k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/controlplane/apiserver/options/options_test.go (about) 1 /* 2 Copyright 2023 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package options 18 19 import ( 20 "reflect" 21 "testing" 22 "time" 23 24 "github.com/google/go-cmp/cmp" 25 "github.com/google/go-cmp/cmp/cmpopts" 26 "github.com/spf13/pflag" 27 oteltrace "go.opentelemetry.io/otel/trace" 28 29 "k8s.io/apiserver/pkg/admission" 30 apiserveroptions "k8s.io/apiserver/pkg/server/options" 31 "k8s.io/apiserver/pkg/storage/etcd3" 32 "k8s.io/apiserver/pkg/storage/storagebackend" 33 auditbuffered "k8s.io/apiserver/plugin/pkg/audit/buffered" 34 audittruncate "k8s.io/apiserver/plugin/pkg/audit/truncate" 35 cliflag "k8s.io/component-base/cli/flag" 36 "k8s.io/component-base/logs" 37 "k8s.io/component-base/metrics" 38 netutils "k8s.io/utils/net" 39 40 kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options" 41 ) 42 43 func TestAddFlags(t *testing.T) { 44 fs := pflag.NewFlagSet("addflagstest", pflag.PanicOnError) 45 s := NewOptions() 46 var fss cliflag.NamedFlagSets 47 s.AddFlags(&fss) 48 for _, f := range fss.FlagSets { 49 fs.AddFlagSet(f) 50 } 51 52 args := []string{ 53 "--enable-admission-plugins=AlwaysDeny", 54 "--admission-control-config-file=/admission-control-config", 55 "--advertise-address=192.168.10.10", 56 "--anonymous-auth=false", 57 "--audit-log-maxage=11", 58 "--audit-log-maxbackup=12", 59 "--audit-log-maxsize=13", 60 "--audit-log-path=/var/log", 61 "--audit-log-mode=blocking", 62 "--audit-log-batch-buffer-size=46", 63 "--audit-log-batch-max-size=47", 64 "--audit-log-batch-max-wait=48s", 65 "--audit-log-batch-throttle-enable=true", 66 "--audit-log-batch-throttle-qps=49.5", 67 "--audit-log-batch-throttle-burst=50", 68 "--audit-log-truncate-enabled=true", 69 "--audit-log-truncate-max-batch-size=45", 70 "--audit-log-truncate-max-event-size=44", 71 "--audit-log-version=audit.k8s.io/v1", 72 "--audit-policy-file=/policy", 73 "--audit-webhook-config-file=/webhook-config", 74 "--audit-webhook-mode=blocking", 75 "--audit-webhook-batch-buffer-size=42", 76 "--audit-webhook-batch-max-size=43", 77 "--audit-webhook-batch-max-wait=1s", 78 "--audit-webhook-batch-throttle-enable=false", 79 "--audit-webhook-batch-throttle-qps=43.5", 80 "--audit-webhook-batch-throttle-burst=44", 81 "--audit-webhook-truncate-enabled=true", 82 "--audit-webhook-truncate-max-batch-size=43", 83 "--audit-webhook-truncate-max-event-size=42", 84 "--audit-webhook-initial-backoff=2s", 85 "--audit-webhook-version=audit.k8s.io/v1", 86 "--authentication-token-webhook-cache-ttl=3m", 87 "--authentication-token-webhook-config-file=/token-webhook-config", 88 "--authorization-mode=AlwaysDeny,RBAC", 89 "--authorization-policy-file=/policy", 90 "--authorization-webhook-cache-authorized-ttl=3m", 91 "--authorization-webhook-cache-unauthorized-ttl=1m", 92 "--authorization-webhook-config-file=/webhook-config", 93 "--bind-address=192.168.10.20", 94 "--client-ca-file=/client-ca", 95 "--cors-allowed-origins=10.10.10.100,10.10.10.200", 96 "--contention-profiling=true", 97 "--egress-selector-config-file=/var/run/kubernetes/egress-selector/connectivity.yaml", 98 "--enable-aggregator-routing=true", 99 "--enable-priority-and-fairness=false", 100 "--enable-logs-handler=false", 101 "--etcd-keyfile=/var/run/kubernetes/etcd.key", 102 "--etcd-certfile=/var/run/kubernetes/etcdce.crt", 103 "--etcd-cafile=/var/run/kubernetes/etcdca.crt", 104 "--http2-max-streams-per-connection=42", 105 "--tracing-config-file=/var/run/kubernetes/tracing_config.yaml", 106 "--proxy-client-cert-file=/var/run/kubernetes/proxy.crt", 107 "--proxy-client-key-file=/var/run/kubernetes/proxy.key", 108 "--request-timeout=2m", 109 "--storage-backend=etcd3", 110 "--lease-reuse-duration-seconds=100", 111 } 112 fs.Parse(args) 113 114 // This is a snapshot of expected options parsed by args. 115 expected := &Options{ 116 GenericServerRunOptions: &apiserveroptions.ServerRunOptions{ 117 AdvertiseAddress: netutils.ParseIPSloppy("192.168.10.10"), 118 CorsAllowedOriginList: []string{"10.10.10.100", "10.10.10.200"}, 119 MaxRequestsInFlight: 400, 120 MaxMutatingRequestsInFlight: 200, 121 RequestTimeout: time.Duration(2) * time.Minute, 122 MinRequestTimeout: 1800, 123 JSONPatchMaxCopyBytes: int64(3 * 1024 * 1024), 124 MaxRequestBodyBytes: int64(3 * 1024 * 1024), 125 }, 126 Admission: &kubeoptions.AdmissionOptions{ 127 GenericAdmission: &apiserveroptions.AdmissionOptions{ 128 RecommendedPluginOrder: s.Admission.GenericAdmission.RecommendedPluginOrder, 129 DefaultOffPlugins: s.Admission.GenericAdmission.DefaultOffPlugins, 130 EnablePlugins: []string{"AlwaysDeny"}, 131 ConfigFile: "/admission-control-config", 132 Plugins: s.Admission.GenericAdmission.Plugins, 133 Decorators: s.Admission.GenericAdmission.Decorators, 134 }, 135 }, 136 Etcd: &apiserveroptions.EtcdOptions{ 137 StorageConfig: storagebackend.Config{ 138 Type: "etcd3", 139 Transport: storagebackend.TransportConfig{ 140 ServerList: nil, 141 KeyFile: "/var/run/kubernetes/etcd.key", 142 TrustedCAFile: "/var/run/kubernetes/etcdca.crt", 143 CertFile: "/var/run/kubernetes/etcdce.crt", 144 TracerProvider: oteltrace.NewNoopTracerProvider(), 145 }, 146 Prefix: "/registry", 147 CompactionInterval: storagebackend.DefaultCompactInterval, 148 CountMetricPollPeriod: time.Minute, 149 DBMetricPollInterval: storagebackend.DefaultDBMetricPollInterval, 150 HealthcheckTimeout: storagebackend.DefaultHealthcheckTimeout, 151 ReadycheckTimeout: storagebackend.DefaultReadinessTimeout, 152 LeaseManagerConfig: etcd3.LeaseManagerConfig{ 153 ReuseDurationSeconds: 100, 154 MaxObjectCount: 1000, 155 }, 156 }, 157 DefaultStorageMediaType: "application/vnd.kubernetes.protobuf", 158 DeleteCollectionWorkers: 1, 159 EnableGarbageCollection: true, 160 EnableWatchCache: true, 161 DefaultWatchCacheSize: 100, 162 }, 163 SecureServing: (&apiserveroptions.SecureServingOptions{ 164 BindAddress: netutils.ParseIPSloppy("192.168.10.20"), 165 BindPort: 6443, 166 ServerCert: apiserveroptions.GeneratableKeyCert{ 167 CertDirectory: "/var/run/kubernetes", 168 PairName: "apiserver", 169 }, 170 HTTP2MaxStreamsPerConnection: 42, 171 Required: true, 172 }).WithLoopback(), 173 EventTTL: 1 * time.Hour, 174 Audit: &apiserveroptions.AuditOptions{ 175 LogOptions: apiserveroptions.AuditLogOptions{ 176 Path: "/var/log", 177 MaxAge: 11, 178 MaxBackups: 12, 179 MaxSize: 13, 180 Format: "json", 181 BatchOptions: apiserveroptions.AuditBatchOptions{ 182 Mode: "blocking", 183 BatchConfig: auditbuffered.BatchConfig{ 184 BufferSize: 46, 185 MaxBatchSize: 47, 186 MaxBatchWait: 48 * time.Second, 187 ThrottleEnable: true, 188 ThrottleQPS: 49.5, 189 ThrottleBurst: 50, 190 }, 191 }, 192 TruncateOptions: apiserveroptions.AuditTruncateOptions{ 193 Enabled: true, 194 TruncateConfig: audittruncate.Config{ 195 MaxBatchSize: 45, 196 MaxEventSize: 44, 197 }, 198 }, 199 GroupVersionString: "audit.k8s.io/v1", 200 }, 201 WebhookOptions: apiserveroptions.AuditWebhookOptions{ 202 ConfigFile: "/webhook-config", 203 BatchOptions: apiserveroptions.AuditBatchOptions{ 204 Mode: "blocking", 205 BatchConfig: auditbuffered.BatchConfig{ 206 BufferSize: 42, 207 MaxBatchSize: 43, 208 MaxBatchWait: 1 * time.Second, 209 ThrottleEnable: false, 210 ThrottleQPS: 43.5, 211 ThrottleBurst: 44, 212 AsyncDelegate: true, 213 }, 214 }, 215 TruncateOptions: apiserveroptions.AuditTruncateOptions{ 216 Enabled: true, 217 TruncateConfig: audittruncate.Config{ 218 MaxBatchSize: 43, 219 MaxEventSize: 42, 220 }, 221 }, 222 InitialBackoff: 2 * time.Second, 223 GroupVersionString: "audit.k8s.io/v1", 224 }, 225 PolicyFile: "/policy", 226 }, 227 Features: &apiserveroptions.FeatureOptions{ 228 EnableProfiling: true, 229 EnableContentionProfiling: true, 230 }, 231 Authentication: &kubeoptions.BuiltInAuthenticationOptions{ 232 Anonymous: &kubeoptions.AnonymousAuthenticationOptions{ 233 Allow: false, 234 }, 235 ClientCert: &apiserveroptions.ClientCertAuthenticationOptions{ 236 ClientCA: "/client-ca", 237 }, 238 WebHook: &kubeoptions.WebHookAuthenticationOptions{ 239 CacheTTL: 180000000000, 240 ConfigFile: "/token-webhook-config", 241 Version: "v1beta1", 242 RetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), 243 }, 244 BootstrapToken: &kubeoptions.BootstrapTokenAuthenticationOptions{}, 245 OIDC: s.Authentication.OIDC, 246 RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{}, 247 ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{ 248 Lookup: true, 249 ExtendExpiration: true, 250 }, 251 TokenFile: &kubeoptions.TokenFileAuthenticationOptions{}, 252 TokenSuccessCacheTTL: 10 * time.Second, 253 TokenFailureCacheTTL: 0, 254 }, 255 Authorization: &kubeoptions.BuiltInAuthorizationOptions{ 256 Modes: []string{"AlwaysDeny", "RBAC"}, 257 PolicyFile: "/policy", 258 WebhookConfigFile: "/webhook-config", 259 WebhookCacheAuthorizedTTL: 180000000000, 260 WebhookCacheUnauthorizedTTL: 60000000000, 261 WebhookVersion: "v1beta1", 262 WebhookRetryBackoff: apiserveroptions.DefaultAuthWebhookRetryBackoff(), 263 }, 264 APIEnablement: &apiserveroptions.APIEnablementOptions{ 265 RuntimeConfig: cliflag.ConfigurationMap{}, 266 }, 267 EgressSelector: &apiserveroptions.EgressSelectorOptions{ 268 ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml", 269 }, 270 EnableLogsHandler: false, 271 EnableAggregatorRouting: true, 272 ProxyClientKeyFile: "/var/run/kubernetes/proxy.key", 273 ProxyClientCertFile: "/var/run/kubernetes/proxy.crt", 274 Metrics: &metrics.Options{}, 275 Logs: logs.NewOptions(), 276 Traces: &apiserveroptions.TracingOptions{ 277 ConfigFile: "/var/run/kubernetes/tracing_config.yaml", 278 }, 279 AggregatorRejectForwardingRedirects: true, 280 SystemNamespaces: []string{"kube-system", "kube-public", "default"}, 281 } 282 283 expected.Authentication.OIDC.UsernameClaim = "sub" 284 expected.Authentication.OIDC.SigningAlgs = []string{"RS256"} 285 286 if !s.Authorization.AreLegacyFlagsSet() { 287 t.Errorf("expected legacy authorization flags to be set") 288 } 289 // setting the method to nil since methods can't be compared with reflect.DeepEqual 290 s.Authorization.AreLegacyFlagsSet = nil 291 292 if !reflect.DeepEqual(expected, s) { 293 t.Errorf("Got different run options than expected.\nDifference detected on:\n%s", cmp.Diff(expected, s, cmpopts.IgnoreUnexported(admission.Plugins{}, kubeoptions.OIDCAuthenticationOptions{}))) 294 } 295 }