kubectl源码分析之certificate approve and deny

青乌 2022-08-11 阅读 23


 欢迎关注我的公众号:

kubectl源码分析之certificate approve and deny_ios

 目前刚开始写一个月,一共写了18篇原创文章,文章目录如下:

​​istio多集群探秘,部署了50次多集群后我得出的结论​​

​​istio多集群链路追踪,附实操视频​​

​​istio防故障利器,你知道几个,istio新手不要读,太难!​​

​​istio业务权限控制,原来可以这么玩​​

​​istio实现非侵入压缩,微服务之间如何实现压缩​​

​​不懂envoyfilter也敢说精通istio系列-http-rbac-不要只会用AuthorizationPolicy配置权限​​

​​不懂envoyfilter也敢说精通istio系列-02-http-corsFilter-不要只会vs​​

​​不懂envoyfilter也敢说精通istio系列-03-http-csrf filter-再也不用再代码里写csrf逻辑了​​

​​不懂envoyfilter也敢说精通istio系列http-jwt_authn-不要只会RequestAuthorization​​

​​不懂envoyfilter也敢说精通istio系列-05-fault-filter-故障注入不止是vs​​

​​不懂envoyfilter也敢说精通istio系列-06-http-match-配置路由不只是vs​​

​​不懂envoyfilter也敢说精通istio系列-07-负载均衡配置不止是dr​​

​​不懂envoyfilter也敢说精通istio系列-08-连接池和断路器​​

​​不懂envoyfilter也敢说精通istio系列-09-http-route filter​​

​​不懂envoyfilter也敢说精通istio系列-network filter-redis proxy​​

​​不懂envoyfilter也敢说精通istio系列-network filter-HttpConnectionManager​​

​​不懂envoyfilter也敢说精通istio系列-ratelimit-istio ratelimit完全手册​​

 

———————————————

// NewCmdCertificate builds the parent `kubectl certificate` command. It does
// nothing on its own — invoking it without a subcommand prints the help text —
// and delegates all real work to the `approve` and `deny` subcommands that are
// attached here. Both subcommands write to the CSR approval subresource, so
// the parent is effectively the entry point for an admin-level action.
func NewCmdCertificate(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
	root := &cobra.Command{
		Use:                   "certificate SUBCOMMAND",
		DisableFlagsInUseLine: true,
		Short:                 i18n.T("Modify certificate resources."),
		Long:                  "Modify certificate resources.",
		// A bare `kubectl certificate` is not an action; show usage instead.
		Run: func(cmd *cobra.Command, args []string) {
			cmd.Help()
		},
	}

	subcommands := []*cobra.Command{
		NewCmdCertificateApprove(f, ioStreams),
		NewCmdCertificateDeny(f, ioStreams),
	}
	for _, sub := range subcommands {
		root.AddCommand(sub)
	}

	return root
}

// CertificateOptions is the state shared by `certificate approve` and
// `certificate deny`: where the CSRs come from (positional names and/or the
// filename flags), how results are printed, and the clients used to reach the
// API server. It is filled in two steps: NewCertificateOptions sets the
// defaults, Complete fills the rest from the parsed command line.
type CertificateOptions struct {
	// Embedded so the filename flags registered by cmdutil.AddFilenameOptionFlags
	// bind straight onto this struct, and so the command's streams are
	// available as o.Out / o.ErrOut.
	resource.FilenameOptions
	genericclioptions.IOStreams

	// Output handling. PrintFlags is bound to the cobra command; PrintObj is
	// derived from it in Complete and is what the run path calls per object.
	PrintFlags *genericclioptions.PrintFlags
	PrintObj   printers.ResourcePrinterFunc

	// Inputs captured in Complete.
	csrNames    []string // positional CSR names from the command line
	outputStyle string   // raw --output value; set in Complete, no use visible in this listing

	// API access, created in Complete from the factory's REST config.
	clientSet certificatesv1beta1client.CertificatesV1beta1Interface
	builder   *resource.Builder
}

// NewCertificateOptions returns an options value bound to the given streams,
// with print flags whose default operation word is "approved" and whose type
// setter is the shared scheme.
//
// NOTE(review): NewCmdCertificateDeny reuses this same constructor, so the deny
// command inherits the "approved" operation word as well — check what the name
// printer emits after a deny before relying on that output in scripts.
func NewCertificateOptions(ioStreams genericclioptions.IOStreams) *CertificateOptions {
	flags := genericclioptions.NewPrintFlags("approved").WithTypeSetter(scheme.Scheme)

	opts := &CertificateOptions{IOStreams: ioStreams}
	opts.PrintFlags = flags
	return opts
}

// Complete populates the options from the parsed command and the factory.
// Positional args become the CSR names, the --output value is recorded, the
// configured printer is resolved into PrintObj, and a resource builder plus a
// certificates/v1beta1 client are created from the factory's REST config.
// Errors from printer resolution, REST-config loading or client construction
// are returned unchanged.
func (o *CertificateOptions) Complete(f cmdutil.Factory, cmd *cobra.Command, args []string) error {
	o.csrNames = args
	o.outputStyle = cmdutil.GetFlagString(cmd, "output")

	resolved, err := o.PrintFlags.ToPrinter()
	if err != nil {
		return err
	}
	// Adapt the printer to the ResourcePrinterFunc field type.
	o.PrintObj = func(obj runtime.Object, w io.Writer) error {
		return resolved.PrintObj(obj, w)
	}

	o.builder = f.NewBuilder()

	restConfig, err := f.ToRESTConfig()
	if err != nil {
		return err
	}

	// The client comes straight from the factory's REST config, i.e. the
	// approval/denial is sent with the credentials kubectl itself is using;
	// whether those may touch the approval subresource is decided server-side.
	client, err := certificatesv1beta1client.NewForConfig(restConfig)
	if err != nil {
		return err
	}
	o.clientSet = client

	return nil
}

// Validate enforces the one precondition of both subcommands: at least one CSR
// must be selected, either by positional name or via the filename/kustomize
// flags. No other checks are made here; the CSR contents are never inspected
// client-side.
func (o *CertificateOptions) Validate() error {
	haveNames := len(o.csrNames) > 0
	haveFiles := !cmdutil.IsFilenameSliceEmpty(o.Filenames, o.Kustomize)
	if haveNames || haveFiles {
		return nil
	}
	return fmt.Errorf("one or more CSRs must be specified as <name> or -f <filename>")
}

// NewCmdCertificateApprove builds `kubectl certificate approve`.
//
// Approving a CSR tells the signing controller to issue a certificate with the
// attributes the requester put in the CSR, which — as the help text's SECURITY
// NOTICE says — can let the requester authenticate as the requested identity.
// Nothing in this command inspects those attributes; the operator is expected
// to review the CSR before approving, and the API server's RBAC on the approval
// subresource is the only authorization applied. --force re-sends the approval
// even when an Approved condition is already present.
func NewCmdCertificateApprove(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
	opts := NewCertificateOptions(ioStreams)

	run := func(cmd *cobra.Command, args []string) {
		cmdutil.CheckErr(opts.Complete(f, cmd, args))
		cmdutil.CheckErr(opts.Validate())
		cmdutil.CheckErr(opts.RunCertificateApprove(cmdutil.GetFlagBool(cmd, "force")))
	}

	cmd := &cobra.Command{
		Use:                   "approve (-f FILENAME | NAME)",
		DisableFlagsInUseLine: true,
		Short:                 i18n.T("Approve a certificate signing request"),
		Long: templates.LongDesc(`
Approve a certificate signing request.

kubectl certificate approve allows a cluster admin to approve a certificate
signing request (CSR). This action tells a certificate signing controller to
issue a certificate to the requestor with the attributes requested in the CSR.

SECURITY NOTICE: Depending on the requested attributes, the issued certificate
can potentially grant a requester access to cluster resources or to authenticate
as a requested identity. Before approving a CSR, ensure you understand what the
signed certificate can do.
`),
		Run: run,
	}

	// Output flags (-o ...), then the command's own --force, then -f/-k.
	opts.PrintFlags.AddFlags(cmd)
	cmd.Flags().Bool("force", false, "Update the CSR even if it is already approved.")
	cmdutil.AddFilenameOptionFlags(cmd, &opts.FilenameOptions, "identifying the resource to update")

	return cmd
}

// RunCertificateApprove appends an Approved condition to each selected CSR and
// writes it through the approval subresource. The modifier reports true when an
// Approved condition is already present, in which case the write is skipped
// unless force is set.
//
// NOTE(review): only the Approved condition type is looked for. An existing
// Denied condition is not detected, so this client will append Approved next
// to Denied; whether the API server rejects that combination depends on the
// server version's CSR validation — verify rather than rely on it.
func (o *CertificateOptions) RunCertificateApprove(force bool) error {
	approve := func(csr *certificatesv1beta1.CertificateSigningRequest) (*certificatesv1beta1.CertificateSigningRequest, bool) {
		for _, cond := range csr.Status.Conditions {
			if cond.Type == certificatesv1beta1.CertificateApproved {
				return csr, true // already approved; --force decides whether to resend
			}
		}

		approved := certificatesv1beta1.CertificateSigningRequestCondition{
			Type:           certificatesv1beta1.CertificateApproved,
			Reason:         "KubectlApprove",
			Message:        "This CSR was approved by kubectl certificate approve.",
			LastUpdateTime: metav1.Now(),
		}
		csr.Status.Conditions = append(csr.Status.Conditions, approved)
		return csr, false
	}

	return o.modifyCertificateCondition(o.builder, o.clientSet, force, approve)
}

// modifyCertificateCondition resolves the CSRs selected by o.csrNames and/or
// the filename options, applies modify to each one, and sends the result to
// the server via the approval subresource (UpdateApproval).
//
// modify returns the (possibly mutated) CSR and whether the condition it adds
// was already present; when it was, the write is skipped unless force is true.
// A Conflict from the server causes the object to be re-read (info.Get) and
// modify to be re-applied, for at most ten retries, after which the conflict
// error is returned. The builder is set to ContinueOnError, so a failure on one
// object need not stop the others (how the visitor aggregates those errors is
// not visible here). "No resources found" is printed when no object reached the
// print step.
//
// Nothing here checks what the CSR asks for; the only authorization is the API
// server's RBAC on the approval subresource.
func (o *CertificateOptions) modifyCertificateCondition(
	builder *resource.Builder,
	clientSet certificatesv1beta1client.CertificatesV1beta1Interface,
	force bool,
	modify func(csr *certificatesv1beta1.CertificateSigningRequest) (*certificatesv1beta1.CertificateSigningRequest, bool),
) error {
	const maxConflictRetries = 10

	result := builder.
		WithScheme(scheme.Scheme, scheme.Scheme.PrioritizedVersionsAllGroups()...).
		ContinueOnError().
		FilenameParam(false, &o.FilenameOptions).
		ResourceNames("certificatesigningrequest", o.csrNames...).
		RequireObject(true).
		Flatten().
		Latest().
		Do()

	processed := 0
	visitErr := result.Visit(func(info *resource.Info, infoErr error) error {
		if infoErr != nil {
			return infoErr
		}

		attempt := 0
		for {
			csr := info.Object.(*certificatesv1beta1.CertificateSigningRequest)
			csr, alreadySet := modify(csr)
			if alreadySet && !force {
				break // nothing to send; fall through to printing
			}

			_, updateErr := clientSet.CertificateSigningRequests().UpdateApproval(csr)
			if updateErr == nil {
				break
			}
			if !errors.IsConflict(updateErr) || attempt >= maxConflictRetries {
				return updateErr
			}

			// Someone else changed the CSR under us: refresh the local copy and
			// redo modify on the fresh object.
			if err := info.Get(); err != nil {
				return err
			}
			attempt++
		}

		processed++
		// Prints the locally modified object, not the server's response.
		return o.PrintObj(info.Object, o.Out)
	})

	if processed == 0 {
		fmt.Fprintf(o.Out, "No resources found\n")
	}
	return visitErr
}

// NewCmdCertificateDeny builds `kubectl certificate deny`, the mirror image of
// approve: it appends a Denied condition via the approval subresource so the
// signing controller does not issue a certificate. As with approve, the CSR's
// contents are not inspected client-side and the API server's RBAC on the
// approval subresource is the only authorization. --force re-sends the denial
// even when a Denied condition is already present.
func NewCmdCertificateDeny(f cmdutil.Factory, ioStreams genericclioptions.IOStreams) *cobra.Command {
	opts := NewCertificateOptions(ioStreams)

	run := func(cmd *cobra.Command, args []string) {
		cmdutil.CheckErr(opts.Complete(f, cmd, args))
		cmdutil.CheckErr(opts.Validate())
		cmdutil.CheckErr(opts.RunCertificateDeny(cmdutil.GetFlagBool(cmd, "force")))
	}

	cmd := &cobra.Command{
		Use:                   "deny (-f FILENAME | NAME)",
		DisableFlagsInUseLine: true,
		Short:                 i18n.T("Deny a certificate signing request"),
		Long: templates.LongDesc(`
Deny a certificate signing request.

kubectl certificate deny allows a cluster admin to deny a certificate
signing request (CSR). This action tells a certificate signing controller to
not to issue a certificate to the requestor.
`),
		Run: run,
	}

	// Output flags (-o ...), then the command's own --force, then -f/-k.
	opts.PrintFlags.AddFlags(cmd)
	cmd.Flags().Bool("force", false, "Update the CSR even if it is already denied.")
	cmdutil.AddFilenameOptionFlags(cmd, &opts.FilenameOptions, "identifying the resource to update")

	return cmd
}

// RunCertificateDeny appends a Denied condition to each selected CSR and writes
// it through the approval subresource. The modifier reports true when a Denied
// condition is already present, in which case the write is skipped unless
// force is set.
//
// NOTE(review): only the Denied condition type is looked for. An existing
// Approved condition is not detected, so this client will append Denied next to
// Approved; whether the API server rejects that combination depends on the
// server version's CSR validation — verify rather than rely on it.
func (o *CertificateOptions) RunCertificateDeny(force bool) error {
	deny := func(csr *certificatesv1beta1.CertificateSigningRequest) (*certificatesv1beta1.CertificateSigningRequest, bool) {
		for _, cond := range csr.Status.Conditions {
			if cond.Type == certificatesv1beta1.CertificateDenied {
				return csr, true // already denied; --force decides whether to resend
			}
		}

		denied := certificatesv1beta1.CertificateSigningRequestCondition{
			Type:           certificatesv1beta1.CertificateDenied,
			Reason:         "KubectlDeny",
			Message:        "This CSR was denied by kubectl certificate deny.",
			LastUpdateTime: metav1.Now(),
		}
		csr.Status.Conditions = append(csr.Status.Conditions, denied)
		return csr, false
	}

	return o.modifyCertificateCondition(o.builder, o.clientSet, force, deny)
}
