scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-10-31 18:28:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #120985 from palnabarun/3221/fix-authorizer-name

Browse Source 
[StructuredAuthorizationConfiguration] Fix the level at which authorizer name is surfaced
This commit is contained in:
Kubernetes Prow Robot
2023-10-04 15:45:29 +02:00
committed by GitHub
parent f936f69cf9 3de0d9afbb
commit 6f5fa2eb2f
6 changed files with 143 additions and 193 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/kubeapiserver/options/authorization.go
View File

@@ -167,8 +167,8 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
case authzmodes.ModeWebhook:
authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{
Type: authzconfig.TypeWebhook,
Webhook: &authzconfig.WebhookConfiguration{
Name: defaultWebhookName,
Webhook: &authzconfig.WebhookConfiguration{
AuthorizedTTL: metav1.Duration{Duration: o.WebhookCacheAuthorizedTTL},
UnauthorizedTTL: metav1.Duration{Duration: o.WebhookCacheUnauthorizedTTL},
// Timeout and FailurePolicy are required for the new configuration.
@@ -183,9 +183,18 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
},
})
default:
authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{Type: authzconfig.AuthorizerType(mode)})
authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{
Type: authzconfig.AuthorizerType(mode),
Name: getNameForAuthorizerMode(mode),
})
}
}
return &authzconfig.AuthorizationConfiguration{Authorizers: authorizers}, nil
}
// getNameForAuthorizerMode returns the name to be set for the mode in AuthorizationConfiguration
// For now, lower cases the mode name
func getNameForAuthorizerMode(mode string) string {
return strings.ToLower(mode)
}

13
staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go
View File

@@ -228,18 +228,19 @@ type AuthorizerConfiguration struct {
// types like Node, RBAC, ABAC, etc.
Type AuthorizerType
// Name used to describe the webhook
// This is explicitly used in monitoring machinery for metrics
// Note: Names must be DNS1123 labels like `myauthorizername` or
// subdomains like `myauthorizer.example.domain`
// Required, with no default
Name string
// Webhook defines the configuration for a Webhook authorizer
// Must be defined when Type=Webhook
Webhook *WebhookConfiguration
}
type WebhookConfiguration struct {
// Name used to describe the webhook
// This is explicitly used in monitoring machinery for metrics
// Note: Names must be DNS1123 labels like `mywebhookname` or
// subdomains like `webhookname.example.domain`
// Required, with no default
Name string
// The duration to cache 'authorized' responses from the webhook
// authorizer.
// Same as setting `--authorization-webhook-cache-authorized-ttl` flag

13
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/types.go
View File

@@ -298,6 +298,13 @@ type AuthorizerConfiguration struct {
// types like Node, RBAC, ABAC, etc.
Type string `json:"type"`
// Name used to describe the webhook
// This is explicitly used in monitoring machinery for metrics
// Note: Names must be DNS1123 labels like `myauthorizername` or
// subdomains like `myauthorizer.example.domain`
// Required, with no default
Name string `json:"name"`
// Webhook defines the configuration for a Webhook authorizer
// Must be defined when Type=Webhook
// Must not be defined when Type!=Webhook
@@ -305,12 +312,6 @@ type AuthorizerConfiguration struct {
}
type WebhookConfiguration struct {
// Name used to describe the webhook
// This is explicitly used in monitoring machinery for metrics
// Note: Names must be DNS1123 labels like `mywebhookname` or
// subdomains like `webhookname.example.domain`
// Required, with no default
Name string `json:"name"`
// The duration to cache 'authorized' responses from the webhook
// authorizer.
// Same as setting `--authorization-webhook-cache-authorized-ttl` flag

4
staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1alpha1/zz_generated.conversion.go generated
View File

@@ -335,6 +335,7 @@ func Convert_apiserver_AuthorizationConfiguration_To_v1alpha1_AuthorizationConfi
func autoConvert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfiguration(in *AuthorizerConfiguration, out *apiserver.AuthorizerConfiguration, s conversion.Scope) error {
out.Type = apiserver.AuthorizerType(in.Type)
out.Name = in.Name
out.Webhook = (*apiserver.WebhookConfiguration)(unsafe.Pointer(in.Webhook))
return nil
}
@@ -346,6 +347,7 @@ func Convert_v1alpha1_AuthorizerConfiguration_To_apiserver_AuthorizerConfigurati
func autoConvert_apiserver_AuthorizerConfiguration_To_v1alpha1_AuthorizerConfiguration(in *apiserver.AuthorizerConfiguration, out *AuthorizerConfiguration, s conversion.Scope) error {
out.Type = string(in.Type)
out.Name = in.Name
out.Webhook = (*WebhookConfiguration)(unsafe.Pointer(in.Webhook))
return nil
}
@@ -677,7 +679,6 @@ func Convert_apiserver_UDSTransport_To_v1alpha1_UDSTransport(in *apiserver.UDSTr
}
func autoConvert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in *WebhookConfiguration, out *apiserver.WebhookConfiguration, s conversion.Scope) error {
out.Name = in.Name
out.AuthorizedTTL = in.AuthorizedTTL
out.UnauthorizedTTL = in.UnauthorizedTTL
out.Timeout = in.Timeout
@@ -697,7 +698,6 @@ func Convert_v1alpha1_WebhookConfiguration_To_apiserver_WebhookConfiguration(in
}
func autoConvert_apiserver_WebhookConfiguration_To_v1alpha1_WebhookConfiguration(in *apiserver.WebhookConfiguration, out *WebhookConfiguration, s conversion.Scope) error {
out.Name = in.Name
out.AuthorizedTTL = in.AuthorizedTTL
out.UnauthorizedTTL = in.UnauthorizedTTL
out.Timeout = in.Timeout

25
staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go
View File

@@ -18,6 +18,7 @@ package validation
import (
"fmt"
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
"net/url"
"os"
"path/filepath"
@@ -28,7 +29,6 @@ import (
"k8s.io/api/authorization/v1beta1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/util/sets"
utilvalidation "k8s.io/apimachinery/pkg/util/validation"
"k8s.io/apimachinery/pkg/util/validation/field"
api "k8s.io/apiserver/pkg/apis/apiserver"
"k8s.io/client-go/util/cert"
@@ -220,7 +220,7 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
}
seenAuthorizerTypes := sets.NewString()
seenWebhookNames := sets.NewString()
seenAuthorizerNames := sets.NewString()
for i, a := range c.Authorizers {
fldPath := fldPath.Child("authorizers").Index(i)
aType := string(a.Type)
@@ -238,13 +238,22 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
}
seenAuthorizerTypes.Insert(aType)
if len(a.Name) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
} else if seenAuthorizerNames.Has(a.Name) {
allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), a.Name))
} else if errs := utilvalidation.IsDNS1123Subdomain(a.Name); len(errs) != 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), a.Name, fmt.Sprintf("authorizer name is invalid: %s", strings.Join(errs, ", "))))
}
seenAuthorizerNames.Insert(a.Name)
switch a.Type {
case api.TypeWebhook:
if a.Webhook == nil {
allErrs = append(allErrs, field.Required(fldPath.Child("webhook"), "required when type=Webhook"))
continue
}
allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook, seenWebhookNames)...)
allErrs = append(allErrs, ValidateWebhookConfiguration(fldPath, a.Webhook)...)
default:
if a.Webhook != nil {
allErrs = append(allErrs, field.Invalid(fldPath.Child("webhook"), "non-null", "may only be specified when type=Webhook"))
@@ -255,16 +264,8 @@ func ValidateAuthorizationConfiguration(fldPath *field.Path, c *api.Authorizatio
return allErrs
}
func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration, seenNames sets.String) field.ErrorList {
func ValidateWebhookConfiguration(fldPath *field.Path, c *api.WebhookConfiguration) field.ErrorList {
allErrs := field.ErrorList{}
if len(c.Name) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
} else if seenNames.Has(c.Name) {
allErrs = append(allErrs, field.Duplicate(fldPath.Child("name"), c.Name))
} else if errs := utilvalidation.IsDNS1123Subdomain(c.Name); len(errs) != 0 {
allErrs = append(allErrs, field.Invalid(fldPath.Child("name"), c.Name, fmt.Sprintf("webhook name is invalid: %s", strings.Join(errs, ", "))))
}
seenNames.Insert(c.Name)
if c.Timeout.Duration == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("timeout"), ""))

268
staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation_test.go
View File

@@ -448,7 +448,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
repeatableTypes: sets.NewString(),
},
{
name: "type is required if an authorizer is defined",
name: "type and name are required if an authorizer is defined",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{},
@@ -458,14 +458,88 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "authorizer names should be of non-zero length",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "",
},
},
},
expectedErrList: field.ErrorList{field.Required(field.NewPath("name"), "")},
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "authorizer names should be unique",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "foo",
},
{
Type: "Bar",
Name: "foo",
},
},
},
expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("name"), "foo")},
knownTypes: sets.NewString(string("Foo"), string("Bar")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "authorizer names should be DNS1123 labels",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "myauthorizer",
},
},
},
expectedErrList: field.ErrorList{},
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "authorizer names should be DNS1123 subdomains",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "foo.example.domain",
},
},
},
expectedErrList: field.ErrorList{},
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "authorizer names should not be invalid DNS1123 labels or subdomains",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "FOO.example.domain",
},
},
},
expectedErrList: field.ErrorList{field.Invalid(field.NewPath("name"), "FOO.example.domain", "")},
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "bare minimum configuration with Webhook",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -489,8 +563,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -504,8 +578,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
},
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "second-webhook",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -542,14 +616,16 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "foo-1",
},
{
Type: "Foo",
Name: "foo-2",
},
},
},
expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("type"), "Foo")},
knownTypes: sets.NewString([]string{string("Foo"), string("Webhook")}...),
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
@@ -558,6 +634,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Name: "default",
},
},
},
@@ -571,6 +648,7 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Foo",
Name: "foo",
Webhook: &api.WebhookConfiguration{},
},
},
@@ -579,154 +657,14 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
knownTypes: sets.NewString(string("Foo")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "webhook name should be of non-zero length",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
},
},
expectedErrList: field.ErrorList{field.Required(field.NewPath("name"), "")},
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "webhook names should be unique",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "name-1",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "name-1",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
},
},
expectedErrList: field.ErrorList{field.Duplicate(field.NewPath("name"), "name-1")},
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "webhook names should be DNS1123 labels",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "mywebhookname",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
},
},
expectedErrList: field.ErrorList{},
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "webhook names should be DNS1123 subdomains",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "webhookname.example.domain",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
},
},
expectedErrList: field.ErrorList{},
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "webhook names should not be invalid DNS1123 labels or subdomains",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "WEBHOOKNAME.example.domain",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
FailurePolicy: "NoOpinion",
SubjectAccessReviewVersion: "v1",
MatchConditionSubjectAccessReviewVersion: "v1",
ConnectionInfo: api.WebhookConnectionInfo{
Type: "InClusterConfig",
},
},
},
},
},
expectedErrList: field.ErrorList{field.Invalid(field.NewPath("name"), "WEBHOOKNAME.example.domain", "")},
knownTypes: sets.NewString(string("Webhook")),
repeatableTypes: sets.NewString(string("Webhook")),
},
{
name: "timeout should be specified",
configuration: api.AuthorizationConfiguration{
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -750,8 +688,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 0 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
@@ -775,8 +713,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: -30 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
@@ -800,8 +738,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 60 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
@@ -825,8 +763,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 5 * time.Second},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -849,8 +787,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: -30 * time.Second},
@@ -874,8 +812,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
@@ -898,8 +836,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
FailurePolicy: "NoOpinion",
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
@@ -923,8 +861,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -947,8 +885,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -972,8 +910,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -996,8 +934,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1021,8 +959,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1045,8 +983,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1070,8 +1008,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1092,8 +1030,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1119,8 +1057,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1147,8 +1085,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1172,8 +1110,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
@@ -1198,8 +1136,8 @@ func TestValidateAuthorizationConfiguration(t *testing.T) {
Authorizers: []api.AuthorizerConfiguration{
{
Type: "Webhook",
Webhook: &api.WebhookConfiguration{
Name: "default",
Webhook: &api.WebhookConfiguration{
Timeout: metav1.Duration{Duration: 5 * time.Second},
AuthorizedTTL: metav1.Duration{Duration: 5 * time.Minute},
UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},