Home Explore Help
Sign In
tzeneto
/
custom-kube-scheduler
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: edebc35d0d
Branches Tags
custom-kube-...
/
kubernetes-v1.15.4
/
pkg
/
controller
/
bootstrap
/
tokencleaner.go

tokencleaner.go 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204 
  1. /*
    2. 

  2. Copyright 2016 The Kubernetes Authors.
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package bootstrap
    18. 

  18. 

  19. import (
    20. 

  20. 	"fmt"
    21. 

  21. 	"time"
    22. 

  22. 

  23. 	"k8s.io/api/core/v1"
    24. 

  24. 	apierrors "k8s.io/apimachinery/pkg/api/errors"
    25. 

  25. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
    27. 

  27. 	"k8s.io/apimachinery/pkg/util/wait"
    28. 

  28. 	coreinformers "k8s.io/client-go/informers/core/v1"
    29. 

  29. 	clientset "k8s.io/client-go/kubernetes"
    30. 

  30. 	corelisters "k8s.io/client-go/listers/core/v1"
    31. 

  31. 	"k8s.io/client-go/tools/cache"
    32. 

  32. 	"k8s.io/client-go/util/workqueue"
    33. 

  33. 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
    34. 

  34. 	"k8s.io/klog"
    35. 

  35. 	api "k8s.io/kubernetes/pkg/apis/core"
    36. 

  36. 	"k8s.io/kubernetes/pkg/controller"
    37. 

  37. 	"k8s.io/kubernetes/pkg/util/metrics"
    38. 

  38. )
    39. 

  39. 

  40. // TokenCleanerOptions contains options for the TokenCleaner
    41. 

  41. type TokenCleanerOptions struct {
    42. 

  42. 	// TokenSecretNamespace string is the namespace for token Secrets.
    43. 

  43. 	TokenSecretNamespace string
    44. 

  44. 

  45. 	// SecretResync is the time.Duration at which to fully re-list secrets.
    46. 

  46. 	// If zero, re-list will be delayed as long as possible
    47. 

  47. 	SecretResync time.Duration
    48. 

  48. }
    49. 

  49. 

  50. // DefaultTokenCleanerOptions returns a set of default options for creating a
    51. 

  51. // TokenCleaner
    52. 

  52. func DefaultTokenCleanerOptions() TokenCleanerOptions {
    53. 

  53. 	return TokenCleanerOptions{
    54. 

  54. 		TokenSecretNamespace: api.NamespaceSystem,
    55. 

  55. 	}
    56. 

  56. }
    57. 

  57. 

  58. // TokenCleaner is a controller that deletes expired tokens
    59. 

  59. type TokenCleaner struct {
    60. 

  60. 	tokenSecretNamespace string
    61. 

  61. 

  62. 	client clientset.Interface
    63. 

  63. 

  64. 	// secretLister is able to list/get secrets and is populated by the shared informer passed to NewTokenCleaner.
    65. 

  65. 	secretLister corelisters.SecretLister
    66. 

  66. 

  67. 	// secretSynced returns true if the secret shared informer has been synced at least once.
    68. 

  68. 	secretSynced cache.InformerSynced
    69. 

  69. 

  70. 	queue workqueue.RateLimitingInterface
    71. 

  71. }
    72. 

  72. 

  73. // NewTokenCleaner returns a new *NewTokenCleaner.
    74. 

  74. func NewTokenCleaner(cl clientset.Interface, secrets coreinformers.SecretInformer, options TokenCleanerOptions) (*TokenCleaner, error) {
    75. 

  75. 	e := &TokenCleaner{
    76. 

  76. 		client:               cl,
    77. 

  77. 		secretLister:         secrets.Lister(),
    78. 

  78. 		secretSynced:         secrets.Informer().HasSynced,
    79. 

  79. 		tokenSecretNamespace: options.TokenSecretNamespace,
    80. 

  80. 		queue:                workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "token_cleaner"),
    81. 

  81. 	}
    82. 

  82. 

  83. 	if cl.CoreV1().RESTClient().GetRateLimiter() != nil {
    84. 

  84. 		if err := metrics.RegisterMetricAndTrackRateLimiterUsage("token_cleaner", cl.CoreV1().RESTClient().GetRateLimiter()); err != nil {
    85. 

  85. 			return nil, err
    86. 

  86. 		}
    87. 

  87. 	}
    88. 

  88. 

  89. 	secrets.Informer().AddEventHandlerWithResyncPeriod(
    90. 

  90. 		cache.FilteringResourceEventHandler{
    91. 

  91. 			FilterFunc: func(obj interface{}) bool {
    92. 

  92. 				switch t := obj.(type) {
    93. 

  93. 				case *v1.Secret:
    94. 

  94. 					return t.Type == bootstrapapi.SecretTypeBootstrapToken && t.Namespace == e.tokenSecretNamespace
    95. 

  95. 				default:
    96. 

  96. 					utilruntime.HandleError(fmt.Errorf("object passed to %T that is not expected: %T", e, obj))
    97. 

  97. 					return false
    98. 

  98. 				}
    99. 

  99. 			},
    100. 

  100. 			Handler: cache.ResourceEventHandlerFuncs{
    101. 

  101. 				AddFunc:    e.enqueueSecrets,
    102. 

  102. 				UpdateFunc: func(oldSecret, newSecret interface{}) { e.enqueueSecrets(newSecret) },
    103. 

  103. 			},
    104. 

  104. 		},
    105. 

  105. 		options.SecretResync,
    106. 

  106. 	)
    107. 

  107. 

  108. 	return e, nil
    109. 

  109. }
    110. 

  110. 

  111. // Run runs controller loops and returns when they are done
    112. 

  112. func (tc *TokenCleaner) Run(stopCh <-chan struct{}) {
    113. 

  113. 	defer utilruntime.HandleCrash()
    114. 

  114. 	defer tc.queue.ShutDown()
    115. 

  115. 

  116. 	klog.Infof("Starting token cleaner controller")
    117. 

  117. 	defer klog.Infof("Shutting down token cleaner controller")
    118. 

  118. 

  119. 	if !controller.WaitForCacheSync("token_cleaner", stopCh, tc.secretSynced) {
    120. 

  120. 		return
    121. 

  121. 	}
    122. 

  122. 

  123. 	go wait.Until(tc.worker, 10*time.Second, stopCh)
    124. 

  124. 

  125. 	<-stopCh
    126. 

  126. }
    127. 

  127. 

  128. func (tc *TokenCleaner) enqueueSecrets(obj interface{}) {
    129. 

  129. 	key, err := controller.KeyFunc(obj)
    130. 

  130. 	if err != nil {
    131. 

  131. 		utilruntime.HandleError(err)
    132. 

  132. 		return
    133. 

  133. 	}
    134. 

  134. 	tc.queue.Add(key)
    135. 

  135. }
    136. 

  136. 

  137. // worker runs a thread that dequeues secrets, handles them, and marks them done.
    138. 

  138. func (tc *TokenCleaner) worker() {
    139. 

  139. 	for tc.processNextWorkItem() {
    140. 

  140. 	}
    141. 

  141. }
    142. 

  142. 

  143. // processNextWorkItem deals with one key off the queue.  It returns false when it's time to quit.
    144. 

  144. func (tc *TokenCleaner) processNextWorkItem() bool {
    145. 

  145. 	key, quit := tc.queue.Get()
    146. 

  146. 	if quit {
    147. 

  147. 		return false
    148. 

  148. 	}
    149. 

  149. 	defer tc.queue.Done(key)
    150. 

  150. 

  151. 	if err := tc.syncFunc(key.(string)); err != nil {
    152. 

  152. 		tc.queue.AddRateLimited(key)
    153. 

  153. 		utilruntime.HandleError(fmt.Errorf("Sync %v failed with : %v", key, err))
    154. 

  154. 		return true
    155. 

  155. 	}
    156. 

  156. 

  157. 	tc.queue.Forget(key)
    158. 

  158. 	return true
    159. 

  159. }
    160. 

  160. 

  161. func (tc *TokenCleaner) syncFunc(key string) error {
    162. 

  162. 	startTime := time.Now()
    163. 

  163. 	defer func() {
    164. 

  164. 		klog.V(4).Infof("Finished syncing secret %q (%v)", key, time.Since(startTime))
    165. 

  165. 	}()
    166. 

  166. 

  167. 	namespace, name, err := cache.SplitMetaNamespaceKey(key)
    168. 

  168. 	if err != nil {
    169. 

  169. 		return err
    170. 

  170. 	}
    171. 

  171. 

  172. 	ret, err := tc.secretLister.Secrets(namespace).Get(name)
    173. 

  173. 	if apierrors.IsNotFound(err) {
    174. 

  174. 		klog.V(3).Infof("secret has been deleted: %v", key)
    175. 

  175. 		return nil
    176. 

  176. 	}
    177. 

  177. 

  178. 	if err != nil {
    179. 

  179. 		return err
    180. 

  180. 	}
    181. 

  181. 

  182. 	if ret.Type == bootstrapapi.SecretTypeBootstrapToken {
    183. 

  183. 		tc.evalSecret(ret)
    184. 

  184. 	}
    185. 

  185. 	return nil
    186. 

  186. }
    187. 

  187. 

  188. func (tc *TokenCleaner) evalSecret(o interface{}) {
    189. 

  189. 	secret := o.(*v1.Secret)
    190. 

  190. 	if isSecretExpired(secret) {
    191. 

  191. 		klog.V(3).Infof("Deleting expired secret %s/%s", secret.Namespace, secret.Name)
    192. 

  192. 		var options *metav1.DeleteOptions
    193. 

  193. 		if len(secret.UID) > 0 {
    194. 

  194. 			options = &metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &secret.UID}}
    195. 

  195. 		}
    196. 

  196. 		err := tc.client.CoreV1().Secrets(secret.Namespace).Delete(secret.Name, options)
    197. 

  197. 		// NotFound isn't a real error (it's already been deleted)
    198. 

  198. 		// Conflict isn't a real error (the UID precondition failed)
    199. 

  199. 		if err != nil && !apierrors.IsConflict(err) && !apierrors.IsNotFound(err) {
    200. 

  200. 			klog.V(3).Infof("Error deleting Secret: %v", err)
    201. 

  201. 		}
    202. 

  202. 	}
    203. 

  203. }
    204. 

  204.