k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/controlplane/apiserver/options/validation.go

k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/pkg/controlplane/apiserver/options/validation.go (about)

     1  /*
     2  Copyright 2023 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package options
    18  
    19  import (
    20  	"errors"
    21  	"fmt"
    22  	"strings"
    23  
    24  	apiextensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver"
    25  	genericfeatures "k8s.io/apiserver/pkg/features"
    26  	utilfeature "k8s.io/apiserver/pkg/util/feature"
    27  	aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
    28  	"k8s.io/kubernetes/pkg/features"
    29  
    30  	"k8s.io/kubernetes/pkg/api/legacyscheme"
    31  )
    32  
    33  func validateTokenRequest(options *Options) []error {
    34  	var errs []error
    35  
    36  	enableAttempted := options.ServiceAccountSigningKeyFile != "" ||
    37  		(len(options.Authentication.ServiceAccounts.Issuers) != 0 && options.Authentication.ServiceAccounts.Issuers[0] != "") ||
    38  		len(options.Authentication.APIAudiences) != 0
    39  
    40  	enableSucceeded := options.ServiceAccountIssuer != nil
    41  
    42  	if !enableAttempted {
    43  		errs = append(errs, errors.New("--service-account-signing-key-file and --service-account-issuer are required flags"))
    44  	}
    45  
    46  	if enableAttempted && !enableSucceeded {
    47  		errs = append(errs, errors.New("--service-account-signing-key-file, --service-account-issuer, and --api-audiences should be specified together"))
    48  	}
    49  
    50  	return errs
    51  }
    52  
    53  func validateAPIPriorityAndFairness(options *Options) []error {
    54  	if options.Features.EnablePriorityAndFairness {
    55  		// If none of the following runtime config options are specified,
    56  		// APF is assumed to be turned on. The internal APF controller uses
    57  		// v1 so it should be enabled.
    58  		enabledAPIString := options.APIEnablement.RuntimeConfig.String()
    59  		testConfigs := []string{"flowcontrol.apiserver.k8s.io/v1", "api/ga", "api/all"} // in the order of precedence
    60  		for _, testConfig := range testConfigs {
    61  			if strings.Contains(enabledAPIString, fmt.Sprintf("%s=false", testConfig)) {
    62  				return []error{fmt.Errorf("--runtime-config=%s=false conflicts with --enable-priority-and-fairness=true", testConfig)}
    63  			}
    64  			if strings.Contains(enabledAPIString, fmt.Sprintf("%s=true", testConfig)) {
    65  				return nil
    66  			}
    67  		}
    68  	}
    69  
    70  	return nil
    71  }
    72  
    73  func validateUnknownVersionInteroperabilityProxyFeature() []error {
    74  	if utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
    75  		if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StorageVersionAPI) {
    76  			return nil
    77  		}
    78  		return []error{fmt.Errorf("UnknownVersionInteroperabilityProxy feature requires StorageVersionAPI feature flag to be enabled")}
    79  	}
    80  	return nil
    81  }
    82  
    83  func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error {
    84  	err := []error{}
    85  	if !utilfeature.DefaultFeatureGate.Enabled(features.UnknownVersionInteroperabilityProxy) {
    86  		if options.PeerCAFile != "" {
    87  			err = append(err, fmt.Errorf("--peer-ca-file requires UnknownVersionInteroperabilityProxy feature to be turned on"))
    88  		}
    89  		if options.PeerAdvertiseAddress.PeerAdvertiseIP != "" {
    90  			err = append(err, fmt.Errorf("--peer-advertise-ip requires UnknownVersionInteroperabilityProxy feature to be turned on"))
    91  		}
    92  		if options.PeerAdvertiseAddress.PeerAdvertisePort != "" {
    93  			err = append(err, fmt.Errorf("--peer-advertise-port requires UnknownVersionInteroperabilityProxy feature to be turned on"))
    94  		}
    95  	}
    96  	return err
    97  }
    98  
    99  // Validate checks Options and return a slice of found errs.
   100  func (s *Options) Validate() []error {
   101  	var errs []error
   102  
   103  	errs = append(errs, s.Etcd.Validate()...)
   104  	errs = append(errs, validateAPIPriorityAndFairness(s)...)
   105  	errs = append(errs, s.SecureServing.Validate()...)
   106  	errs = append(errs, s.Authentication.Validate()...)
   107  	errs = append(errs, s.Authorization.Validate()...)
   108  	errs = append(errs, s.Audit.Validate()...)
   109  	errs = append(errs, s.Admission.Validate()...)
   110  	errs = append(errs, s.APIEnablement.Validate(legacyscheme.Scheme, apiextensionsapiserver.Scheme, aggregatorscheme.Scheme)...)
   111  	errs = append(errs, validateTokenRequest(s)...)
   112  	errs = append(errs, s.Metrics.Validate()...)
   113  	errs = append(errs, validateUnknownVersionInteroperabilityProxyFeature()...)
   114  	errs = append(errs, validateUnknownVersionInteroperabilityProxyFlags(s)...)
   115  
   116  	return errs
   117  }