User" or "Group", and this
value is not empty the Authorizer should report an error.
type: string
required:
- kind
- name
type: object
type: array
required:
- roleRef
type: object
required:
- placement
- template
type: object
required:
- spec
type: object
version: v1alpha2
versions:
- name: v1alpha2
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

125
config/crds/iam.kubesphere.io_federatedroles.yaml generated Normal file
View File

@@ -0,0 +1,125 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: federatedroles.iam.kubesphere.io
spec:
group: iam.kubesphere.io
names:
kind: FederatedRole
listKind: FederatedRoleList
plural: federatedroles
singular: federatedrole
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
placement:
properties:
clusterSelector:
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
clusters:
items:
properties:
name:
type: string
required:
- name
type: object
type: array
type: object
template:
properties:
metadata:
type: object
rules:
items:
description: PolicyRule holds information that describes a policy
rule, but does not contain information about who the rule applies
to or which namespace the rule applies to.
properties:
apiGroups:
description: APIGroups is the name of the APIGroup that contains
the resources. If multiple API groups are specified, any
action requested against one of the enumerated resources
in any API group will be allowed.
items:
type: string
type: array
nonResourceURLs:
description: NonResourceURLs is a set of partial urls that
a user should have access to. *s are allowed, but only
as the full, final step in the path Since non-resource URLs
are not namespaced, this field is only applicable for ClusterRoles
referenced from a ClusterRoleBinding. Rules can either apply
to API resources (such as "pods" or "secrets") or non-resource
URL paths (such as "/api"), but not both.
items:
type: string
type: array
resourceNames:
description: ResourceNames is an optional white list of names
that the rule applies to. An empty set means that everything
is allowed.
items:
type: string
type: array
resources:
description: Resources is a list of resources this rule applies
to. ResourceAll represents all resources.
items:
type: string
type: array
verbs:
description: Verbs is a list of Verbs that apply to ALL the
ResourceKinds and AttributeRestrictions contained in this
rule. VerbAll represents all kinds.
items:
type: string
type: array
required:
- verbs
type: object
type: array
type: object
required:
- placement
- template
type: object
required:
- spec
type: object
version: v1alpha2
versions:
- name: v1alpha2
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

116
config/crds/iam.kubesphere.io_federatedusers.yaml generated Normal file
View File

@@ -0,0 +1,116 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: federatedusers.iam.kubesphere.io
spec:
group: iam.kubesphere.io
names:
kind: FederatedUser
listKind: FederatedUserList
plural: federatedusers
singular: federateduser
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
placement:
properties:
clusterSelector:
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
clusters:
items:
properties:
name:
type: string
required:
- name
type: object
type: array
type: object
template:
properties:
metadata:
type: object
spec:
description: UserSpec defines the desired state of User
properties:
description:
description: Description of the user.
type: string
displayName:
type: string
email:
description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt).
type: string
groups:
items:
type: string
type: array
lang:
description: The preferred written or spoken language for the
user.
type: string
password:
description: password will be encrypted by mutating admission
webhook
type: string
required:
- email
type: object
status:
description: UserStatus defines the observed state of User
properties:
lastTransitionTime:
format: date-time
type: string
reason:
type: string
state:
description: The user status
type: string
type: object
required:
- spec
type: object
required:
- placement
- template
type: object
required:
- spec
type: object
version: v1alpha2
versions:
- name: v1alpha2
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

25
config/crds/iam.kubesphere.io_loginrecords.yaml generated
View File

@@ -12,7 +12,16 @@ spec:
- JSONPath: .spec.type
name: Type
type: string
- JSONPath: .status.reason
- JSONPath: .spec.provider
name: Provider
type: string
- JSONPath: .spec.sourceIP
name: From
type: string
- JSONPath: .spec.success
name: Success
type: string
- JSONPath: .spec.reason
name: Reason
type: string
- JSONPath: .metadata.creationTimestamp
@@ -45,15 +54,29 @@ spec:
type: object
spec:
properties:
provider:
description: Provider of authentication, Ldap/Github etc.
type: string
reason:
description: States failed login attempt reason
type: string
sourceIP:
description: Source IP of client
type: string
success:
description: Successful login attempt or not
type: boolean
type:
description: Which authentication method used, BasicAuth/OAuth
type: string
userAgent:
description: User agent of login attempt
type: string
required:
- provider
- reason
- sourceIP
- success
- type
type: object
required:

1
config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml generated
View File

@@ -101,7 +101,6 @@ spec:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24"
type: string
pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$
except:
description: Except is a slice of CIDRs that should
not be included within an IP Block Valid examples

145
config/crds/storage.kubesphere.io_provisionercapabilities.yaml generated
View File

@@ -1,99 +1,110 @@
# according to https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/,
# and https://kubernetes.io/docs/concepts/storage/storage-classes/#allow-volume-expansion
# volume expansion support for the following in-tree volume plugins:
# AWS-EBS, GCE-PD, Azure Disk, Azure File, Glusterfs, Cinder, Portworx, and Ceph RBD.
# online file system expansion support for the following in-tree plugin
# GCE-PD, AWS-EBS, Cinder, and Ceph RBD
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: provisionercapabilities.storage.kubesphere.io
spec:
group: storage.kubesphere.io
version: v1alpha1
preserveUnknownFields: false
names:
kind: ProvisionerCapability
listKind: ProvisionerCapabilityList
plural: provisionercapabilities
singular: provisionercapability
kind: ProvisionerCapability
shortNames:
- pcap
scope: Cluster
additionalPrinterColumns:
- name: Provisioner
type: string
description: The provisioner name should be the same as name
JSONPath: .spec.pluginInfo.name
- name: Expand
type: string
JSONPath: .spec.features.volume.expandMode
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
scope: Namespaced
validation:
openAPIV3Schema:
required:
- spec
type: object
description: ProvisionerCapability is the schema for the provisionercapability
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object.'
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents.'
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
metadata:
type: object
description: 'spec defines the desired characteristics of obejct'
spec:
description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability
properties:
pluginInfo:
type: object
description: 'Plugininfo represents plugin metadata'
properties:
name:
description: 'provisioner name'
type: string
version:
description: 'plugin version'
type: string
features:
type: object
description: 'Features represents plugin capability'
description: CapabilityFeatures describe storage features
properties:
snapshot:
description: SnapshotFeature describe snapshot features
properties:
create:
type: boolean
list:
type: boolean
required:
- create
- list
type: object
topology:
description: 'topology determines whether a provisioner support topology by looking up GetPluginCapabilities.PluginCapability'
type: boolean
volume:
type: object
description: 'Volume represents whether plugin supports volume features'
description: VolumeFeature describe volume features
properties:
create:
description: 'Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
attach:
description: 'Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
list:
description: 'Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
clone:
description: 'Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
stats:
description: 'Determined by NodeGetCapabilities in NodeServer'
type: boolean
expandMode:
description: 'Determined by GetPluginCapabilities in IdentityServer'
type: string
items:
type: string
enum: ["UNKNOWN", "OFFLINE", "ONLINE"]
snapshot:
type: object
description: 'Snapshot represents whether plugin supports snapshot features'
properties:
create:
type: boolean
expandMode:
type: string
list:
type: boolean
type: boolean
stats:
type: boolean
required:
- attach
- clone
- create
- expandMode
- list
- stats
type: object
required:
- snapshot
- topology
- volume
type: object
pluginInfo:
description: PluginInfo describes plugin info
properties:
name:
type: string
version:
type: string
required:
- name
- version
type: object
required:
- features
- pluginInfo
type: object
required:
- spec
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

121
config/crds/storage.kubesphere.io_storageclasscapabilities.yaml generated
View File

@@ -1,86 +1,101 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: storageclasscapabilities.storage.kubesphere.io
spec:
group: storage.kubesphere.io
version: v1alpha1
names:
kind: StorageClassCapability
listKind: StorageClassCapabilityList
plural: storageclasscapabilities
singular: storageclasscapability
kind: StorageClassCapability
shortNames:
- sccap
preserveUnknownFields: false
additionalPrinterColumns:
- name: Provisioner
type: string
JSONPath: .spec.provisioner
- name: Volume
type: boolean
JSONPath: .spec.features.volume.create
- name: Expand
type: string
JSONPath: .spec.features.volume.expandMode
- name: Clone
type: boolean
JSONPath: .spec.features.volume.clone
- name: Snapshot
type: boolean
JSONPath: .spec.features.snapshot.create
- name: Age
type: date
JSONPath: .metadata.creationTimestamp
scope: Cluster
scope: Namespaced
validation:
openAPIV3Schema:
type: object
description: StorageClassCapability is the Schema for the storage class capability
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
type: object
description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability
properties:
provisioner:
type: string
features:
type: object
description: CapabilityFeatures describe storage features
properties:
snapshot:
description: SnapshotFeature describe snapshot features
properties:
create:
type: boolean
list:
type: boolean
required:
- create
- list
type: object
topology:
description: topology determines whether a provisioner support topology by looking up GetPluginCapabilities.PluginCapability
type: boolean
volume:
type: object
description: VolumeFeature describe volume features
properties:
create:
description: 'Create/Delete volume. Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
attach:
description: 'CSI Plugin implement ControllerPublishVolume/ControllerUnpublishVolume. Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
list:
description: 'CSI Plugin implement ListVolume. Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
clone:
description: 'Determined by ControllerGetCapabilities in ControllerServer'
type: boolean
stats:
description: 'Determined by NodeGetCapabilities in NodeServer'
type: boolean
expandMode:
description: 'Determined by GetPluginCapabilities in IdentityServer and StorageClass AllowVolumeExpansion'
type: string
items:
type: string
enum: ["UNKNOWN", "OFFLINE", "ONLINE"]
snapshot:
type: object
properties:
create:
type: boolean
expandMode:
type: string
list:
type: boolean
type: boolean
stats:
type: boolean
required:
- attach
- clone
- create
- expandMode
- list
- stats
type: object
required:
- snapshot
- topology
- volume
type: object
provisioner:
type: string
required:
- features
- provisioner
type: object
required:
- spec
type: object
version: v1alpha1
versions:
- name: v1alpha1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

110
config/crds/tenant.kubesphere.io_federatedworkspaces.yaml generated Normal file
View File

@@ -0,0 +1,110 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: federatedworkspaces.tenant.kubesphere.io
spec:
group: tenant.kubesphere.io
names:
kind: FederatedWorkspace
listKind: FederatedWorkspaceList
plural: federatedworkspaces
singular: federatedworkspace
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
overrides:
items:
properties:
clusterName:
type: string
clusterOverrides:
items:
properties:
op:
type: string
path:
type: string
value:
type: object
required:
- path
- value
type: object
type: array
required:
- clusterName
- clusterOverrides
type: object
type: array
placement:
properties:
clusterSelector:
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
clusters:
items:
properties:
name:
type: string
required:
- name
type: object
type: array
type: object
template:
properties:
metadata:
type: object
spec:
description: WorkspaceSpec defines the desired state of Workspace
properties:
manager:
type: string
networkIsolation:
type: boolean
type: object
required:
- spec
type: object
required:
- placement
- template
type: object
required:
- spec
type: object
version: v1alpha2
versions:
- name: v1alpha2
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

13
config/crds/tenant.kubesphere.io_workspacetemplates.yaml generated
View File

@@ -45,15 +45,10 @@ spec:
properties:
op:
type: string
path:
type: string
value:
anyOf:
- type: string
- type: integer
- type: boolean
- type: object
- type: array
path:
type: string
value:
type: object
required:
- path
- value

125
config/crds/types.kubefed.io_federatednamespaces.yaml generated Normal file
View File

@@ -0,0 +1,125 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: federatednamespaces.types.kubefed.io
spec:
group: types.kubefed.io
names:
kind: FederatedNamespace
listKind: FederatedNamespaceList
plural: federatednamespaces
singular: federatednamespace
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
overrides:
items:
properties:
clusterName:
type: string
clusterOverrides:
items:
properties:
op:
type: string
path:
type: string
value:
type: object
required:
- path
- value
type: object
type: array
required:
- clusterName
- clusterOverrides
type: object
type: array
placement:
properties:
clusterSelector:
properties:
matchLabels:
additionalProperties:
type: string
type: object
type: object
clusters:
items:
properties:
name:
type: string
required:
- name
type: object
type: array
type: object
template:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource
this object represents. Servers may infer this from the endpoint
the client submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: NamespaceSpec describes the attributes on a Namespace.
properties:
finalizers:
description: 'Finalizers is an opaque list of values that must
be empty to permanently remove object from storage. More info:
https://kubernetes.io/docs/tasks/administer-cluster/namespaces/'
items:
description: FinalizerName is the name identifying a finalizer
during namespace lifecycle.
type: string
type: array
type: object
type: object
required:
- placement
- template
type: object
required:
- spec
type: object
version: v1beta1
versions:
- name: v1beta1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

56
config/crds/types.kubefed.io_namespacetemplates.yaml generated Normal file
View File

@@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: namespacetemplates.types.kubefed.io
spec:
group: types.kubefed.io
names:
kind: NamespaceTemplate
listKind: NamespaceTemplateList
plural: namespacetemplates
singular: namespacetemplate
scope: Namespaced
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: NamespaceSpec describes the attributes on a Namespace.
properties:
finalizers:
description: 'Finalizers is an opaque list of values that must be empty
to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/'
items:
description: FinalizerName is the name identifying a finalizer during
namespace lifecycle.
type: string
type: array
type: object
type: object
version: v1beta1
versions:
- name: v1beta1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

154
pkg/apis/auditing/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,6 +1,7 @@
// +build !ignore_autogenerated
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -20,15 +21,104 @@ limitations under the License.
package v1alpha1
import (
"k8s.io/apimachinery/pkg/runtime"
auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AuditSinkPolicy) DeepCopyInto(out *AuditSinkPolicy) {
*out = *in
if in.ArchivingRuleSelector != nil {
in, out := &in.ArchivingRuleSelector, &out.ArchivingRuleSelector
*out = new(v1.LabelSelector)
(*in).DeepCopyInto(*out)
}
if in.AlertingRuleSelector != nil {
in, out := &in.AlertingRuleSelector, &out.AlertingRuleSelector
*out = new(v1.LabelSelector)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkPolicy.
func (in *AuditSinkPolicy) DeepCopy() *AuditSinkPolicy {
if in == nil {
return nil
}
out := new(AuditSinkPolicy)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *DynamicAuditConfig) DeepCopyInto(out *DynamicAuditConfig) {
*out = *in
if in.Throttle != nil {
in, out := &in.Throttle, &out.Throttle
*out = new(auditregistrationv1alpha1.WebhookThrottleConfig)
(*in).DeepCopyInto(*out)
}
if in.Policy != nil {
in, out := &in.Policy, &out.Policy
*out = new(auditregistrationv1alpha1.Policy)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAuditConfig.
func (in *DynamicAuditConfig) DeepCopy() *DynamicAuditConfig {
if in == nil {
return nil
}
out := new(DynamicAuditConfig)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyRule) DeepCopyInto(out *PolicyRule) {
*out = *in
if in.List != nil {
in, out := &in.List, &out.List
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule.
func (in *PolicyRule) DeepCopy() *PolicyRule {
if in == nil {
return nil
}
out := new(PolicyRule)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Receiver) DeepCopyInto(out *Receiver) {
*out = *in
in.ReceiverConfig.DeepCopyInto(&out.ReceiverConfig)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Receiver.
func (in *Receiver) DeepCopy() *Receiver {
if in == nil {
return nil
}
out := new(Receiver)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Rule) DeepCopyInto(out *Rule) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
}
@@ -85,6 +175,13 @@ func (in *RuleList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RuleSpec) DeepCopyInto(out *RuleSpec) {
*out = *in
if in.PolicyRules != nil {
in, out := &in.PolicyRules, &out.PolicyRules
*out = make([]PolicyRule, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleSpec.
@@ -117,7 +214,7 @@ func (in *Webhook) DeepCopyInto(out *Webhook) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
}
@@ -174,6 +271,57 @@ func (in *WebhookList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *WebhookSpec) DeepCopyInto(out *WebhookSpec) {
*out = *in
if in.Replicas != nil {
in, out := &in.Replicas, &out.Replicas
*out = new(int32)
**out = **in
}
if in.ImagePullSecrets != nil {
in, out := &in.ImagePullSecrets, &out.ImagePullSecrets
*out = make([]corev1.LocalObjectReference, len(*in))
copy(*out, *in)
}
if in.Args != nil {
in, out := &in.Args, &out.Args
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.NodeSelector != nil {
in, out := &in.NodeSelector, &out.NodeSelector
*out = make(map[string]string, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.Affinity != nil {
in, out := &in.Affinity, &out.Affinity
*out = new(corev1.Affinity)
(*in).DeepCopyInto(*out)
}
if in.Tolerations != nil {
in, out := &in.Tolerations, &out.Tolerations
*out = make([]corev1.Toleration, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.Resources != nil {
in, out := &in.Resources, &out.Resources
*out = new(corev1.ResourceRequirements)
(*in).DeepCopyInto(*out)
}
if in.Receivers != nil {
in, out := &in.Receivers, &out.Receivers
*out = make([]Receiver, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
if in.AuditSinkPolicy != nil {
in, out := &in.AuditSinkPolicy, &out.AuditSinkPolicy
*out = new(AuditSinkPolicy)
(*in).DeepCopyInto(*out)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSpec.

31
pkg/apis/iam/v1alpha2/types.go
View File

@@ -125,9 +125,6 @@ const (
// UserDisabled means the user is disabled.
UserAuthLimitExceeded UserState = "AuthLimitExceeded"
LoginFailure LoginRecordType = "LoginFailure"
LoginSuccess LoginRecordType = "LoginSuccess"
AuthenticatedSuccessfully = "authenticated successfully"
)
@@ -290,7 +287,10 @@ type RoleBaseList struct {
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason"
// +kubebuilder:printcolumn:name="Provider",type="string",JSONPath=".spec.provider"
// +kubebuilder:printcolumn:name="From",type="string",JSONPath=".spec.sourceIP"
// +kubebuilder:printcolumn:name="Success",type="string",JSONPath=".spec.success"
// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".spec.reason"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:categories="iam",scope="Cluster"
type LoginRecord struct {
@@ -300,12 +300,27 @@ type LoginRecord struct {
}
type LoginRecordSpec struct {
SourceIP string `json:"sourceIP"`
Type LoginRecordType `json:"type"`
Reason string `json:"reason"`
// Which authentication method used, BasicAuth/OAuth
Type LoginType `json:"type"`
// Provider of authentication, Ldap/Github etc.
Provider string `json:"provider"`
// Source IP of client
SourceIP string `json:"sourceIP"`
// User agent of login attempt
UserAgent string `json:"userAgent,omitempty"`
// Successful login attempt or not
Success bool `json:"success"`
// States failed login attempt reason
Reason string `json:"reason"`
}
type LoginRecordType string
type LoginType string
const (
BasicAuth LoginType = "Basic"
OAuth LoginType = "OAuth"
Token LoginType = "Token"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

224
pkg/apis/storage/v1alpha1/zz_generated.deepcopy.go generated
View File

@@ -1,7 +1,7 @@
// +build !ignore_autogenerated
/*
Copyright The Kubernetes Authors.
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -16,37 +16,22 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by deepcopy-gen. DO NOT EDIT.
// Code generated by controller-gen. DO NOT EDIT.
package v1alpha1
import "k8s.io/apimachinery/pkg/runtime"
import (
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
func (in *PluginInfo) DeepCopyInto(out *PluginInfo) {
*out = *in
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilitySpecPluginInfo.
func (in *PluginInfo) DeepCopy() *PluginInfo {
if in == nil {
return nil
}
out := new(PluginInfo)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CapabilityFeatures) DeepCopyInto(out *CapabilityFeatures) {
*out = *in
out.Volume = in.Volume
out.Snapshot = in.Snapshot
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new CapabilityFeatures.
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapabilityFeatures.
func (in *CapabilityFeatures) DeepCopy() *CapabilityFeatures {
if in == nil {
return nil
@@ -56,93 +41,30 @@ func (in *CapabilityFeatures) DeepCopy() *CapabilityFeatures {
return out
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapability) DeepCopyInto(out *StorageClassCapability) {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PluginInfo) DeepCopyInto(out *PluginInfo) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapability.
func (in *StorageClassCapability) DeepCopy() *StorageClassCapability {
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PluginInfo.
func (in *PluginInfo) DeepCopy() *PluginInfo {
if in == nil {
return nil
}
out := new(StorageClassCapability)
out := new(PluginInfo)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object.
func (in *StorageClassCapability) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapabilityList) DeepCopyInto(out *StorageClassCapabilityList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]StorageClassCapability, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapabilityList.
func (in *StorageClassCapabilityList) DeepCopy() *StorageClassCapabilityList {
if in == nil {
return nil
}
out := new(StorageClassCapabilityList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object.
func (in *StorageClassCapabilityList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapabilitySpec) DeepCopyInto(out *StorageClassCapabilitySpec) {
*out = *in
out.Features = in.Features
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapabilitySpec.
func (in *StorageClassCapabilitySpec) DeepCopy() *StorageClassCapabilitySpec {
if in == nil {
return nil
}
out := new(StorageClassCapabilitySpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProvisionerCapability) DeepCopyInto(out *ProvisionerCapability) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapability.
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapability.
func (in *ProvisionerCapability) DeepCopy() *ProvisionerCapability {
if in == nil {
return nil
@@ -152,7 +74,7 @@ func (in *ProvisionerCapability) DeepCopy() *ProvisionerCapability {
return out
}
// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object.
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ProvisionerCapability) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
@@ -160,7 +82,7 @@ func (in *ProvisionerCapability) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProvisionerCapabilityList) DeepCopyInto(out *ProvisionerCapabilityList) {
*out = *in
out.TypeMeta = in.TypeMeta
@@ -172,10 +94,9 @@ func (in *ProvisionerCapabilityList) DeepCopyInto(out *ProvisionerCapabilityList
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilityList.
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapabilityList.
func (in *ProvisionerCapabilityList) DeepCopy() *ProvisionerCapabilityList {
if in == nil {
return nil
@@ -185,7 +106,7 @@ func (in *ProvisionerCapabilityList) DeepCopy() *ProvisionerCapabilityList {
return out
}
// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object.
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *ProvisionerCapabilityList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
@@ -193,15 +114,14 @@ func (in *ProvisionerCapabilityList) DeepCopyObject() runtime.Object {
return nil
}
// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil.
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProvisionerCapabilitySpec) DeepCopyInto(out *ProvisionerCapabilitySpec) {
*out = *in
out.PluginInfo = in.PluginInfo
out.Features = in.Features
return
}
// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilitySpec.
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapabilitySpec.
func (in *ProvisionerCapabilitySpec) DeepCopy() *ProvisionerCapabilitySpec {
if in == nil {
return nil
@@ -210,3 +130,107 @@ func (in *ProvisionerCapabilitySpec) DeepCopy() *ProvisionerCapabilitySpec {
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SnapshotFeature) DeepCopyInto(out *SnapshotFeature) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotFeature.
func (in *SnapshotFeature) DeepCopy() *SnapshotFeature {
if in == nil {
return nil
}
out := new(SnapshotFeature)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapability) DeepCopyInto(out *StorageClassCapability) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
out.Spec = in.Spec
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapability.
func (in *StorageClassCapability) DeepCopy() *StorageClassCapability {
if in == nil {
return nil
}
out := new(StorageClassCapability)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *StorageClassCapability) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapabilityList) DeepCopyInto(out *StorageClassCapabilityList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]StorageClassCapability, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapabilityList.
func (in *StorageClassCapabilityList) DeepCopy() *StorageClassCapabilityList {
if in == nil {
return nil
}
out := new(StorageClassCapabilityList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *StorageClassCapabilityList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *StorageClassCapabilitySpec) DeepCopyInto(out *StorageClassCapabilitySpec) {
*out = *in
out.Features = in.Features
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapabilitySpec.
func (in *StorageClassCapabilitySpec) DeepCopy() *StorageClassCapabilitySpec {
if in == nil {
return nil
}
out := new(StorageClassCapabilitySpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *VolumeFeature) DeepCopyInto(out *VolumeFeature) {
*out = *in
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeFeature.
func (in *VolumeFeature) DeepCopy() *VolumeFeature {
if in == nil {
return nil
}
out := new(VolumeFeature)
in.DeepCopyInto(out)
return out
}

5
pkg/apiserver/authentication/request/basictoken/basic_token.go
View File

@@ -43,11 +43,6 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R
}
resp, ok, err := a.auth.AuthenticatePassword(req.Context(), username, password)
// if we authenticated successfully, go ahead and remove the bearer token so that no one
// is ever tempted to use it inside of the API server
if ok {
req.Header.Del("Authorization")
}
// If the token authenticator didn't error, provide a default error
if !ok && err == nil {

28
pkg/apiserver/filters/authentication.go
View File

@@ -26,12 +26,16 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
"k8s.io/klog"
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
"kubesphere.io/kubesphere/pkg/apiserver/request"
"kubesphere.io/kubesphere/pkg/models/iam/im"
"net/http"
"strings"
)
// WithAuthentication installs authentication handler to handler chain.
// The following part is a little bit ugly, WithAuthentication also logs user failed login attempt
// if using basic auth. But only treats request with requestURI `/oauth/authorize` as login attempt
func WithAuthentication(handler http.Handler, auth authenticator.Request, loginRecorder im.LoginRecorder) http.Handler {
if auth == nil {
klog.Warningf("Authentication is disabled")
@@ -41,15 +45,24 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
resp, ok, err := auth.AuthenticateRequest(req)
username, _, usingBasicAuth := req.BasicAuth()
defer func() {
// if we authenticated successfully, go ahead and remove the bearer token so that no one
// is ever tempted to use it inside of the API server
if usingBasicAuth && ok {
req.Header.Del("Authorization")
}
}()
if err != nil || !ok {
if err != nil {
klog.Errorf("Unable to authenticate the request due to error: %v", err)
if err.Error() == im.AuthFailedIncorrectPassword.Error() { // log failed login attempts
username, _, _ := req.BasicAuth()
if usingBasicAuth { // log failed login attempts
go func(user string) {
if loginRecorder != nil && len(user) != 0 {
err = loginRecorder.RecordLogin(user, err, req)
klog.Errorf("Failed to record unsuccessful login attempt for user %s", user)
err = loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req)
klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", user, err)
}
}(username)
}
@@ -67,6 +80,13 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR
return
}
go func() {
if loginRecorder != nil && usingBasicAuth && strings.HasPrefix(req.URL.Path, "/oauth/authorize") {
err = loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, "", nil, req)
klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err)
}
}()
req = req.WithContext(request.WithUser(req.Context(), resp.User))
handler.ServeHTTP(w, req)
})

6
pkg/controller/user/user_controller.go
View File

@@ -528,8 +528,7 @@ func (c *Controller) deleteRoleBindings(user *iamv1alpha2.User) error {
return err
} else {
for _, namespace := range result.Items {
if err := c.k8sClient.RbacV1().RoleBindings(namespace.Name).
DeleteCollection(deleteOptions, listOptions); err != nil {
if err = c.k8sClient.RbacV1().RoleBindings(namespace.Name).DeleteCollection(deleteOptions, listOptions); err != nil {
klog.Error(err)
return err
}
@@ -590,8 +589,7 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User,
now := time.Now()
failedLoginAttempts := 0
for _, loginRecord := range records {
if loginRecord.Spec.Type == iamv1alpha2.LoginFailure &&
loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) {
if !loginRecord.Spec.Success && loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) {
failedLoginAttempts++
}
}

14
pkg/kapis/oauth/handler.go
View File

@@ -133,7 +133,7 @@ func (h *handler) Authorize(req *restful.Request, resp *restful.Response) {
http.Redirect(resp, req.Request, redirectURL, http.StatusFound)
}
func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) {
func (h *handler) oAuthCallBack(req *restful.Request, resp *restful.Response) {
code := req.QueryParameter("code")
name := req.PathParameter("callback")
@@ -161,7 +161,7 @@ func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) {
identity, err := oauthIdentityProvider.IdentityExchange(code)
if err != nil {
err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
resp.WriteError(http.StatusUnauthorized, err)
return
}
@@ -217,7 +217,7 @@ func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) {
return
}
if err = h.loginRecorder.RecordLogin(authenticated.Name, nil, req.Request); err != nil {
if err = h.loginRecorder.RecordLogin(authenticated.Name, iamv1alpha2.OAuth, providerOptions.Name, nil, req.Request); err != nil {
klog.Error(err)
err := apierrors.NewInternalError(err)
resp.WriteError(http.StatusInternalServerError, err)
@@ -273,9 +273,9 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
authenticated, err := h.authenticator.Authenticate(username, password)
if err != nil {
if err == im.AuthFailedIncorrectPassword {
if err := h.loginRecorder.RecordLogin(username, err, req.Request); err != nil {
if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil {
klog.Error(err)
err := apierrors.NewInternalError(err)
err = apierrors.NewInternalError(err)
response.WriteError(http.StatusInternalServerError, err)
return
}
@@ -284,7 +284,7 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
err == im.AuthFailedIdentityMappingNotMatch ||
err == im.AuthRateLimitExceeded {
klog.V(4).Info(err)
err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err))
response.WriteError(http.StatusUnauthorized, err)
return
}
@@ -302,7 +302,7 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
return
}
if err = h.loginRecorder.RecordLogin(authenticated.GetName(), nil, req.Request); err != nil {
if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, "", nil, req.Request); err != nil {
klog.Error(err)
err := apierrors.NewInternalError(err)
response.WriteError(http.StatusInternalServerError, err)

2
pkg/kapis/oauth/register.go
View File

@@ -91,7 +91,7 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, tok
"otherwise, REQUIRED. The scope of the access token as described by [RFC6479] Section 3.3.").Required(false)).
Param(ws.QueryParameter("state", "if the \"state\" parameter was present in the client authorization request."+
"The exact value received from the client.").Required(true)).
To(handler.OAuthCallBack).
To(handler.oAuthCallBack).
Returns(http.StatusOK, api.StatusOK, oauth.Token{}))
c.Add(ws)

15
pkg/models/iam/im/login_recoder.go
View File

@@ -29,7 +29,7 @@ import (
)
type LoginRecorder interface {
RecordLogin(username string, authErr error, req *http.Request) error
RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error
}
type loginRecorder struct {
@@ -42,7 +42,7 @@ func NewLoginRecorder(ksClient kubesphere.Interface) LoginRecorder {
}
}
func (l *loginRecorder) RecordLogin(username string, authErr error, req *http.Request) error {
func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error {
loginEntry := &iamv1alpha2.LoginRecord{
ObjectMeta: metav1.ObjectMeta{
GenerateName: fmt.Sprintf("%s-", username),
@@ -51,14 +51,17 @@ func (l *loginRecorder) RecordLogin(username string, authErr error, req *http.Re
},
},
Spec: iamv1alpha2.LoginRecordSpec{
SourceIP: net.GetRequestIP(req),
Type: iamv1alpha2.LoginSuccess,
Reason: iamv1alpha2.AuthenticatedSuccessfully,
Type: loginType,
Provider: provider,
Success: true,
Reason: iamv1alpha2.AuthenticatedSuccessfully,
SourceIP: net.GetRequestIP(req),
UserAgent: req.UserAgent(),
},
}
if authErr != nil {
loginEntry.Spec.Type = iamv1alpha2.LoginFailure
loginEntry.Spec.Success = false
loginEntry.Spec.Reason = authErr.Error()
}