upstream/kubernetes
1
0
Fork 0
mirror of https://github.com/kubernetes/kubernetes.git synced 2026-03-10 18:40:55 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
kubernetes/pkg/kubectl/cmd/proxy/proxy.go

164 lines
6.5 KiB
Go
Raw Normal View History

kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
/*
Remove "All rights reserved" from all the headers.
2016-06-02 20:25:58 -04:00
Copyright 2014 The Kubernetes Authors.
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Move each kubectl command to a separate directory
2018-10-05 07:06:12 -04:00
package proxy
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
import (
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
"errors"
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
"fmt"
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
"io"
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
"net"
Log warning when invalid dir passed to kubectl proxy --www
2017-04-26 05:53:54 -04:00
"os"
kubectl proxy: make static prefix configurable
2015-02-04 04:31:39 -05:00
"strings"
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
"github.com/spf13/cobra"
Create cli-runtime staging repository
2018-08-21 06:46:39 -04:00
"k8s.io/cli-runtime/pkg/genericclioptions"
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
"k8s.io/klog"
run gofmt on everything we touched
2015-08-05 18:05:17 -04:00
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
Ensure proxy server code is logically distinct
2017-07-12 23:21:03 -04:00
"k8s.io/kubernetes/pkg/kubectl/proxy"
move i18n to kubectl/util
2017-07-07 00:04:11 -04:00
"k8s.io/kubernetes/pkg/kubectl/util/i18n"
Move pkg/kubectl/cmd/templates -> pkg/kubectl/util/temlpates
2018-10-10 14:29:30 -04:00
"k8s.io/kubernetes/pkg/kubectl/util/templates"
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
)
Use dedent for the kubectl commands The one side effect is that for the "kubectl help" commands a newline is prepended to output, which will alter the yaml output. Here we use dedent to format the code to match the output. hack/update-generated-docs.sh has been run and the affected files have been added. Note: for describe.go we added a period to the end of an output message.
2016-05-20 13:49:56 -04:00
var (
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn> rename variables to make sure that they conform to golang variable name convention
2017-02-15 22:47:00 -05:00
defaultPort = 8001
proxyLong = templates.LongDesc(i18n.T(`
Move each kubectl command to a separate directory
2018-10-05 07:06:12 -04:00
Creates a proxy server or application-level gateway between localhost and
the Kubernetes API Server. It also allows serving static content over specified
HTTP path. All incoming data enters through one port and gets forwarded to
kubectl: fixes issues #45736 and #45737 Adds long description from #45902
2017-05-13 18:03:23 -04:00
the remote kubernetes API Server port, except for the path matching the static content path.`))
proxyExample = templates.Examples(i18n.T(`
# To proxy all of the kubernetes api and nothing else, use:
Use our own normalizers for cmd examples and descriptions
2016-10-07 18:24:42 -04:00
$ kubectl proxy --api-prefix=/
kubectl: fixes issues #45736 and #45737 Adds long description from #45902
2017-05-13 18:03:23 -04:00
# To proxy only part of the kubernetes api and also some static files:
Use our own normalizers for cmd examples and descriptions
2016-10-07 18:24:42 -04:00
$ kubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
kubectl: fixes issues #45736 and #45737 Adds long description from #45902
2017-05-13 18:03:23 -04:00
# The above lets you 'curl localhost:8001/api/v1/pods'.
Use our own normalizers for cmd examples and descriptions
2016-10-07 18:24:42 -04:00
kubectl: fixes issues #45736 and #45737 Adds long description from #45902
2017-05-13 18:03:23 -04:00
# To proxy the entire kubernetes api at a different root, use:
Use our own normalizers for cmd examples and descriptions
2016-10-07 18:24:42 -04:00
$ kubectl proxy --api-prefix=/custom/
kubectl: fixes issues #45736 and #45737 Adds long description from #45902
2017-05-13 18:03:23 -04:00
# The above lets you 'curl localhost:8001/custom/api/v1/pods'
Use our own normalizers for cmd examples and descriptions
2016-10-07 18:24:42 -04:00
Use dedent for the kubectl commands The one side effect is that for the "kubectl help" commands a newline is prepended to output, which will alter the yaml output. Here we use dedent to format the code to match the output. hack/update-generated-docs.sh has been run and the affected files have been added. Note: for describe.go we added a period to the end of an output message.
2016-05-20 13:49:56 -04:00
# Run a proxy to kubernetes apiserver on port 8011, serving static content from ./local/www/
kubectl proxy --port=8011 --www=./local/www/
Fix md generation for kubectl docs Display usage string, not long help, as code, remove angle brackets from output (.md interprets as tags and hides).
2015-03-11 13:22:08 -04:00
Use dedent for the kubectl commands The one side effect is that for the "kubectl help" commands a newline is prepended to output, which will alter the yaml output. Here we use dedent to format the code to match the output. hack/update-generated-docs.sh has been run and the affected files have been added. Note: for describe.go we added a period to the end of an output message.
2016-05-20 13:49:56 -04:00
# Run a proxy to kubernetes apiserver on an arbitrary local port.
# The chosen port for the server will be output to stdout.
kubectl proxy --port=0
Make `kubectl proxy` support picking a random port
2015-07-07 01:04:39 -04:00
Use dedent for the kubectl commands The one side effect is that for the "kubectl help" commands a newline is prepended to output, which will alter the yaml output. Here we use dedent to format the code to match the output. hack/update-generated-docs.sh has been run and the affected files have been added. Note: for describe.go we added a period to the end of an output message.
2016-05-20 13:49:56 -04:00
# Run a proxy to kubernetes apiserver, changing the api prefix to k8s-api
fix typo in `kubectl proxy` command line help fixed port from 8011 to 8001 (the default) because in that particular line no specific port is specified and thus the default is going to be used.
2016-11-29 06:54:48 -05:00
# This makes e.g. the pods api available at localhost:8001/k8s-api/v1/pods/
Extract a bunch more strings from kubectl
2017-03-14 23:49:10 -04:00
kubectl proxy --api-prefix=/k8s-api`))
Fix md generation for kubectl docs Display usage string, not long help, as code, remove angle brackets from output (.md interprets as tags and hides).
2015-03-11 13:22:08 -04:00
)
use IOStreams for cli commands
2018-05-08 09:02:34 -04:00
func NewCmdProxy(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command {
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
cmd := &cobra.Command{
Update gofmt for go1.11
2018-10-05 15:59:38 -04:00
Use: "proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix]",
some code change fix wrong required flags disable the addition of [flags] to the usage, use customized useline fix function rename
2017-10-11 02:26:02 -04:00
DisableFlagsInUseLine: true,
Update gofmt for go1.11
2018-10-05 15:59:38 -04:00
Short: i18n.T("Run a proxy to the Kubernetes API server"),
Long: proxyLong,
Example: proxyExample,
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
Run: func(cmd *cobra.Command, args []string) {
use IOStreams for cli commands
2018-05-08 09:02:34 -04:00
err := RunProxy(f, streams.Out, cmd)
refactor to move kubectl.cmd.Factory to kubect/cmd/util
2015-04-07 14:21:25 -04:00
cmdutil.CheckErr(err)
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
},
}
Clean up kubectl help for auto-gen'd kubectl.md
2015-02-03 12:59:21 -05:00
cmd.Flags().StringP("www", "w", "", "Also serve static files from the given directory under the specified prefix.")
cmd.Flags().StringP("www-prefix", "P", "/static/", "Prefix to serve static files under, if static file directory is specified.")
Change kubectl proxy --api-prefix default to allow /apis/
2015-10-09 15:02:16 -04:00
cmd.Flags().StringP("api-prefix", "", "/", "Prefix to serve the proxied API under.")
Ensure proxy server code is logically distinct
2017-07-12 23:21:03 -04:00
cmd.Flags().String("accept-paths", proxy.DefaultPathAcceptRE, "Regular expression for paths that the proxy should accept.")
cmd.Flags().String("reject-paths", proxy.DefaultPathRejectRE, "Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by --accept-paths.")
cmd.Flags().String("accept-hosts", proxy.DefaultHostAcceptRE, "Regular expression for hosts that the proxy should accept.")
cmd.Flags().String("reject-methods", proxy.DefaultMethodRejectRE, "Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH'). ")
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn> rename variables to make sure that they conform to golang variable name convention
2017-02-15 22:47:00 -05:00
cmd.Flags().IntP("port", "p", defaultPort, "The port on which to run the proxy. Set to 0 to pick a random port.")
Add --address to kubectl proxy
2015-09-30 06:14:00 -04:00
cmd.Flags().StringP("address", "", "127.0.0.1", "The IP address on which to serve on.")
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
cmd.Flags().Bool("disable-filter", false, "If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.")
cmd.Flags().StringP("unix-socket", "u", "", "Unix socket on which to run the proxy.")
Enable kubectl proxy to set tcp keepalive
2018-05-14 08:11:43 -04:00
cmd.Flags().Duration("keepalive", 0, "keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive.")
kubectl: kubecfg rewrite for better modularity and improved UX
2014-10-05 21:24:19 -04:00
return cmd
}
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
update various commands to adapt the new Factory interface
2016-10-12 20:18:39 -04:00
func RunProxy(f cmdutil.Factory, out io.Writer, cmd *cobra.Command) error {
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
path := cmdutil.GetFlagString(cmd, "unix-socket")
refactor to move kubectl.cmd.Factory to kubect/cmd/util
2015-04-07 14:21:25 -04:00
port := cmdutil.GetFlagInt(cmd, "port")
Add --address to kubectl proxy
2015-09-30 06:14:00 -04:00
address := cmdutil.GetFlagString(cmd, "address")
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
Signed-off-by: bruceauyeung <ouyang.qinhua@zte.com.cn> rename variables to make sure that they conform to golang variable name convention
2017-02-15 22:47:00 -05:00
if port != defaultPort && path != "" {
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
return errors.New("Don't specify both --unix-socket and --port")
}
update factory interface to overlap with lower RESTClientGetter
2018-05-16 10:54:42 -04:00
clientConfig, err := f.ToRESTConfig()
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
if err != nil {
return err
}
refactor to move kubectl.cmd.Factory to kubect/cmd/util
2015-04-07 14:21:25 -04:00
staticPrefix := cmdutil.GetFlagString(cmd, "www-prefix")
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
if !strings.HasSuffix(staticPrefix, "/") {
staticPrefix += "/"
}
Log warning when invalid dir passed to kubectl proxy --www
2017-04-26 05:53:54 -04:00
staticDir := cmdutil.GetFlagString(cmd, "www")
if staticDir != "" {
fileInfo, err := os.Stat(staticDir)
if err != nil {
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
klog.Warning("Failed to stat static file directory "+staticDir+": ", err)
Log warning when invalid dir passed to kubectl proxy --www
2017-04-26 05:53:54 -04:00
} else if !fileInfo.IsDir() {
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
klog.Warning("Static file directory " + staticDir + " is not a directory")
Log warning when invalid dir passed to kubectl proxy --www
2017-04-26 05:53:54 -04:00
}
}
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
refactor to move kubectl.cmd.Factory to kubect/cmd/util
2015-04-07 14:21:25 -04:00
apiProxyPrefix := cmdutil.GetFlagString(cmd, "api-prefix")
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
if !strings.HasSuffix(apiProxyPrefix, "/") {
apiProxyPrefix += "/"
}
Ensure proxy server code is logically distinct
2017-07-12 23:21:03 -04:00
filter := &proxy.FilterServer{
AcceptPaths: proxy.MakeRegexpArrayOrDie(cmdutil.GetFlagString(cmd, "accept-paths")),
RejectPaths: proxy.MakeRegexpArrayOrDie(cmdutil.GetFlagString(cmd, "reject-paths")),
AcceptHosts: proxy.MakeRegexpArrayOrDie(cmdutil.GetFlagString(cmd, "accept-hosts")),
RejectMethods: proxy.MakeRegexpArrayOrDie(cmdutil.GetFlagString(cmd, "reject-methods")),
Add some XSRF protection to kubectl proxy.
2015-06-04 19:21:11 -04:00
}
if cmdutil.GetFlagBool(cmd, "disable-filter") {
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
if path == "" {
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
klog.Warning("Request filter disabled, your proxy is vulnerable to XSRF attacks, please be cautious")
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
}
Add some XSRF protection to kubectl proxy.
2015-06-04 19:21:11 -04:00
filter = nil
}
Enable kubectl proxy to set tcp keepalive
2018-05-14 08:11:43 -04:00
keepalive := cmdutil.GetFlagDuration(cmd, "keepalive")
server, err := proxy.NewServer(staticDir, apiProxyPrefix, staticPrefix, filter, clientConfig, keepalive)
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
Make `kubectl proxy` support picking a random port
2015-07-07 01:04:39 -04:00
// Separate listening from serving so we can report the bound port
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
// when it is chosen by os (eg: port == 0)
var l net.Listener
if path == "" {
Add --address to kubectl proxy
2015-09-30 06:14:00 -04:00
l, err = server.Listen(address, port)
kubectl: Add proxy --unix-socket=/file/path option Proxies on a TCP port are accessible outside the current security context (eg: uid). Add support for having the proxy listen on a unix socket, which has permissions applied to it. We make sure the socket starts its life only accessible by the current user using Umask. This is useful for applications like Cockpit and other tools which want the help of kubectl to handle authentication, configuration and transport security, but also want to not make that accessible to all users on a multi-user system.
2015-07-01 04:17:53 -04:00
} else {
l, err = server.ListenUnix(path)
}
Make `kubectl proxy` support picking a random port
2015-07-07 01:04:39 -04:00
if err != nil {
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
klog.Fatal(err)
Make `kubectl proxy` support picking a random port
2015-07-07 01:04:39 -04:00
}
Use the UpgradeAwareProxy in `kubectl proxy` Requires a separate transport that is guaranteed not to be HTTP/2 for exec/attach/portforward, because otherwise the Go client attempts to upgrade us to HTTP/2 first.
2017-07-24 23:37:19 -04:00
fmt.Fprintf(out, "Starting to serve on %s\n", l.Addr().String())
Move from glog to klog - Move from the old github.com/golang/glog to k8s.io/klog - klog as explicit InitFlags() so we add them as necessary - we update the other repositories that we vendor that made a similar change from glog to klog * github.com/kubernetes/repo-infra * k8s.io/gengo/ * k8s.io/kube-openapi/ * github.com/google/cadvisor - Entirely remove all references to glog - Fix some tests by explicit InitFlags in their init() methods Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
2018-11-09 13:49:10 -05:00
klog.Fatal(server.ServeOnListener(l))
Make kubectl commands return errors and centralize exit handling
2015-03-09 18:08:16 -04:00
return nil
}
Reference in a new issue Copy permalink