git subrepo clone (merge) https://github.com/kubernetes-incubator/metrics-server.git metrics-server
subrepo:
subdir: "metrics-server"
merged: "92d8412"
upstream:
origin: "https://github.com/kubernetes-incubator/metrics-server.git"
branch: "master"
commit: "92d8412"
git-subrepo:
version: "0.4.0"
origin: "???"
commit: "???"
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
new file mode 100644
index 0000000..95ade00
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/interfaces.go
@@ -0,0 +1,158 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+import (
+ "net/http"
+
+ "k8s.io/apiserver/pkg/authentication/user"
+)
+
+// Attributes is an interface used by an Authorizer to get information about a request
+// that is used to make an authorization decision.
+type Attributes interface {
+ // GetUser returns the user.Info object to authorize
+ GetUser() user.Info
+
+ // GetVerb returns the kube verb associated with API requests (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy),
+ // or the lowercased HTTP verb associated with non-API requests (this includes get, put, post, patch, and delete)
+ GetVerb() string
+
+ // When IsReadOnly() == true, the request has no side effects, other than
+ // caching, logging, and other incidentals.
+ IsReadOnly() bool
+
+ // The namespace of the object, if a request is for a REST object.
+ GetNamespace() string
+
+ // The kind of object, if a request is for a REST object.
+ GetResource() string
+
+ // GetSubresource returns the subresource being requested, if present
+ GetSubresource() string
+
+ // GetName returns the name of the object as parsed off the request. This will not be present for all request types, but
+ // will be present for: get, update, delete
+ GetName() string
+
+ // The group of the resource, if a request is for a REST object.
+ GetAPIGroup() string
+
+ // GetAPIVersion returns the version of the group requested, if a request is for a REST object.
+ GetAPIVersion() string
+
+ // IsResourceRequest returns true for requests to API resources, like /api/v1/nodes,
+ // and false for non-resource endpoints like /api, /healthz, and /swaggerapi
+ IsResourceRequest() bool
+
+ // GetPath returns the path of the request
+ GetPath() string
+}
+
+// Authorizer makes an authorization decision based on information gained by making
+// zero or more calls to methods of the Attributes interface. It returns nil when an action is
+// authorized, otherwise it returns an error.
+type Authorizer interface {
+ Authorize(a Attributes) (authorized Decision, reason string, err error)
+}
+
+type AuthorizerFunc func(a Attributes) (Decision, string, error)
+
+func (f AuthorizerFunc) Authorize(a Attributes) (Decision, string, error) {
+ return f(a)
+}
+
+// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
+type RuleResolver interface {
+ // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors.
+ RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
+}
+
+// RequestAttributesGetter provides a function that extracts Attributes from an http.Request
+type RequestAttributesGetter interface {
+ GetRequestAttributes(user.Info, *http.Request) Attributes
+}
+
+// AttributesRecord implements Attributes interface.
+type AttributesRecord struct {
+ User user.Info
+ Verb string
+ Namespace string
+ APIGroup string
+ APIVersion string
+ Resource string
+ Subresource string
+ Name string
+ ResourceRequest bool
+ Path string
+}
+
+func (a AttributesRecord) GetUser() user.Info {
+ return a.User
+}
+
+func (a AttributesRecord) GetVerb() string {
+ return a.Verb
+}
+
+func (a AttributesRecord) IsReadOnly() bool {
+ return a.Verb == "get" || a.Verb == "list" || a.Verb == "watch"
+}
+
+func (a AttributesRecord) GetNamespace() string {
+ return a.Namespace
+}
+
+func (a AttributesRecord) GetResource() string {
+ return a.Resource
+}
+
+func (a AttributesRecord) GetSubresource() string {
+ return a.Subresource
+}
+
+func (a AttributesRecord) GetName() string {
+ return a.Name
+}
+
+func (a AttributesRecord) GetAPIGroup() string {
+ return a.APIGroup
+}
+
+func (a AttributesRecord) GetAPIVersion() string {
+ return a.APIVersion
+}
+
+func (a AttributesRecord) IsResourceRequest() bool {
+ return a.ResourceRequest
+}
+
+func (a AttributesRecord) GetPath() string {
+ return a.Path
+}
+
+type Decision int
+
+const (
+ // DecisionDeny means that an authorizer decided to deny the action.
+ DecisionDeny Decision = iota
+ // DecisionAllow means that an authorizer decided to allow the action.
+ DecisionAllow
+ // DecisionNoOpionion means that an authorizer has no opinion on whether
+ // to allow or deny an action.
+ DecisionNoOpinion
+)
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/rule.go b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/rule.go
new file mode 100644
index 0000000..8f7d9d9
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizer/rule.go
@@ -0,0 +1,73 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizer
+
+type ResourceRuleInfo interface {
+ // GetVerbs returns a list of kubernetes resource API verbs.
+ GetVerbs() []string
+ // GetAPIGroups return the names of the APIGroup that contains the resources.
+ GetAPIGroups() []string
+ // GetResources return a list of resources the rule applies to.
+ GetResources() []string
+ // GetResourceNames return a white list of names that the rule applies to.
+ GetResourceNames() []string
+}
+
+// DefaultResourceRuleInfo holds information that describes a rule for the resource
+type DefaultResourceRuleInfo struct {
+ Verbs []string
+ APIGroups []string
+ Resources []string
+ ResourceNames []string
+}
+
+func (i *DefaultResourceRuleInfo) GetVerbs() []string {
+ return i.Verbs
+}
+
+func (i *DefaultResourceRuleInfo) GetAPIGroups() []string {
+ return i.APIGroups
+}
+
+func (i *DefaultResourceRuleInfo) GetResources() []string {
+ return i.Resources
+}
+
+func (i *DefaultResourceRuleInfo) GetResourceNames() []string {
+ return i.ResourceNames
+}
+
+type NonResourceRuleInfo interface {
+ // GetVerbs returns a list of kubernetes resource API verbs.
+ GetVerbs() []string
+ // GetNonResourceURLs return a set of partial urls that a user should have access to.
+ GetNonResourceURLs() []string
+}
+
+// DefaultNonResourceRuleInfo holds information that describes a rule for the non-resource
+type DefaultNonResourceRuleInfo struct {
+ Verbs []string
+ NonResourceURLs []string
+}
+
+func (i *DefaultNonResourceRuleInfo) GetVerbs() []string {
+ return i.Verbs
+}
+
+func (i *DefaultNonResourceRuleInfo) GetNonResourceURLs() []string {
+ return i.NonResourceURLs
+}
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
new file mode 100755
index 0000000..63cf972
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/OWNERS
@@ -0,0 +1,4 @@
+reviewers:
+- deads2k
+- dims
+- ericchiang
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
new file mode 100644
index 0000000..fc36bc0
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/builtin.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizerfactory
+
+import (
+ "errors"
+
+ "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// alwaysAllowAuthorizer is an implementation of authorizer.Attributes
+// which always says yes to an authorization request.
+// It is useful in tests and when using kubernetes in an open manner.
+type alwaysAllowAuthorizer struct{}
+
+func (alwaysAllowAuthorizer) Authorize(a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+ return authorizer.DecisionAllow, "", nil
+}
+
+func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+ return []authorizer.ResourceRuleInfo{
+ &authorizer.DefaultResourceRuleInfo{
+ Verbs: []string{"*"},
+ APIGroups: []string{"*"},
+ Resources: []string{"*"},
+ },
+ }, []authorizer.NonResourceRuleInfo{
+ &authorizer.DefaultNonResourceRuleInfo{
+ Verbs: []string{"*"},
+ NonResourceURLs: []string{"*"},
+ },
+ }, false, nil
+}
+
+func NewAlwaysAllowAuthorizer() *alwaysAllowAuthorizer {
+ return new(alwaysAllowAuthorizer)
+}
+
+// alwaysDenyAuthorizer is an implementation of authorizer.Attributes
+// which always says no to an authorization request.
+// It is useful in unit tests to force an operation to be forbidden.
+type alwaysDenyAuthorizer struct{}
+
+func (alwaysDenyAuthorizer) Authorize(a authorizer.Attributes) (decision authorizer.Decision, reason string, err error) {
+ return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
+}
+
+func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+ return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
+}
+
+func NewAlwaysDenyAuthorizer() *alwaysDenyAuthorizer {
+ return new(alwaysDenyAuthorizer)
+}
+
+type privilegedGroupAuthorizer struct {
+ groups []string
+}
+
+func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (authorizer.Decision, string, error) {
+ if attr.GetUser() == nil {
+ return authorizer.DecisionNoOpinion, "Error", errors.New("no user on request.")
+ }
+ for _, attr_group := range attr.GetUser().GetGroups() {
+ for _, priv_group := range r.groups {
+ if priv_group == attr_group {
+ return authorizer.DecisionAllow, "", nil
+ }
+ }
+ }
+ return authorizer.DecisionNoOpinion, "", nil
+}
+
+// NewPrivilegedGroups is for use in loopback scenarios
+func NewPrivilegedGroups(groups ...string) *privilegedGroupAuthorizer {
+ return &privilegedGroupAuthorizer{
+ groups: groups,
+ }
+}
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
new file mode 100644
index 0000000..25b5aa9
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory/delegating.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authorizerfactory
+
+import (
+ "time"
+
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+ authorizationclient "k8s.io/client-go/kubernetes/typed/authorization/v1beta1"
+
+ "k8s.io/apiserver/plugin/pkg/authorizer/webhook"
+)
+
+// DelegatingAuthorizerConfig is the minimal configuration needed to create an authenticator
+// built to delegate authorization to a kube API server
+type DelegatingAuthorizerConfig struct {
+ SubjectAccessReviewClient authorizationclient.SubjectAccessReviewInterface
+
+ // AllowCacheTTL is the length of time that a successful authorization response will be cached
+ AllowCacheTTL time.Duration
+
+ // DenyCacheTTL is the length of time that an unsuccessful authorization response will be cached.
+ // You generally want more responsive, "deny, try again" flows.
+ DenyCacheTTL time.Duration
+}
+
+func (c DelegatingAuthorizerConfig) New() (authorizer.Authorizer, error) {
+ return webhook.NewFromInterface(
+ c.SubjectAccessReviewClient,
+ c.AllowCacheTTL,
+ c.DenyCacheTTL,
+ )
+}
diff --git a/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/union/union.go b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/union/union.go
new file mode 100644
index 0000000..1575378
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/apiserver/pkg/authorization/union/union.go
@@ -0,0 +1,105 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package union implements an authorizer that combines multiple subauthorizer.
+// The union authorizer iterates over each subauthorizer and returns the first
+// decision that is either an Allow decision or a Deny decision. If a
+// subauthorizer returns a NoOpinion, then the union authorizer moves onto the
+// next authorizer or, if the subauthorizer was the last authorizer, returns
+// NoOpinion as the aggregate decision. I.e. union authorizer creates an
+// aggregate decision and supports short-circuit allows and denies from
+// subauthorizers.
+package union
+
+import (
+ "strings"
+
+ utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+// unionAuthzHandler authorizer against a chain of authorizer.Authorizer
+type unionAuthzHandler []authorizer.Authorizer
+
+// New returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
+func New(authorizationHandlers ...authorizer.Authorizer) authorizer.Authorizer {
+ return unionAuthzHandler(authorizationHandlers)
+}
+
+// Authorizes against a chain of authorizer.Authorizer objects and returns nil if successful and returns error if unsuccessful
+func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (authorizer.Decision, string, error) {
+ var (
+ errlist []error
+ reasonlist []string
+ )
+
+ for _, currAuthzHandler := range authzHandler {
+ decision, reason, err := currAuthzHandler.Authorize(a)
+
+ if err != nil {
+ errlist = append(errlist, err)
+ }
+ if len(reason) != 0 {
+ reasonlist = append(reasonlist, reason)
+ }
+ switch decision {
+ case authorizer.DecisionAllow, authorizer.DecisionDeny:
+ return decision, reason, err
+ case authorizer.DecisionNoOpinion:
+ // continue to the next authorizer
+ }
+ }
+
+ return authorizer.DecisionNoOpinion, strings.Join(reasonlist, "\n"), utilerrors.NewAggregate(errlist)
+}
+
+// unionAuthzRulesHandler authorizer against a chain of authorizer.RuleResolver
+type unionAuthzRulesHandler []authorizer.RuleResolver
+
+// NewRuleResolvers returns an authorizer that authorizes against a chain of authorizer.Authorizer objects
+func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authorizer.RuleResolver {
+ return unionAuthzRulesHandler(authorizationHandlers)
+}
+
+// RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
+func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+ var (
+ errList []error
+ resourceRulesList []authorizer.ResourceRuleInfo
+ nonResourceRulesList []authorizer.NonResourceRuleInfo
+ )
+ incompleteStatus := false
+
+ for _, currAuthzHandler := range authzHandler {
+ resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace)
+
+ if incomplete == true {
+ incompleteStatus = true
+ }
+ if err != nil {
+ errList = append(errList, err)
+ }
+ if len(resourceRules) > 0 {
+ resourceRulesList = append(resourceRulesList, resourceRules...)
+ }
+ if len(nonResourceRules) > 0 {
+ nonResourceRulesList = append(nonResourceRulesList, nonResourceRules...)
+ }
+ }
+
+ return resourceRulesList, nonResourceRulesList, incompleteStatus, utilerrors.NewAggregate(errList)
+}