k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cmd/kube-apiserver/app/options/options_test.go (about) 1 /* 2 Copyright 2014 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package options 18 19 import ( 20 "net" 21 "reflect" 22 "testing" 23 "time" 24 25 "github.com/google/go-cmp/cmp" 26 "github.com/google/go-cmp/cmp/cmpopts" 27 "github.com/spf13/pflag" 28 oteltrace "go.opentelemetry.io/otel/trace" 29 30 "k8s.io/apiserver/pkg/admission" 31 apiserveroptions "k8s.io/apiserver/pkg/server/options" 32 "k8s.io/apiserver/pkg/storage/etcd3" 33 "k8s.io/apiserver/pkg/storage/storagebackend" 34 auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" 35 audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" 36 cliflag "k8s.io/component-base/cli/flag" 37 "k8s.io/component-base/logs" 38 "k8s.io/component-base/metrics" 39 kapi "k8s.io/kubernetes/pkg/apis/core" 40 controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options" 41 "k8s.io/kubernetes/pkg/controlplane/reconcilers" 42 kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options" 43 kubeletclient "k8s.io/kubernetes/pkg/kubelet/client" 44 netutils "k8s.io/utils/net" 45 ) 46 47 func TestAddFlags(t *testing.T) { 48 fs := pflag.NewFlagSet("addflagstest", pflag.PanicOnError) 49 s := NewServerRunOptions() 50 for _, f := range s.Flags().FlagSets { 51 fs.AddFlagSet(f) 52 } 53 54 args := []string{ 55 "--enable-admission-plugins=AlwaysDeny", 56 "--admission-control-config-file=/admission-control-config", 57 "--advertise-address=192.168.10.10", 58 "--allow-privileged=false", 59 "--anonymous-auth=false", 60 "--apiserver-count=5", 61 "--audit-log-maxage=11", 62 "--audit-log-maxbackup=12", 63 "--audit-log-maxsize=13", 64 "--audit-log-path=/var/log", 65 "--audit-log-mode=blocking", 66 "--audit-log-batch-buffer-size=46", 67 "--audit-log-batch-max-size=47", 68 "--audit-log-batch-max-wait=48s", 69 "--audit-log-batch-throttle-enable=true", 70 "--audit-log-batch-throttle-qps=49.5", 71 "--audit-log-batch-throttle-burst=50", 72 "--audit-log-truncate-enabled=true", 73 "--audit-log-truncate-max-batch-size=45", 74 "--audit-log-truncate-max-event-size=44", 75 "--audit-log-version=audit.k8s.io/v1", 76 "--audit-policy-file=/policy", 77 "--audit-webhook-config-file=/webhook-config", 78 "--audit-webhook-mode=blocking", 79 "--audit-webhook-batch-buffer-size=42", 80 "--audit-webhook-batch-max-size=43", 81 "--audit-webhook-batch-max-wait=1s", 82 "--audit-webhook-batch-throttle-enable=false", 83 "--audit-webhook-batch-throttle-qps=43.5", 84 "--audit-webhook-batch-throttle-burst=44", 85 "--audit-webhook-truncate-enabled=true", 86 "--audit-webhook-truncate-max-batch-size=43", 87 "--audit-webhook-truncate-max-event-size=42", 88 "--audit-webhook-initial-backoff=2s", 89 "--audit-webhook-version=audit.k8s.io/v1", 90 "--authentication-token-webhook-cache-ttl=3m", 91 "--authentication-token-webhook-config-file=/token-webhook-config", 92 "--authorization-mode=AlwaysDeny,RBAC", 93 "--authorization-policy-file=/policy", 94 "--authorization-webhook-cache-authorized-ttl=3m", 95 "--authorization-webhook-cache-unauthorized-ttl=1m", 96 "--authorization-webhook-config-file=/webhook-config", 97 "--bind-address=192.168.10.20", 98 "--client-ca-file=/client-ca", 99 "--cloud-config=/cloud-config", 100 "--cloud-provider=azure", 101 "--cors-allowed-origins=10.10.10.100,10.10.10.200", 102 "--contention-profiling=true", 103 "--egress-selector-config-file=/var/run/kubernetes/egress-selector/connectivity.yaml", 104 "--enable-aggregator-routing=true", 105 "--enable-priority-and-fairness=false", 106 "--enable-logs-handler=false", 107 "--endpoint-reconciler-type=" + string(reconcilers.LeaseEndpointReconcilerType), 108 "--etcd-keyfile=/var/run/kubernetes/etcd.key", 109 "--etcd-certfile=/var/run/kubernetes/etcdce.crt", 110 "--etcd-cafile=/var/run/kubernetes/etcdca.crt", 111 "--http2-max-streams-per-connection=42", 112 "--kubelet-read-only-port=10255", 113 "--kubelet-timeout=5s", 114 "--kubelet-client-certificate=/var/run/kubernetes/ceserver.crt", 115 "--kubelet-client-key=/var/run/kubernetes/server.key", 116 "--kubelet-certificate-authority=/var/run/kubernetes/caserver.crt", 117 "--tracing-config-file=/var/run/kubernetes/tracing_config.yaml", 118 "--proxy-client-cert-file=/var/run/kubernetes/proxy.crt", 119 "--proxy-client-key-file=/var/run/kubernetes/proxy.key", 120 "--request-timeout=2m", 121 "--storage-backend=etcd3", 122 "--service-cluster-ip-range=192.168.128.0/17", 123 "--lease-reuse-duration-seconds=100", 124 } 125 fs.Parse(args) 126 127 // This is a snapshot of expected options parsed by args. 128 expected := &ServerRunOptions{ 129 Options: &controlplaneapiserver.Options{ 130 GenericServerRunOptions: &apiserveroptions.ServerRunOptions{ 131 AdvertiseAddress: netutils.ParseIPSloppy("192.168.10.10"), 132 CorsAllowedOriginList: []string{"10.10.10.100", "10.10.10.200"}, 133 MaxRequestsInFlight: 400, 134 MaxMutatingRequestsInFlight: 200, 135 RequestTimeout: time.Duration(2) * time.Minute, 136 MinRequestTimeout: 1800, 137 JSONPatchMaxCopyBytes: int64(3 * 1024 * 1024), 138 MaxRequestBodyBytes: int64(3 * 1024 * 1024), 139 }, 140 Admission: &kubeoptions.AdmissionOptions{ 141 GenericAdmission: &apiserveroptions.AdmissionOptions{ 142 RecommendedPluginOrder: s.Options.Admission.GenericAdmission.RecommendedPluginOrder, 143 DefaultOffPlugins: s.Options.Admission.GenericAdmission.DefaultOffPlugins, 144 EnablePlugins: []string{"AlwaysDeny"}, 145 ConfigFile: "/admission-control-config", 146 Plugins: s.Options.Admission.GenericAdmission.Plugins, 147 Decorators: s.Options.Admission.GenericAdmission.Decorators, 148 }, 149 }, 150 Etcd: &apiserveroptions.EtcdOptions{ 151 StorageConfig: storagebackend.Config{ 152 Type: "etcd3", 153 Transport: storagebackend.TransportConfig{ 154 ServerList: nil, 155 KeyFile: "/var/run/kubernetes/etcd.key", 156 TrustedCAFile: "/var/run/kubernetes/etcdca.crt", 157 CertFile: "/var/run/kubernetes/etcdce.crt", 158 TracerProvider: oteltrace.NewNoopTracerProvider(), 159 }, 160 Prefix: "/registry", 161 CompactionInterval: storagebackend.DefaultCompactInterval, 162 CountMetricPollPeriod: time.Minute, 163 DBMetricPollInterval: storagebackend.DefaultDBMetricPollInterval, 164 HealthcheckTimeout: storagebackend.DefaultHealthcheckTimeout, 165 ReadycheckTimeout: storagebackend.DefaultReadinessTimeout, 166 LeaseManagerConfig: etcd3.LeaseManagerConfig{ 167 ReuseDurationSeconds: 100, 168 MaxObjectCount: 1000, 169 }, 170 }, 171 DefaultStorageMediaType: "application/vnd.kubernetes.protobuf", 172 DeleteCollectionWorkers: 1, 173 EnableGarbageCollection: true, 174 EnableWatchCache: true, 175 DefaultWatchCacheSize: 100, 176 }, 177 SecureServing: (&apiserveroptions.SecureServingOptions{ 178 BindAddress: netutils.ParseIPSloppy("192.168.10.20"), 179 BindPort: 6443, 180 ServerCert: apiserveroptions.GeneratableKeyCert{ 181 CertDirectory: "/var/run/kubernetes", 182 PairName: "apiserver", 183 }, 184 HTTP2MaxStreamsPerConnection: 42, 185 Required: true, 186 }).WithLoopback(), 187 EventTTL: 1 * time.Hour, 188 Audit: &apiserveroptions.AuditOptions{ 189 LogOptions: apiserveroptions.AuditLogOptions{ 190 Path: "/var/log", 191 MaxAge: 11, 192 MaxBackups: 12, 193 MaxSize: 13, 194 Format: "json", 195 BatchOptions: apiserveroptions.AuditBatchOptions{ 196 Mode: "blocking", 197 BatchConfig: auditbuffered.BatchConfig{ 198 BufferSize: 46, 199 MaxBatchSize: 47, 200 MaxBatchWait: 48 * time.Second, 201 ThrottleEnable: true, 202 ThrottleQPS: 49.5, 203 ThrottleBurst: 50, 204 }, 205 }, 206 TruncateOptions: apiserveroptions.AuditTruncateOptions{ 207 Enabled: true, 208 TruncateConfig: audittruncate.Config{ 209 MaxBatchSize: 45, 210 MaxEventSize: 44, 211 }, 212 }, 213 GroupVersionString: "audit.k8s.io/v1", 214 }, 215 WebhookOptions: apiserveroptions.AuditWebhookOptions{ 216 ConfigFile: "/webhook-config", 217 BatchOptions: apiserveroptions.AuditBatchOptions{ 218 Mode: "blocking", 219 BatchConfig: auditbuffered.BatchConfig{ 220 BufferSize: 42, 221 MaxBatchSize: 43, 222 MaxBatchWait: 1 * time.Second, 223 ThrottleEnable: false, 224 ThrottleQPS: 43.5, 225 ThrottleBurst: 44, 226 AsyncDelegate: true, 227 }, 228 }, 229 TruncateOptions: apiserveroptions.AuditTruncateOptions{ 230 Enabled: true, 231 TruncateConfig: audittruncate.Config{ 232 MaxBatchSize: 43, 233 MaxEventSize: 42, 234 }, 235 }, 236 InitialBackoff: 2 * time.Second, 237 GroupVersionString: "audit.k8s.io/v1", 238 }, 239 PolicyFile: "/policy", 240 }, 241 Features: &apiserveroptions.FeatureOptions{ 242 EnableProfiling: true, 243 EnableContentionProfiling: true, 244 }, 245 Authentication: &kubeoptions.BuiltInAuthenticationOptions{ 246 Anonymous: &kubeoptions.AnonymousAuthenticationOptions{ 247 Allow: false, 248 }, 249 ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{ 250 ClientCA: "/client-ca", 251 }, 252 WebHook: &kubeoptions.WebHookAuthenticationOptions{ 253 CacheTTL: 180000000000, 254 ConfigFile: "/token-webhook-config", 255 Version: "v1beta1", 256 RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), 257 }, 258 BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{}, 259 OIDC: s.Authentication.OIDC, 260 RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{}, 261 ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{ 262 Lookup: true, 263 ExtendExpiration: true, 264 }, 265 TokenFile: &kubeoptions.TokenFileAuthenticationOptions{}, 266 TokenSuccessCacheTTL: 10 * time.Second, 267 TokenFailureCacheTTL: 0, 268 }, 269 Authorization: &kubeoptions.BuiltInAuthorizationOptions{ 270 Modes: []string{"AlwaysDeny", "RBAC"}, 271 PolicyFile: "/policy", 272 WebhookConfigFile: "/webhook-config", 273 WebhookCacheAuthorizedTTL: 180000000000, 274 WebhookCacheUnauthorizedTTL: 60000000000, 275 WebhookVersion: "v1beta1", 276 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), 277 }, 278 APIEnablement: &apiserveroptions.APIEnablementOptions{ 279 RuntimeConfig: cliflag.ConfigurationMap{}, 280 }, 281 EgressSelector: &apiserveroptions.EgressSelectorOptions{ 282 ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml", 283 }, 284 EnableLogsHandler: false, 285 EnableAggregatorRouting: true, 286 ProxyClientKeyFile: "/var/run/kubernetes/proxy.key", 287 ProxyClientCertFile: "/var/run/kubernetes/proxy.crt", 288 Metrics: &metrics.Options{}, 289 Logs: logs.NewOptions(), 290 Traces: &apiserveroptions.TracingOptions{ 291 ConfigFile: "/var/run/kubernetes/tracing_config.yaml", 292 }, 293 AggregatorRejectForwardingRedirects: true, 294 SystemNamespaces: []string{"kube-system", "kube-public", "default", "kube-node-lease"}, 295 }, 296 297 Extra: Extra{ 298 ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange, 299 ServiceClusterIPRanges: (&net.IPNet{IP: netutils.ParseIPSloppy("192.168.128.0"), Mask: net.CIDRMask(17, 32)}).String(), 300 EndpointReconcilerType: string(reconcilers.LeaseEndpointReconcilerType), 301 AllowPrivileged: false, 302 KubeletConfig: kubeletclient.KubeletClientConfig{ 303 Port: 10250, 304 ReadOnlyPort: 10255, 305 PreferredAddressTypes: []string{ 306 string(kapi.NodeHostName), 307 string(kapi.NodeInternalDNS), 308 string(kapi.NodeInternalIP), 309 string(kapi.NodeExternalDNS), 310 string(kapi.NodeExternalIP), 311 }, 312 HTTPTimeout: time.Duration(5) * time.Second, 313 TLSClientConfig: kubeletclient.KubeletTLSConfig{ 314 CertFile: "/var/run/kubernetes/ceserver.crt", 315 KeyFile: "/var/run/kubernetes/server.key", 316 CAFile: "/var/run/kubernetes/caserver.crt", 317 }, 318 }, 319 MasterCount: 5, 320 }, 321 CloudProvider: &kubeoptions.CloudProviderOptions{ 322 CloudConfigFile: "/cloud-config", 323 CloudProvider: "azure", 324 }, 325 } 326 327 expected.Authentication.OIDC.UsernameClaim = "sub" 328 expected.Authentication.OIDC.SigningAlgs = []string{"RS256"} 329 330 if !s.Authorization.AreLegacyFlagsSet() { 331 t.Errorf("expected legacy authorization flags to be set") 332 } 333 334 // setting the method to nil since methods can't be compared with reflect.DeepEqual 335 s.Authorization.AreLegacyFlagsSet = nil 336 337 if !reflect.DeepEqual(expected, s) { 338 t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", cmp.Diff(expected, s, cmpopts.IgnoreUnexported(admission.Plugins{}, kubeoptions.OIDCAuthenticationOptions{}))) 339 } 340 }