k8s \u7684 apiserver \u4f5c\u4e3a\u6240\u6709\u7ec4\u4ef6\u901a\u4fe1\u7684\u67a2\u7ebd\uff0c\u5176\u91cd\u8981\u6027\u4e0d\u8a00\u800c\u55bb\u3002apiserver \u53ef\u4ee5\u5bf9\u5916\u63d0\u4f9b\u57fa\u4e8e HTTP \u7684\u670d\u52a1\uff0c\u90a3\u4e48\u4e00\u4e2a\u8bf7\u6c42\u4ece\u53d1\u51fa\u5230\u5904\u7406\uff0c\u5177\u4f53\u8981\u7ecf\u8fc7\u54ea\u4e9b\u6b65\u9aa4\u5462\uff1f\u4e0b\u9762\u4f1a\u6839\u636e\u4ee3\u7801\u5c06\u6574\u4e2a\u8fc7\u7a0b\u7b80\u5355\u7684\u53d9\u8ff0\u4e00\u904d\uff0c\u8ba9\u5927\u5bb6\u53ef\u4ee5\u5bf9\u8fd9\u4e2a\u8fc7\u7a0b\u7531\u5927\u6982\u7684\u5370\u8c61\u3002<\/p>\n
\u56e0\u4e3a apiserver \u7684\u4ee3\u7801\u7ed3\u6784\u5e76\u4e0d\u7b80\u5355\uff0c\u56e0\u6b64\u4f1a\u5c3d\u91cf\u5c11\u7684\u8d34\u4ee3\u7801\u3002\u4ee5\u4e0b\u5206\u6790\u57fa\u4e8e k8s 1.18<\/p>\n
\/\/ \u6784\u5efa\u8bf7\u6c42\u7684\u5904\u7406\u94fe\nfunc DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {\n handler := genericapifilters.WithAuthorization(apiHandler, c.Authorization.Authorizer, c.Serializer)\n if c.FlowControl != nil {\n handler = genericfilters.WithPriorityAndFairness(handler, c.LongRunningFunc, c.FlowControl)\n } else {\n handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)\n }\n handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)\n handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)\n failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)\n failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)\n handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)\n handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, \"true\")\n handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)\n handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)\n handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)\n if c.SecureServing != nil && !c.SecureServing.DisableHTTP2 && c.GoawayChance > 0 {\n handler = genericfilters.WithProbabilisticGoaway(handler, c.GoawayChance)\n }\n handler = genericfilters.WithPanicRecovery(handler)\n return handler\n}\n<\/code><\/pre>\n\u8fd9\u4e2a\u8bf7\u6c42\u7684\u5904\u7406\u94fe\u662f\u4ece\u540e\u5411\u524d\u6267\u884c\u7684\u3002\u56e0\u6b64\u8bf7\u6c42\u7ecf\u8fc7\u7684 handler \u4e3a:<\/p>\n
\n- PanicRecovery<\/li>\n
- ProbabilisticGoaway<\/li>\n
- RequestInfo<\/li>\n
- WaitGroup<\/li>\n
- TimeoutForNonLongRunningRequests<\/li>\n
- CORS<\/li>\n
- Authentication<\/li>\n
- failedHandler: FailedAuthenticationAudit<\/li>\n
- failedHandler: Unauthorized<\/li>\n
- Audit<\/li>\n
- Impersonation<\/li>\n
- PriorityAndFairness \/ MaxInFlightLimit<\/li>\n
- Authorization<\/li>\n<\/ul>\n
\u4e4b\u540e\u4f20\u9012\u5230 director\uff0c\u7531 director \u5206\u5230 gorestfulContainer \u6216 nonGoRestfulMux\u3002gorestfulContainer \u662f apiserver \u4e3b\u8981\u90e8\u5206\u3002<\/p>\n
director := director{\n name: name,\n goRestfulContainer: gorestfulContainer,\n nonGoRestfulMux: nonGoRestfulMux,\n}\n<\/code><\/pre>\nPanicRecovery<\/h3>\n
runtime.HandleCrash \u9632\u6b62 panic\uff0c\u5e76\u6253\u4e86\u65e5\u5fd7\u8bb0\u5f55 panic \u7684\u8bf7\u6c42\u8be6\u60c5<\/p>\n
ProbabilisticGoaway<\/h3>\n
\u56e0\u4e3a client \u548c apiserver \u662f\u4f7f\u7528 http2 \u957f\u8fde\u63a5\u7684\u3002\u8fd9\u6837\u5373\u4f7f apiserver \u6709\u8d1f\u8f7d\u5747\u8861\uff0c\u90e8\u5206 client \u7684\u8bf7\u6c42\u4e5f\u4f1a\u4e00\u76f4\u547d\u4e2d\u5230\u540c\u4e00\u4e2a apiserver \u4e0a\u3002goaway \u4f1a\u914d\u7f6e\u4e00\u4e2a\u5f88\u5c0f\u7684\u51e0\u7387\uff0c\u5728 apiserver \u6536\u5230\u8bf7\u6c42\u540e\u54cd\u5e94 GOWAY \u7ed9 client\uff0c\u8fd9\u6837 client \u5c31\u4f1a\u65b0\u5efa\u4e00\u4e2a tcp \u8fde\u63a5\u8d1f\u8f7d\u5747\u8861\u5230\u4e0d\u540c\u7684 apiserver \u4e0a\u3002\u8fd9\u4e2a\u51e0\u7387\u7684\u53d6\u503c\u8303\u56f4\u662f 0~0.02<\/p>\n
\u76f8\u5173\u7684 PR\uff1ahttps:\/\/github.com\/kubernetes\/kubernetes\/pull\/88567<\/p>\n
RequestInfo<\/h3>\n
RequestInfo \u4f1a\u6839\u636e HTTP \u8bf7\u6c42\u8fdb\u884c\u89e3\u6790\u5904\u7406\u3002\u5f97\u5230\u4ee5\u4e0b\u7684\u4fe1\u606f\uff1a<\/p>\n
\/\/ RequestInfo holds information parsed from the http.Request\ntype RequestInfo struct {\n \/\/ IsResourceRequest indicates whether or not the request is for an API resource or subresource\n IsResourceRequest bool\n \/\/ Path is the URL path of the request\n Path string\n \/\/ Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch.\n \/\/ for non-resource requests, this is the lowercase http verb\n Verb string\n\n APIPrefix string\n APIGroup string\n APIVersion string\n Namespace string\n \/\/ Resource is the name of the resource being requested. This is not the kind. For example: pods\n Resource string\n \/\/ Subresource is the name of the subresource being requested. This is a different resource, scoped to the parent resource, but it may have a different kind.\n \/\/ For instance, \/pods has the resource \"pods\" and the kind \"Pod\", while \/pods\/foo\/status has the resource \"pods\", the sub resource \"status\", and the kind \"Pod\"\n \/\/ (because status operates on pods). The binding resource for a pod though may be \/pods\/foo\/binding, which has resource \"pods\", subresource \"binding\", and kind \"Binding\".\n Subresource string\n \/\/ Name is empty for some verbs, but if the request directly indicates a name (not in body content) then this field is filled in.\n Name string\n \/\/ Parts are the path parts for the request, always starting with \/{resource}\/{name}\n Parts []string\n}\n<\/code><\/pre>\nWaitGroup<\/h3>\n
waitgroup \u7528\u6765\u5904\u7406\u77ed\u8fde\u63a5\u9000\u51fa\u7684\u3002<\/p>\n
\u5982\u4f55\u5224\u65ad\u662f\u4e0d\u662f\u4e00\u4e2a\u957f\u8fde\u63a5\u5462\uff1f\u8fd9\u91cc\u662f\u901a\u8fc7\u8bf7\u6c42\u7684\u52a8\u4f5c\u6216\u8005 subresource \u6765\u5224\u65ad\u7684\u3002watch \u548c proxy \u8fd9\u4e24\u4e2a\u52a8\u4f5c\u662f\u5728 requestinfo \u4e0a\u901a\u8fc7\u8bf7\u6c42\u7684 path \u6765\u5224\u65ad\u7684\u3002<\/p>\n
serverConfig.LongRunningFunc = filters.BasicLongRunningRequestCheck(\n sets.NewString(\"watch\", \"proxy\"),\n sets.NewString(\"attach\", \"exec\", \"proxy\", \"log\", \"portforward\"),\n)\n\n\/\/ BasicLongRunningRequestCheck returns true if the given request has one of the specified verbs or one of the specified subresources, or is a profiler request.\nfunc BasicLongRunningRequestCheck(longRunningVerbs, longRunningSubresources sets.String) apirequest.LongRunningRequestCheck {\n return func(r *http.Request, requestInfo *apirequest.RequestInfo) bool {\n if longRunningVerbs.Has(requestInfo.Verb) {\n return true\n }\n if requestInfo.IsResourceRequest && longRunningSubresources.Has(requestInfo.Subresource) {\n return true\n }\n if !requestInfo.IsResourceRequest && strings.HasPrefix(requestInfo.Path, \"\/debug\/pprof\/\") {\n return true\n }\n return false\n }\n}\n<\/code><\/pre>\n\u8fd9\u6837\u4e4b\u540e\u7684 handler \u5168\u90e8\u9000\u51fa\u540e\uff0c\u8fd9\u4e2a waitgroup \u7684 handler \u624d\u4f1a done\u3002\u8fd9\u6837\u5c31\u80fd\u5b9e\u73b0\u4f18\u96c5\u9000\u51fa\u4e86\u3002<\/p>\n
TimeoutForNonLongRunningRequests<\/h3>\n
\u5bf9\u4e8e\u975e\u957f\u8fde\u63a5\u7684\u8bf7\u6c42\uff0c\u4f7f\u7528 ctx \u7684 cancel \u6765\u5728\u8d85\u65f6\u540e\u53d6\u6d88\u8bf7\u6c42\u3002<\/p>\n
CORS<\/h3>\n
\u8bbe\u7f6e\u4e00\u4e9b\u8de8\u57df\u7684\u54cd\u5e94\u5934<\/p>\n
Authentication<\/h3>\n
\u5f00\u59cb\u8ba4\u8bc1\u7528\u6237\u3002\u8ba4\u8bc1\u6210\u529f\u4f1a\u4ece\u8bf7\u6c42\u4e2d\u79fb\u9664 Authorization<\/code>\u3002\u7136\u540e\u5c06\u8bf7\u6c42\u4ea4\u7ed9\u4e0b\u4e00\u4e2a handler\uff0c\u5426\u5219\u5c06\u8bf7\u6c42\u4ea4\u7ed9\u4e0b\u4e00\u4e2a failed handler\u3002<\/p>\n\u5904\u7406\u7684\u65b9\u5f0f\u6709\u5f88\u591a\u4e2d\u3002\u5305\u62ec\uff1a<\/p>\n
\n- Requestheader\uff0c\u8d1f\u8d23\u4ece\u8bf7\u6c42\u4e2d\u53d6\u51fa X-Remote-User\uff0cX-Remote-Group\uff0cX-Remote-Extra<\/li>\n
- X509 \u8bc1\u4e66\u6821\u9a8c\uff0c<\/li>\n
- BearerToken<\/li>\n
- WebSocket<\/li>\n
- Anonymous: \u5728\u5141\u8bb8\u533f\u540d\u7684\u60c5\u51b5\u4e0b<\/li>\n<\/ul>\n
\u8fd8\u6709\u4e00\u90e8\u5206\u662f\u4ee5\u63d2\u4ef6\u7684\u5f62\u5f0f\u63d0\u4f9b\u4e86\u8ba4\u8bc1\uff1a<\/p>\n
\n- bootstrap token<\/p>\n<\/li>\n
- \n
Basic auth<\/p>\n<\/li>\n
- password<\/li>\n
- OIDC<\/li>\n
- Webhook<\/li>\n<\/ul>\n
\u5982\u679c\u6709\u4e00\u4e2a\u8ba4\u8bc1\u6210\u529f\u7684\u8bdd\uff0c\u5c31\u8ba4\u4e3a\u8ba4\u8bc1\u6210\u529f\u3002\u5e76\u4e14\u5982\u679c\u7528\u6237\u662f system:anonymous<\/code> \u6216 \u7528\u6237\u7ec4\u4e2d\u5305\u542b system:unauthenticated<\/code> \u548c system:authenticated<\/code>\u3002\u5c31\u76f4\u63a5\u8fd4\u56de\uff0c\u5426\u5219\u4fee\u6539\u7528\u6237\u4fe1\u606f\u5e76\u8fd4\u56de\uff1a<\/p>\nr.User = &user.DefaultInfo{\n Name: r.User.GetName(),\n UID: r.User.GetUID(),\n Groups: append(r.User.GetGroups(), user.AllAuthenticated),\n Extra: r.User.GetExtra(),\n }\n<\/code><\/pre>\n\u6ce8\u610f\u5230\uff0cuser \u73b0\u5728\u5df2\u7ecf\u5c5e\u4e8e system:authenticated<\/code>\u3002\u4e5f\u5c31\u662f\u8ba4\u8bc1\u8fc7\u4e86\u3002<\/p>\nFailedAuthenticationAudit<\/h3>\n
\u8fd9\u4e2a\u53ea\u4f1a\u5728\u8ba4\u8bc1\u5931\u8d25\u540e\u624d\u4f1a\u6267\u884c\u3002\u4e3b\u8981\u662f\u63d0\u4f9b\u4e86\u5ba1\u8ba1\u7684\u529f\u80fd\u3002<\/p>\n
Unauthorized<\/h3>\n
\u672a\u6388\u6743\u7684\u5904\u7406\uff0c\u5728 FailedAuthenticationAudit \u4e4b\u540e\u8c03\u7528<\/p>\n
Audit<\/h3>\n
\u63d0\u4f9b\u8bf7\u6c42\u7684\u5ba1\u8ba1\u529f\u80fd<\/p>\n
Impersonation<\/h3>\n
impersonation \u662f\u4e00\u4e2a\u5c06\u5f53\u524d\u7528\u6237\u626e\u6f14\u4e3a\u53e6\u5916\u4e00\u4e2a\u7528\u6237\u7684\u7279\u6027\uff0c\u8fd9\u4e2a\u7279\u6027\u6709\u52a9\u4e8e\u7ba1\u7406\u5458\u6765\u6d4b\u8bd5\u4e0d\u540c\u7528\u6237\u7684\u6743\u9650\u662f\u5426\u914d\u7f6e\u6b63\u786e\u7b49\u7b49\u3002\u53d6\u5f97 header \u7684 key \u662f\uff1a<\/p>\n
\n- Impersonate-User\uff1a\u7528\u6237<\/li>\n
- Impersonate-Group\uff1a\u7ec4<\/li>\n
- Impersonate-Extra-\uff1a\u989d\u5916\u4fe1\u606f<\/li>\n<\/ul>\n
\u7528\u6237\u5206\u4e3a service account \u548c user\u3002\u6839\u636e\u683c\u5f0f\u533a\u5206\uff0cservice account \u7684\u683c\u5f0f\u662f namespace\/name\uff0c\u5426\u5219\u5c31\u662f\u5f53\u4f5c user \u5bf9\u5f85\u3002<\/p>\n
Service account \u6700\u7ec8\u7684\u683c\u5f0f\u662f\uff1a system:serviceaccount:namespace:name<\/p>\n
PriorityAndFairness \/ MaxInFlightLimit<\/h3>\n
\u5982\u679c\u8bbe\u7f6e\u4e86\u6d41\u63a7\uff0c\u5c31\u4f7f\u7528 PriorityAndFairness\uff0c\u5426\u5219\u4f7f\u7528 MaxInFlightLimit\u3002<\/p>\n
PriorityAndFairness\uff1a\u4f1a\u5bf9\u8bf7\u6c42\u505a\u4f18\u5148\u7ea7\u7684\u6392\u5e8f\u3002\u540c\u4f18\u5148\u7ea7\u7684\u8bf7\u6c42\u4f1a\u6709\u516c\u5e73\u6027\u76f8\u5173\u7684\u63a7\u5236\u3002<\/p>\n
MaxInFlightLimit\uff1a\u5728\u7ed9\u5b9a\u65f6\u95f4\u5185\u8fdb\u884c\u4e2d\u4e0d\u53ef\u53d8\u8bf7\u6c42\u7684\u6700\u5927\u6570\u91cf\u3002\u5f53\u8d85\u8fc7\u8be5\u503c\u65f6\uff0c\u670d\u52a1\u5c06\u62d2\u7edd\u6240\u6709\u8bf7\u6c42\u30020 \u503c\u8868\u793a\u6ca1\u6709\u9650\u5236\u3002\uff08\u9ed8\u8ba4\u503c 400\uff09<\/p>\n
\u53c2\u8003\u8d44\u6599\uff1ahttps:\/\/kubernetes.io\/zh\/docs\/concepts\/cluster-administration\/flow-control\/<\/p>\n
Authorization<\/h3>\n\/\/ AttributesRecord implements Attributes interface.\ntype AttributesRecord struct {\n User user.Info\n Verb string\n Namespace string\n APIGroup string\n APIVersion string\n Resource string\n Subresource string\n Name string\n ResourceRequest bool\n Path string\n}\n<\/code><\/pre>\n\u9274\u6743\u7684\u65f6\u5019\u4f1a\u4ece context \u4e2d\u53d6\u51fa\u4e0a\u9762\u8fd9\u4e2a\u7ed3\u6784\u4f53\u9700\u8981\u7684\u4fe1\u606f\uff0c\u7136\u540e\u8fdb\u884c\u8ba4\u8bc1\u3002\u652f\u6301\u7684\u8ba4\u8bc1\u65b9\u5f0f\u6709\uff1a<\/p>\n
\n- Always allow<\/li>\n
- Always deny<\/li>\n
- Path: \u5141\u8bb8\u90e8\u5206\u8def\u5f84\u603b\u662f\u53ef\u4ee5\u88ab\u8bbf\u95ee<\/li>\n<\/ul>\n
\u5176\u4ed6\u7684\u4e00\u4e9b\u5e38\u7528\u7684\u8ba4\u8bc1\u65b9\u5f0f\u4e3b\u8981\u662f\u901a\u8fc7\u63d2\u4ef6\u63d0\u4f9b\uff1a<\/p>\n
\n- Webhook<\/li>\n
- RBAC<\/li>\n
- Node<\/li>\n<\/ul>\n
\u5176\u4e2d Node \u4e13\u95e8\u4e3a kubelet \u8bbe\u8ba1\u7684\uff0c\u8282\u70b9\u9274\u6743\u5668\u5141\u8bb8 kubelet \u6267\u884c API \u64cd\u4f5c\u3002\u5305\u62ec\uff1a<\/p>\n
\u8bfb\u53d6\u64cd\u4f5c\uff1a<\/p>\n
\n- services<\/li>\n
- endpoints<\/li>\n
- nodes<\/li>\n
- pods<\/li>\n
- secrets\u3001configmaps\u3001pvcs \u4ee5\u53ca\u7ed1\u5b9a\u5230 kubelet \u8282\u70b9\u7684\u4e0e pod \u76f8\u5173\u7684\u6301\u4e45\u5377<\/li>\n<\/ul>\n
\u5199\u5165\u64cd\u4f5c\uff1a<\/p>\n
\n- \u8282\u70b9\u548c\u8282\u70b9\u72b6\u6001\uff08\u542f\u7528
NodeRestriction<\/code> \u51c6\u5165\u63d2\u4ef6\u4ee5\u9650\u5236 kubelet \u53ea\u80fd\u4fee\u6539\u81ea\u5df1\u7684\u8282\u70b9\uff09<\/li>\n- Pod \u548c Pod \u72b6\u6001 (\u542f\u7528
NodeRestriction<\/code> \u51c6\u5165\u63d2\u4ef6\u4ee5\u9650\u5236 kubelet \u53ea\u80fd\u4fee\u6539\u7ed1\u5b9a\u5230\u81ea\u8eab\u7684 Pod)<\/li>\n- \u4e8b\u4ef6<\/li>\n<\/ul>\n
\u9274\u6743\u76f8\u5173\u64cd\u4f5c\uff1a<\/p>\n
\n- \u5bf9\u4e8e\u57fa\u4e8e TLS \u7684\u542f\u52a8\u5f15\u5bfc\u8fc7\u7a0b\u65f6\u4f7f\u7528\u7684 certificationsigningrequests API \u7684\u8bfb\/\u5199\u6743\u9650<\/li>\n
- \u4e3a\u59d4\u6d3e\u7684\u8eab\u4efd\u9a8c\u8bc1\/\u6388\u6743\u68c0\u67e5\u521b\u5efa tokenreviews \u548c subjectaccessreviews \u7684\u80fd\u529b<\/li>\n<\/ul>\n
\u5728\u5c06\u6765\u7684\u7248\u672c\u4e2d\uff0c\u8282\u70b9\u9274\u6743\u5668\u53ef\u80fd\u4f1a\u6dfb\u52a0\u6216\u5220\u9664\u6743\u9650\uff0c\u4ee5\u786e\u4fdd kubelet \u5177\u6709\u6b63\u786e\u64cd\u4f5c\u6240\u9700\u7684\u6700\u5c0f\u6743\u9650\u96c6\u3002<\/p>\n