apiserver: add feature gate AllowProxyRequestToClusters

Signed-off-by: scydas <[email protected]>

Author: scydas

pkg/kubeapiserver/apiserver.go

@@ -66,10 +66,12 @@ func NewDefaultConfig() *Config {
 }
 
 type ExtraConfig struct {
-	SecretNamespace                 string
-	AllowPediaClusterConfigReuse    bool
-	ExtraProxyRequestHeaderPrefixes []string
-	AllowedProxySubresources        map[schema.GroupResource]sets.Set[string]
+	SecretNamespace                   string
+	AllowPediaClusterConfigReuse      bool
+	ExtraProxyRequestHeaderPrefixes   []string
+	AllowedProxySubresources          map[schema.GroupResource]sets.Set[string]
+	EnableProxyPathForForwardRequest  bool
+	AllowForwardUnsyncResourceRequest bool
 }
 
 type Config struct {
@@ -171,16 +173,20 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	}
 	proxy := proxyrest.NewRemoteProxyREST(c.GenericConfig.Serializer, connector)
 
-	// forward request
-	genericserver.Handler.NonGoRestfulMux.HandlePrefix("/proxy/", http.StripPrefix("/proxy", proxy))
+	if c.ExtraConfig.EnableProxyPathForForwardRequest {
+		// forward request
+		genericserver.Handler.NonGoRestfulMux.HandlePrefix("/proxy/", http.StripPrefix("/proxy", proxy))
+		methods = sortedMethods
+	}
 
 	// handle root discovery request
 	discoveryHandler := WrapForwardRequestHandler(discoveryManager, proxy)
 	genericserver.Handler.NonGoRestfulMux.Handle("/api", discoveryHandler)
 	genericserver.Handler.NonGoRestfulMux.Handle("/apis", discoveryHandler)
 
 	resourceHandler := &ResourceHandler{
-		minRequestTimeout: time.Duration(c.GenericConfig.MinRequestTimeout) * time.Second,
+		allowForwardUnsyncResourceRequest: c.ExtraConfig.AllowForwardUnsyncResourceRequest,
+		minRequestTimeout:                 time.Duration(c.GenericConfig.MinRequestTimeout) * time.Second,
 
 		delegate:      delegate,
 		proxy:         proxy,

pkg/kubeapiserver/features.go

@@ -0,0 +1,25 @@
+package kubeapiserver
+
+import (
+	"k8s.io/apimachinery/pkg/util/runtime"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	"k8s.io/component-base/featuregate"
+)
+
+const (
+	// AllowProxyRequestToClusters is a feature gate for the apiserver to handle proxy and forward requests.
+	//
+	// owner: @scydas
+	// alpha: v0.9.0
+	AllowProxyRequestToClusters featuregate.Feature = "AllowProxyRequestToClusters"
+)
+
+func init() {
+	runtime.Must(utilfeature.DefaultMutableFeatureGate.Add(defaultInternalStorageFeatureGates))
+}
+
+// defaultInternalStorageFeatureGates consists of all known custom internalstorage feature keys.
+// To add a new feature, define a key for it above and add it here.
+var defaultInternalStorageFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
+	AllowProxyRequestToClusters: {Default: false, PreRelease: featuregate.Alpha},
+}

pkg/kubeapiserver/options.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 
 	proxyrest "github.com/clusterpedia-io/clusterpedia/pkg/kubeapiserver/resourcerest/proxy"
 )
@@ -18,6 +19,9 @@ type Options struct {
 
 	AllowedProxySubresources        []string
 	ExtraProxyRequestHeaderPrefixes []string
+
+	EnableProxyPathForForwardRequest  bool
+	AllowForwardUnsyncResourceRequest bool
 }
 
 func NewOptions() *Options {
@@ -40,12 +44,20 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	// If you have a better solution, please submit an issue!
 	fs.StringSliceVar(&o.AllowedProxySubresources, "allowed-proxy-subresources", o.AllowedProxySubresources, ""+
 		"List of subresources that support proxying requests to the specified cluster, formatted as '[resource/subresource],[subresource],...'. "+
-		fmt.Sprintf("Supported proxy subresources include %q", strings.Join(resources, ",")),
+		fmt.Sprintf("Supported proxy subresources include %q.", strings.Join(resources, ",")),
 	)
 
 	fs.BoolVar(&o.AllowPediaClusterConfigForProxyRequest, "allow-pediacluster-config-for-proxy-request", o.AllowPediaClusterConfigForProxyRequest, ""+
 		"Allow proxy requests to use the cluster configuration from PediaCluster when authentication information cannot be got from the header.",
 	)
+
+	fs.BoolVar(&o.EnableProxyPathForForwardRequest, "enable-proxy-path-for-forward-request", o.EnableProxyPathForForwardRequest, ""+
+		"Add a '/proxy' path in the API to proxy any request.",
+	)
+	fs.BoolVar(&o.AllowForwardUnsyncResourceRequest, "allow-forward-unsync-resource-request", o.AllowForwardUnsyncResourceRequest, ""+
+		"Allow forwarding requests for unsynchronized resource types."+
+		"By default, only requests for resource types configured in PediaCluster can be forwarded.",
+	)
 }
 
 var supportedProxyCoreSubresources = map[string][]string{
@@ -55,6 +67,11 @@ var supportedProxyCoreSubresources = map[string][]string{
 }
 
 func (o *Options) Config() (*ExtraConfig, error) {
+	if !utilfeature.DefaultFeatureGate.Enabled(AllowProxyRequestToClusters) && (len(o.AllowedProxySubresources) != 0 ||
+		o.EnableProxyPathForForwardRequest || o.AllowForwardUnsyncResourceRequest) {
+		return nil, fmt.Errorf("please enable feature gate %s to allow apiserver to handle the proxy and forward requests", AllowProxyRequestToClusters)
+	}
+
 	subresources := make(map[schema.GroupResource]sets.Set[string])
 
 	for _, subresource := range o.AllowedProxySubresources {
@@ -89,7 +106,9 @@ func (o *Options) Config() (*ExtraConfig, error) {
 		}
 	}
 	return &ExtraConfig{
-		AllowPediaClusterConfigReuse: o.AllowPediaClusterConfigForProxyRequest,
-		AllowedProxySubresources:     subresources,
+		AllowPediaClusterConfigReuse:      o.AllowPediaClusterConfigForProxyRequest,
+		AllowedProxySubresources:          subresources,
+		EnableProxyPathForForwardRequest:  o.EnableProxyPathForForwardRequest,
+		AllowForwardUnsyncResourceRequest: o.AllowForwardUnsyncResourceRequest,
 	}, nil
 }

pkg/kubeapiserver/resource_handler.go

@@ -27,10 +27,10 @@ import (
 )
 
 type ResourceHandler struct {
-	couldForwardAnyRequest bool
-	minRequestTimeout      time.Duration
-	delegate               http.Handler
-	proxy                  http.Handler
+	allowForwardUnsyncResourceRequest bool
+	minRequestTimeout                 time.Duration
+	delegate                          http.Handler
+	proxy                             http.Handler
 
 	rest          *RESTManager
 	discovery     *discovery.DiscoveryManager
@@ -62,7 +62,7 @@ func (r *ResourceHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		shouldForwardRequest = true
 	}
 
-	if shouldForwardRequest && r.couldForwardAnyRequest {
+	if shouldForwardRequest && r.allowForwardUnsyncResourceRequest {
 		r.proxy.ServeHTTP(w, req)
 		return
 	}