Merge pull request #45238 from deads2k/auth-04-expose-kubelet

Automatic merge from submit-queue (batch tested with PRs 45362, 45159, 45321, 45238)

expose kubelet authentication and authorization builders

The kubelet authentication and authorization builder methods are useful for consumers.

@liggitt

cmd/kubelet/app/auth.go

@@ -34,7 +34,8 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/server"
 )
 
-func buildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) {
+// BuildAuth creates an authenticator, an authorizer, and a matching authorizer attributes getter compatible with the kubelet's needs
+func BuildAuth(nodeName types.NodeName, client clientset.Interface, config componentconfig.KubeletConfiguration) (server.AuthInterface, error) {
 	// Get clients, if provided
 	var (
 		tokenClient authenticationclient.TokenReviewInterface
@@ -45,14 +46,14 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 		sarClient = client.AuthorizationV1beta1().SubjectAccessReviews()
 	}
 
-	authenticator, err := buildAuthn(tokenClient, config.Authentication)
+	authenticator, err := BuildAuthn(tokenClient, config.Authentication)
 	if err != nil {
 		return nil, err
 	}
 
 	attributes := server.NewNodeAuthorizerAttributesGetter(nodeName)
 
-	authorizer, err := buildAuthz(sarClient, config.Authorization)
+	authorizer, err := BuildAuthz(sarClient, config.Authorization)
 	if err != nil {
 		return nil, err
 	}
@@ -60,7 +61,8 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 	return server.NewKubeletAuth(authenticator, attributes, authorizer), nil
 }
 
-func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
+// BuildAuthn creates an authenticator compatible with the kubelet's needs
+func BuildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
 	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
 		Anonymous:    authn.Anonymous.Enabled,
 		CacheTTL:     authn.Webhook.CacheTTL.Duration,
@@ -78,7 +80,8 @@ func buildAuthn(client authenticationclient.TokenReviewInterface, authn componen
 	return authenticator, err
 }
 
-func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
+// BuildAuthz creates an authorizer compatible with the kubelet's needs
+func BuildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) {
 	switch authz.Mode {
 	case componentconfig.KubeletAuthorizationModeAlwaysAllow:
 		return authorizerfactory.NewAlwaysAllowAuthorizer(), nil

cmd/kubelet/app/server.go

@@ -490,7 +490,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 	}
 
 	if kubeDeps.Auth == nil {
-		auth, err := buildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
+		auth, err := BuildAuth(nodeName, kubeDeps.ExternalKubeClient, s.KubeletConfiguration)
 		if err != nil {
 			return err
 		}