kube-apiserver源码阅读分享

原创 baron 上云专家

作者 | baron TKE专项技术组

导读：本文主要对kube-apiserver的功能在源码层面进行解读，分析了kube-apiserver三个基本功能的代码结构以及逻辑实现。分别解读了kube-apiserver服务路由的配置方式，kube-apiserver服务请求访问控制模式，bootstrapToken鉴权模式等内容。

版本环境

• kubernetes版本：kubernetes:v1.17.0

• go环境：go version go1.13.4 windows/amd64

代码总体解析

1. ApiServer的功能设计

kube-apiserver的设计目的在于成为一台相对优雅简单的server，对外提供规范的Kubernetes API。它不仅提供了外部访问集群api的渠道，同时也达到了解耦各组件的目的。

kube-apiserver的主要功能是处理其他业务的REST请求，对其进行验证及鉴权，请求成功后将结果更新到后端存储 etcd （也可以是其他存储）中。

从kube-apiserver的功能可以看出，其源码主要围绕三个关键点展开。我们将依次从三个方面：配置服务路由、访问权限以及同数据库（etcd）的交互对kube-apiserver源码进行解读。

2. 数据结构

数据结构体现了代码的组织和存储形式，为了便于后续代码阅读，这里先简单介绍下kube-apiserver主要逻辑涉及的几个重要的结构体，主要为ServerRunOptions、Config、APIGroupInfo。

ServerRunOptions

ServerRunOptions位于k8s.io/kubernetes/cmd/kube-apiserver/app/options/options.go，是kube-apiserver的启动参数结构体，涵括了kube-apiserver启动需要所有参数，后续各个逻辑需要的相关配置参数均来源于此。其中每项参数的含义请参考官网文档：

type ServerRunOptions struct {    // kube-apiserver系列服务基础配置项  GenericServerRunOptions *genericoptions.ServerRunOptions    // 后端存储etcd的配置项  Etcd                    *genericoptions.EtcdOptions  SecureServing           *genericoptions.SecureServingOptionsWithLoopback  InsecureServing         *genericoptions.DeprecatedInsecureServingOptionsWithLoopback  Audit                   *genericoptions.AuditOptions  Features                *genericoptions.FeatureOptions  Admission               *kubeoptions.AdmissionOptions    // 集群验证配置项  Authentication          *kubeoptions.BuiltInAuthenticationOptions    // 集群操作鉴权配置项  Authorization           *kubeoptions.BuiltInAuthorizationOptions  CloudProvider           *kubeoptions.CloudProviderOptions  APIEnablement           *genericoptions.APIEnablementOptions  EgressSelector          *genericoptions.EgressSelectorOptions  ...}

Config

Config位于k8s.io/apiserver/pkg/server/config.go，是kube-apiserver系列服务的通用配置项，用于与各服务对应的额外配置组合来构成对应服务的配置结构体。

type Config struct {  // https服务配置项SecureServing *SecureServingInfo  // 服务验证配置Authentication AuthenticationInfo  // 服务鉴权配置Authorization AuthorizationInfoLoopbackClientConfig *restclient.ConfigEgressSelector *egressselector.EgressSelectorRuleResolver authorizer.RuleResolverAdmissionControl    admission.InterfaceAuditBackend audit.Backend  // 配置服务路由BuildHandlerChainFunc func(apiHandler http.Handler, c *Config) (securehttp.Handler)RESTOptionsGetter genericregistry.RESTOptionsGetter  ...}

APIGroupInfo

APIGroupInfo位于k8s.io/apiserver/pkg/server/generaticapiserver.go，定义了一个 API 组的相关信息。（以customresourcedefinitions资源为例，对应的API组name为apiextensions.k8s.io，API组支持的版本信息PrioritizedVersions为v1和v1beta1两个版本，版本、资源、后端CRUD结构体的映射关系为map[v1beta1]

[customresourcedefinitions]customresourcedefinitionsStorage）type APIGroupInfo struct {  PrioritizedVersions []schema.GroupVersion    // map[version][resource]storage  VersionedResourcesStorageMap map[string]map[string]rest.Storage  OptionsExternalVersion *schema.GroupVersion  MetaGroupVersion *schema.GroupVersion  Scheme *runtime.Scheme  NegotiatedSerializer runtime.NegotiatedSerializer  ParameterCodec runtime.ParameterCodec  StaticOpenAPISpec *spec.Swagger}

kube-apiserver功能介绍

功能一：配置服务路由

kube-apiserver中配置路由的代码完全遵循的设计模式，先将处理方法注册到对应Route，再Route中注册到WebService，最后将所有的WebService注册到Container中，由Container负责分发流量。访问的过程为Container-->WebService-->Route。

kube-apiserver整个的api如下：

main

入口函数，这里使用构建apiserver的cli命令工具，代码逻辑放在app.NewAPIServerCommand()：

func main() {  rand.Seed(time.Now().UnixNano())  command := app.NewAPIServerCommand()  logs.InitLogs()  defer logs.FlushLogs()  if err := command.Execute(); err != nil {    os.Exit(1)  }}

NewAPIServerCommand

在这里，代码组织形式是cobra构建cli命令行工具的模式。这里主要是对启动参数进行解析、完善及验证其合法性。各项启动参数及其意义可参考。apiserver的具体逻辑放在Run(completedOptions, genericapiserver.SetupSignalHandler())。

func NewAPIServerCommand() *cobra.Command {  s := options.NewServerRunOptions()  cmd := &cobra.Command{    Use: "kube-apiserver",    Long: `xxxxx`,    RunE: func(cmd *cobra.Command, args []string) error {      verflag.PrintAndExitIfRequested()      utilflag.PrintFlags(cmd.Flags())      completedOptions, err := Complete(s)      if errs := completedOptions.Validate(); len(errs) != 0 {        return utilerrors.NewAggregate(errs)      }      return Run(completedOptions, genericapiserver.SetupSignalHandler())    ,  }

在笔者的测试环境里，kube-apiserver对应的启动参数如下：

Run

run函数逻辑很明了，分为三部分：

创建kube-apiserver服务链，配置各api路由的逻辑。
kube-apiserver服务运行前的准备，如设置健康检查和存活检查等操作。
正式运行kube-apiserver服务。

func Run(completeOptions completedServerRunOptions, stopCh <-chan struct{}) error {
  server, err := CreateServerChain(completeOptions, stopCh)
  prepared, err := server.PrepareRun()
  return prepared.Run(stopCh)}

CreateServerChain

kube-apiserver包含一系列服务：

createAPIExtensionsServer：创建CustomResourceDefinitions对应的服务，配置对应api的路由(/apis/apiextensions.k8s.io/)。

CreateKubeAPIServer：创建kube-apiserver的api服务，配置/api和/apis根路径下的路由。

createAggregatorServer：创建聚合服务，聚合在kube-apiserver之外的拓展apiserver。

func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan struct{}) (*aggregatorapiserver.APIAggregator, error) {  ...  // 启动CustomResourceDefinitions对应的服务  apiExtensionsServer, err := createAPIExtensionsServer(apiExtensionsConfig, genericapiserver.NewEmptyDelegate())  // 启动kube-apiserver的api服务  kubeAPIServer, err := CreateKubeAPIServer(kubeAPIServerConfig, apiExtensionsServer.GenericAPIServer)  // 启动聚合服务  aggregatorServer, err := createAggregatorServer(aggregatorConfig, kubeAPIServer.GenericAPIServer, apiExtensionsServer.Informers)  ...}

createAPIExtensionsServer

这里就以createAPIExtensionsServer为例详细梳理下kube-apiserver配置api路由的代码逻辑。

Complete()完善apiextensionsConfig的配置信息，然后到new的逻辑里面组装customresourcedefinitions对应的api组信息apiGroupInfo。

func createAPIExtensionsServer(apiextensionsConfig *apiextensionsapiserver.Config, delegateAPIServer genericapiserver.DelegationTarget) (*apiextensionsapiserver.CustomResourceDefinitions, error) {  return apiextensionsConfig.Complete().New(delegateAPIServer)}
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*CustomResourceDefinitions, error) {  ...    // 将这组api的GroupName设置为apiextensions.k8s.io  apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(apiextensions.GroupName, Scheme, metav1.ParameterCodec, Codecs)    // 根据配置情况，装填对应资源的CRUD后端交互结构体  if apiResourceConfig.VersionEnabled(v1beta1.SchemeGroupVersion) {    storage := map[string]rest.Storage{}    customResourceDefintionStorage := customresourcedefinition.NewREST(Scheme, c.GenericConfig.RESTOptionsGetter)    storage["customresourcedefinitions"] = customResourceDefintionStorage    storage["customresourcedefinitions/status"] = customresourcedefinition.NewStatusREST(Scheme, customResourceDefintionStorage)    apiGroupInfo.VersionedResourcesStorageMap[v1beta1.SchemeGroupVersion.Version] = storage  }
  if apiResourceConfig.VersionEnabled(v1.SchemeGroupVersion) {    storage := map[string]rest.Storage{}    customResourceDefintionStorage := customresourcedefinition.NewREST(Scheme, c.GenericConfig.RESTOptionsGetter)    storage["customresourcedefinitions"] = customResourceDefintionStorage    storage["customresourcedefinitions/status"] = customresourcedefinition.NewStatusREST(Scheme, customResourceDefintionStorage)    apiGroupInfo.VersionedResourcesStorageMap[v1.SchemeGroupVersion.Version] = storage  }
  // 转入下一步逻辑  if err := s.GenericAPIServer.InstallAPIGroup(&apiGroupInfo); err != nil {    return nil, err  }  ...}

ApiGroupInfo在测试环境的体现为：

InstallAPIGroupfunc (s *GenericAPIServer) InstallAPIGroup(apiGroupInfo *APIGroupInfo) error {  return s.InstallAPIGroups(apiGroupInfo)}
func (s *GenericAPIServer) InstallAPIGroups(apiGroupInfos ...*APIGroupInfo) error {  ...  for _, apiGroupInfo := range apiGroupInfos {        // 设置APIGroupPrefix即api根路径为/apis，随后转入下一步逻辑    if err := s.installAPIResources(APIGroupPrefix, apiGroupInfo, openAPIModels); err != nil {      return fmt.Errorf("unable to install api resources: %v", err)    }    ...  }  return nil}

apiGroupInfo在测试环境对应于：

installAPIResourcesfunc (s *GenericAPIServer) installAPIResources(apiPrefix string, apiGroupInfo *APIGroupInfo, openAPIModels openapiproto.Models) error {    // 分别对对应的api组的不同版本进行处理  for _, groupVersion := range apiGroupInfo.PrioritizedVersions {    if len(apiGroupInfo.VersionedResourcesStorageMap[groupVersion.Version]) == 0 {      klog.Warningf("Skipping API %v because it has no resources.", groupVersion)      continue    }
    apiGroupVersion := s.getAPIGroupVersion(apiGroupInfo, groupVersion, apiPrefix)    if apiGroupInfo.OptionsExternalVersion != nil {      apiGroupVersion.OptionsExternalVersion = apiGroupInfo.OptionsExternalVersion    }    apiGroupVersion.OpenAPIModels = openAPIModels    apiGroupVersion.MaxRequestBodyBytes = s.maxRequestBodyBytes    // 进入下一逻辑    if err := apiGroupVersion.InstallREST(s.Handler.GoRestfulContainer); err != nil {      return fmt.Errorf("unable to setup API %v: %v", apiGroupInfo, err)    }  }  return nil}

groupVersion在测试环境里对应于：

InstallRESTfunc (g *APIGroupVersion) InstallREST(container *restful.Container) error {    // 这里将api的prefix组装成如/apis/apiextensions.k8s.io/v1beta1形式  prefix := path.Join(g.Root, g.GroupVersion.Group, g.GroupVersion.Version)  installer := &APIInstaller{    group:             g,    prefix:            prefix,    minRequestTimeout: g.MinRequestTimeout,  }
    // Install()进入下一层逻辑  apiResources, ws, registrationErrors := installer.Install()  versionDiscoveryHandler := discovery.NewAPIVersionHandler(g.Serializer, g.GroupVersion, staticLister{apiResources})  versionDiscoveryHandler.AddToWebService(ws)    // 将对应路径(/apis/apiextensions.k8s.io/v1beta1/)下的WebService注册到Container中  container.Add(ws)  return utilerrors.NewAggregate(registrationErrors)}

apiResources在测试环境里对应于：

Installfunc (a *APIInstaller) Install() ([]metav1.APIResource, *restful.WebService, []error) {  var apiResources []metav1.APIResource  var errors []error    // 设置WebService对应的路径为a.prefix，即形如/apis/apiextensions.k8s.io/v1beta1/的路径  ws := a.newWebService()    paths := make([]string, len(a.group.Storage))  var i int = 0  for path := range a.group.Storage {    paths[i] = path    i++  }  sort.Strings(paths)  for _, path := range paths {        // 分别为Storage中的各资源，形如"customresourcedefinitions"、"customresourcedefinitions/status"，配置对应的CRUD路径即对应处理逻辑，进入下一层逻辑    apiResource, err := a.registerResourceHandlers(path, a.group.Storage[path], ws)
    }    if apiResource != nil {      apiResources = append(apiResources, *apiResource)    }  }  return apiResources, ws, errors}registerResourceHandlersfunc (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storage, ws *restful.WebService) (*metav1.APIResource, error) {  ...    switch action.Verb {    case "GET":       var handler restful.RouteFunction      if isGetterWithOptions {        handler = restfulGetResourceWithOptions(getterWithOptions, reqScope, isSubresource)      } else {        handler = restfulGetResource(getter, exporter, reqScope)      }      ...      route := ws.GET(action.Path).To(handler).        Doc(doc).        Param(ws.QueryParameter("pretty", "If 'true', then the output is pretty printed.")).        Operation("read"+namespaced+kind+strings.Title(subresource)+operationSuffix).        Produces(append(storageMeta.ProducesMIMETypes(action.Verb), mediaTypes...)...).        Returns(http.StatusOK, "OK", producedObject).        Writes(producedObject)      ...      addParams(route, action.Params)       // 将各route汇集      routes = append(routes, route)    ...    }
  // 将所有route映射到对应的WebService中    for _, route := range routes {      route.Metadata(ROUTE_META_GVK, metav1.GroupVersionKind{        Group:   reqScope.Kind.Group,        Version: reqScope.Kind.Version,        Kind:    reqScope.Kind.Kind,      })      route.Metadata(ROUTE_META_ACTION, strings.ToLower(action.Verb))      ws.Route(route)    }  }  ...
  return &apiResource, nil}

CreateKubeAPIServer

启动kube-apiserver，配置/api下的核心路由和/apis下的部分拓展api路由，代码逻辑同上，这里不再赘述。

func CreateKubeAPIServer(kubeAPIServerConfig *master.Config, delegateAPIServer genericapiserver.DelegationTarget) (*master.Master, error) {  kubeAPIServer, err := kubeAPIServerConfig.Complete().New(delegateAPIServer)  return kubeAPIServer, nil}
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*Master, error) {  ...  if c.ExtraConfig.APIResourceConfigSource.VersionEnabled(apiv1.SchemeGroupVersion) {    legacyRESTStorageProvider := corerest.LegacyRESTStorageProvider{      StorageFactory:              c.ExtraConfig.StorageFactory,      ProxyTransport:              c.ExtraConfig.ProxyTransport,      KubeletClientConfig:         c.ExtraConfig.KubeletClientConfig,      EventTTL:                    c.ExtraConfig.EventTTL,      ServiceIPRange:              c.ExtraConfig.ServiceIPRange,      SecondaryServiceIPRange:     c.ExtraConfig.SecondaryServiceIPRange,      ServiceNodePortRange:        c.ExtraConfig.ServiceNodePortRange,      LoopbackClientConfig:        c.GenericConfig.LoopbackClientConfig,      ServiceAccountIssuer:        c.ExtraConfig.ServiceAccountIssuer,      ServiceAccountMaxExpiration: c.ExtraConfig.ServiceAccountMaxExpiration,      APIAudiences:                c.GenericConfig.Authentication.APIAudiences,    }    if err := m.InstallLegacyAPI(&c, c.GenericConfig.RESTOptionsGetter, legacyRESTStorageProvider); err != nil {      return nil, err    }  }
  restStorageProviders := []RESTStorageProvider{    auditregistrationrest.RESTStorageProvider{},    authenticationrest.RESTStorageProvider{Authenticator: c.GenericConfig.Authentication.Authenticator, APIAudiences: c.GenericConfig.Authentication.APIAudiences},    authorizationrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer, RuleResolver: c.GenericConfig.RuleResolver},    autoscalingrest.RESTStorageProvider{},    batchrest.RESTStorageProvider{},    certificatesrest.RESTStorageProvider{},    coordinationrest.RESTStorageProvider{},    discoveryrest.StorageProvider{},    extensionsrest.RESTStorageProvider{},    networkingrest.RESTStorageProvider{},    noderest.RESTStorageProvider{},    policyrest.RESTStorageProvider{},    rbacrest.RESTStorageProvider{Authorizer: c.GenericConfig.Authorization.Authorizer},    schedulingrest.RESTStorageProvider{},    settingsrest.RESTStorageProvider{},    storagerest.RESTStorageProvider{},    flowcontrolrest.RESTStorageProvider{},    appsrest.RESTStorageProvider{},    admissionregistrationrest.RESTStorageProvider{},    eventsrest.RESTStorageProvider{TTL: c.ExtraConfig.EventTTL},  }  if err := m.InstallAPIs(c.ExtraConfig.APIResourceConfigSource, c.GenericConfig.RESTOptionsGetter, restStorageProviders...); err != nil {    return nil, err  }  ...}

createAggregatorServer

启动kube-apiserver，配置/apis/apiextensions.k8s.io下的部分拓展api路由，代码逻辑同上，这里不再赘述。

func createAggregatorServer(aggregatorConfig *aggregatorapiserver.Config, delegateAPIServer genericapiserver.DelegationTarget, apiExtensionInformers apiextensionsinformers.SharedInformerFactory) (*aggregatorapiserver.APIAggregator, error) {  aggregatorServer, err := aggregatorConfig.Complete().NewWithDelegate(delegateAPIServer)  ...  return aggregatorServer, nil}

PrepareRun函数

func (s *APIAggregator) PrepareRun() (preparedAPIAggregator, error) {  ...  prepared := s.GenericAPIServer.PrepareRun()    ...  return preparedAPIAggregator{APIAggregator: s, runnable: prepared}, nil}

PrepareRun函数

func (s *GenericAPIServer) PrepareRun() preparedGenericAPIServer {  s.delegationTarget.PrepareRun()  ...  // 注册kube-apiserver的健康检查、生存检查及就绪检查  s.installHealthz()  s.installLivez()  err := s.addReadyzShutdownCheck(s.readinessStopCh)  s.installReadyz()  ...  return preparedGenericAPIServer{s}}

Run函数

kube-apiserver服务的正式启动。

func (s preparedGenericAPIServer) Run(stopCh <-chan struct{}) error {  ...  err := s.NonBlockingRun(delayedStopCh)  <-stopCh  ...  return nil}

NonBlockingRun

预设些服务启动前的准备工作及服务shutdown之前的清理工作，然后启动服务。

func (s preparedGenericAPIServer) NonBlockingRun(stopCh <-chan struct{}) error {  ...  if s.SecureServingInfo != nil && s.Handler != nil {    var err error    stoppedCh, err = s.SecureServingInfo.Serve(s.Handler, s.ShutdownTimeout, internalStopCh)    if err != nil {      close(internalStopCh)      close(auditStopCh)      return err    }  }  ...  return nil}
Servefunc (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) (<-chan struct{}, error) {  ...  tlsConfig, err := s.tlsConfig(stopCh)
  secureServer := &http.Server{    Addr:           s.Listener.Addr().String(),    Handler:        handler,    MaxHeaderBytes: 1 << 20,    TLSConfig:      tlsConfig,  }  const resourceBody99Percentile = 256 * 1024
  ...  return RunServer(secureServer, s.Listener, shutdownTimeout, stopCh)}
RunServerfunc RunServer(  server *http.Server,  ln net.Listener,  shutDownTimeout time.Duration,  stopCh <-chan struct{},) (<-chan struct{}, error) {
  stoppedCh := make(chan struct{})  go func() {    defer close(stoppedCh)    <-stopCh    ctx, cancel := context.WithTimeout(context.Background(), shutDownTimeout)    server.Shutdown(ctx)    cancel()  }()
  go func() {    defer utilruntime.HandleCrash()
    var listener net.Listener    listener = tcpKeepAliveListener{ln.(*net.TCPListener)}    if server.TLSConfig != nil {      listener = tls.NewListener(listener, server.TLSConfig)    }
    err := server.Serve(listener)
    msg := fmt.Sprintf("Stopped listening on %s", ln.Addr().String())    select {    case <-stopCh:      klog.Info(msg)    default:      panic(fmt.Sprintf("%s due to error: %v", msg, err))    }  }()
  return stoppedCh, nil}

功能二：访问权限控制

访问权限控制设计在请求的处理逻辑中，用于在处理请求之前对请求进行验证及鉴权等操作。以createAPIExtensionsServer中的逻辑为例，在createAPIExtensionsServer中存在以下逻辑。

createAPIExtensionsServer

func createAPIExtensionsServer(apiextensionsConfig *apiextensionsapiserver.Config, delegateAPIServer genericapiserver.DelegationTarget) (*apiextensionsapiserver.CustomResourceDefinitions, error) {  return apiextensionsConfig.Complete().New(delegateAPIServer)}
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*CustomResourceDefinitions, error) {  genericServer, err := c.GenericConfig.New("apiextensions-apiserver", delegationTarget)  if err != nil {    return nil, err  }
  ...  return s, nil}
func (c completedConfig) New(name string, delegationTarget DelegationTarget) (*GenericAPIServer, error) {  ...
  handlerChainBuilder := func(handler http.Handler) http.Handler {    return c.BuildHandlerChainFunc(handler, c.Config)  }
    // 在构建对于的handler时，将访问控制相应的逻辑加进去  apiServerHandler := NewAPIServerHandler(name, c.Serializer, handlerChainBuilder, delegationTarget.UnprotectedHandler())
  ...
  return s, nil}

那么，这个访问控制的处理链是什么样的呢？我们一起看看。

CreateKubeAPIServerConfig

在起初创建kube-apiserver的配置时，相应访问控制的逻辑链就被引入。如下：

func CreateKubeAPIServerConfig(  s completedServerRunOptions,  nodeTunneler tunneler.Tunneler,  proxyTransport *http.Transport,) (  *master.Config,  *genericapiserver.DeprecatedInsecureServingInfo,  aggregatorapiserver.ServiceResolver,  []admission.PluginInitializer,  error,) {  genericConfig, versionedInformers, insecureServingInfo, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport)
    ...
  return config, insecureServingInfo, serviceResolver, pluginInitializers, nil}
func buildGenericConfig(  s *options.ServerRunOptions,  proxyTransport *http.Transport,) (  genericConfig *genericapiserver.Config,  versionedInformers clientgoinformers.SharedInformerFactory,  insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,  serviceResolver aggregatorapiserver.ServiceResolver,  pluginInitializers []admission.PluginInitializer,  admissionPostStartHook genericapiserver.PostStartHookFunc,  storageFactory *serverstorage.DefaultStorageFactory,  lastErr error,) {  genericConfig = genericapiserver.NewConfig(legacyscheme.Codecs)  ...
  return}
func NewConfig(codecs serializer.CodecFactory) *Config {  defaultHealthChecks := []healthz.HealthChecker{healthz.PingHealthz, healthz.LogHealthz}  return &Config{    Serializer:                  codecs,        // 访问控制的逻辑链在这里被传入    BuildHandlerChainFunc:       DefaultBuildHandlerChain,    HandlerChainWaitGroup:       new(utilwaitgroup.SafeWaitGroup),    LegacyAPIGroupPrefixes:      sets.NewString(DefaultLegacyAPIPrefix),    DisabledPostStartHooks:      sets.NewString(),    PostStartHooks:              map[string]PostStartHookConfigEntry{},    HealthzChecks:               append([]healthz.HealthChecker{}, defaultHealthChecks...),    ReadyzChecks:                append([]healthz.HealthChecker{}, defaultHealthChecks...),    LivezChecks:                 append([]healthz.HealthChecker{}, defaultHealthChecks...),    EnableIndex:                 true,    EnableDiscovery:             true,    EnableProfiling:             true,    EnableMetrics:               true,    MaxRequestsInFlight:         400,    MaxMutatingRequestsInFlight: 200,    RequestTimeout:              time.Duration(60) * time.Second,    MinRequestTimeout:           1800,    LivezGracePeriod:            time.Duration(0),    ShutdownDelayDuration:       time.Duration(0),    JSONPatchMaxCopyBytes: int64(3 * 1024 * 1024),    MaxRequestBodyBytes: int64(3 * 1024 * 1024),    LongRunningFunc: genericfilters.BasicLongRunningRequestCheck(sets.NewString("watch"), sets.NewString()),  }}

DefaultBuildHandlerChain

在kube-apiserver中，一个handler在诞生之初会根据配置为其赋予相应的访问控制逻辑，这里我们主要看看权限验证及鉴权两块，即Authorization和Authentication。

func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {  handler := genericapifilters.WithAuthorization(apiHandler, c.Authorization.Authorizer, c.Serializer)  handler = genericfilters.WithMaxInFlightLimit(handler, c.MaxRequestsInFlight, c.MaxMutatingRequestsInFlight, c.LongRunningFunc)  handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)  handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)  failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)  failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)  handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)  handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")  handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.LongRunningFunc, c.RequestTimeout)  handler = genericfilters.WithWaitGroup(handler, c.LongRunningFunc, c.HandlerChainWaitGroup)  handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver)  handler = genericfilters.WithPanicRecovery(handler)  return handler}

下面一起看看，访问权限控制是怎么实现的。

buildGenericConfig

在构建kube-apiserver配置时，有如下逻辑：

func buildGenericConfig(  s *options.ServerRunOptions,  proxyTransport *http.Transport,) (  genericConfig *genericapiserver.Config,  versionedInformers clientgoinformers.SharedInformerFactory,  insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,  serviceResolver aggregatorapiserver.ServiceResolver,  pluginInitializers []admission.PluginInitializer,  admissionPostStartHook genericapiserver.PostStartHookFunc,  storageFactory *serverstorage.DefaultStorageFactory,  lastErr error,) {  ...  // 构建鉴权相关配置  genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers)  // 构建权限验证相关配置  genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, versionedInformers)  ...
  return}

WithAuthorization

func WithAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.NegotiatedSerializer) http.Handler {  ...  return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {    ...        // 逻辑为对传入的对应访问控制的入参进行判断，通过则进行对应的请求处理，否则返回权限错误    authorized, reason, err := a.Authorize(ctx, attributes)    if authorized == authorizer.DecisionAllow {      audit.LogAnnotation(ae, decisionAnnotationKey, decisionAllow)      audit.LogAnnotation(ae, reasonAnnotationKey, reason)      handler.ServeHTTP(w, req)      return    }    if err != nil {      audit.LogAnnotation(ae, reasonAnnotationKey, reasonError)      responsewriters.InternalError(w, req, err)      return    }
    klog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)    audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid)    audit.LogAnnotation(ae, reasonAnnotationKey, reason)    responsewriters.Forbidden(ctx, attributes, w, req, reason, s)  })}

BuildAuthorizer

func BuildAuthorizer(s *options.ServerRunOptions, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {  authorizationConfig := s.Authorization.ToAuthorizationConfig(versionedInformers)  return authorizationConfig.New()}

func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {  ...
  for _, authorizationMode := range config.AuthorizationModes {    switch authorizationMode {        // Node模式    case modes.ModeNode:      graph := node.NewGraph()      node.AddGraphEventHandlers(        graph,        config.VersionedInformerFactory.Core().V1().Nodes(),        config.VersionedInformerFactory.Core().V1().Pods(),        config.VersionedInformerFactory.Core().V1().PersistentVolumes(),        config.VersionedInformerFactory.Storage().V1().VolumeAttachments(),      )      nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())      authorizers = append(authorizers, nodeAuthorizer)    // AlwaysAllow模式    case modes.ModeAlwaysAllow:      alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()      authorizers = append(authorizers, alwaysAllowAuthorizer)      ruleResolvers = append(ruleResolvers, alwaysAllowAuthorizer)        // AlwaysDeny模式    case modes.ModeAlwaysDeny:      alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer()      authorizers = append(authorizers, alwaysDenyAuthorizer)      ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)        // ABAC模式    case modes.ModeABAC:      abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)      if err != nil {        return nil, nil, err      }      authorizers = append(authorizers, abacAuthorizer)      ruleResolvers = append(ruleResolvers, abacAuthorizer)        // Webhook模式    case modes.ModeWebhook:      webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,        config.WebhookVersion,        config.WebhookCacheAuthorizedTTL,        config.WebhookCacheUnauthorizedTTL)      if err != nil {        return nil, nil, err      }      authorizers = append(authorizers, webhookAuthorizer)      ruleResolvers = append(ruleResolvers, webhookAuthorizer)        // RBAC模式    case modes.ModeRBAC:      rbacAuthorizer := rbac.New(        &rbac.RoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().Roles().Lister()},        &rbac.RoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().RoleBindings().Lister()},        &rbac.ClusterRoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoles().Lister()},        &rbac.ClusterRoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoleBindings().Lister()},      )      authorizers = append(authorizers, rbacAuthorizer)      ruleResolvers = append(ruleResolvers, rbacAuthorizer)    default:      return nil, nil, fmt.Errorf("unknown authorization mode %s specified", authorizationMode)    }  }
  return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil}

Authorize

这里特别看一下RBAC模式的Authorize。

func (r *RBACAuthorizer) Authorize(ctx context.Context, requestAttributes authorizer.Attributes) (authorizer.Decision, string, error) {  ruleCheckingVisitor := &authorizingVisitor{requestAttributes: requestAttributes}
  r.authorizationRuleResolver.VisitRulesFor(requestAttributes.GetUser(), requestAttributes.GetNamespace(), ruleCheckingVisitor.visit)  if ruleCheckingVisitor.allowed {    return authorizer.DecisionAllow, ruleCheckingVisitor.reason, nil  }
  if klog.V(5) {    var operation string    if requestAttributes.IsResourceRequest() {      b := &bytes.Buffer{}      b.WriteString(`"`)      b.WriteString(requestAttributes.GetVerb())      b.WriteString(`" resource "`)      b.WriteString(requestAttributes.GetResource())      if len(requestAttributes.GetAPIGroup()) > 0 {        b.WriteString(`.`)        b.WriteString(requestAttributes.GetAPIGroup())      }      if len(requestAttributes.GetSubresource()) > 0 {        b.WriteString(`/`)        b.WriteString(requestAttributes.GetSubresource())      }      b.WriteString(`"`)      if len(requestAttributes.GetName()) > 0 {        b.WriteString(` named "`)        b.WriteString(requestAttributes.GetName())        b.WriteString(`"`)      }      operation = b.String()    } else {      operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath())    }
    var scope string    if ns := requestAttributes.GetNamespace(); len(ns) > 0 {      scope = fmt.Sprintf("in namespace %q", ns)    } else {      scope = "cluster-wide"    }
    klog.Infof("RBAC DENY: user %q groups %q cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)  }
  reason := ""  if len(ruleCheckingVisitor.errors) > 0 {    reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))  }  return authorizer.DecisionNoOpinion, reason, nil}

WithAuthentication

func WithAuthentication(handler http.Handler, auth authenticator.Request, failed http.Handler, apiAuds authenticator.Audiences) http.Handler {  ...  return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {    authenticationStart := time.Now()
    ...        // 主要逻辑在这里    resp, ok, err := auth.AuthenticateRequest(req)    ...
    handler.ServeHTTP(w, req)  })}

BuildAuthenticator

func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {  authenticatorConfig, err := s.Authentication.ToAuthenticationConfig()
  if s.Authentication.ServiceAccounts.Lookup || utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {    authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(      extclient,      versionedInformer.Core().V1().Secrets().Lister(),      versionedInformer.Core().V1().ServiceAccounts().Lister(),      versionedInformer.Core().V1().Pods().Lister(),    )  }    // Bootstrap模式  authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(    versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),  )
  return authenticatorConfig.New()}

func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, error) {  var authenticators []authenticator.Request  var tokenAuthenticators []authenticator.Token  securityDefinitions := spec.SecurityDefinitions{}
  // front proxy鉴权配置  if config.RequestHeaderConfig != nil {    requestHeaderAuthenticator := headerrequest.NewDynamicVerifyOptionsSecure(      config.RequestHeaderConfig.CAContentProvider.VerifyOptions,      config.RequestHeaderConfig.AllowedClientNames,      config.RequestHeaderConfig.UsernameHeaders,      config.RequestHeaderConfig.GroupHeaders,      config.RequestHeaderConfig.ExtraHeaderPrefixes,    )    authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, requestHeaderAuthenticator))  }
  // basic auth鉴权配置  if len(config.BasicAuthFile) > 0 {    basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)    authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, basicAuth))
    securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{      SecuritySchemeProps: spec.SecuritySchemeProps{        Type:        "basic",        Description: "HTTP Basic authentication",      },    }  }
  // X509 methods鉴权配置  if config.ClientCAContentProvider != nil {    certAuth := x509.NewDynamic(config.ClientCAContentProvider.VerifyOptions, x509.CommonNameUserConversion)    authenticators = append(authenticators, certAuth)  }
  // Bearer token methods鉴权配置  if len(config.TokenAuthFile) > 0 {    tokenAuth, err := newAuthenticatorFromTokenFile(config.TokenAuthFile)
    tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, tokenAuth))  }  if len(config.ServiceAccountKeyFiles) > 0 {    serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.APIAudiences, config.ServiceAccountTokenGetter)
    tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)  }  if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {    serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountKeyFiles, config.APIAudiences, config.ServiceAccountTokenGetter)
    tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)  }  if config.BootstrapToken {    if config.BootstrapTokenAuthenticator != nil {      tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))    }  }  if len(config.OIDCIssuerURL) > 0 && len(config.OIDCClientID) > 0 {    oidcAuth, err := newAuthenticatorFromOIDCIssuerURL(oidc.Options{      IssuerURL:            config.OIDCIssuerURL,      ClientID:             config.OIDCClientID,      APIAudiences:         config.APIAudiences,      CAFile:               config.OIDCCAFile,      UsernameClaim:        config.OIDCUsernameClaim,      UsernamePrefix:       config.OIDCUsernamePrefix,      GroupsClaim:          config.OIDCGroupsClaim,      GroupsPrefix:         config.OIDCGroupsPrefix,      SupportedSigningAlgs: config.OIDCSigningAlgs,      RequiredClaims:       config.OIDCRequiredClaims,    })
    tokenAuthenticators = append(tokenAuthenticators, oidcAuth)  }  if len(config.WebhookTokenAuthnConfigFile) > 0 {    webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile, config.WebhookTokenAuthnVersion, config.WebhookTokenAuthnCacheTTL, config.APIAudiences)
    tokenAuthenticators = append(tokenAuthenticators, webhookTokenAuth)  }
  if len(tokenAuthenticators) > 0 {    tokenAuth := tokenunion.New(tokenAuthenticators...)    if config.TokenSuccessCacheTTL > 0 || config.TokenFailureCacheTTL > 0 {      tokenAuth = tokencache.New(tokenAuth, true, config.TokenSuccessCacheTTL, config.TokenFailureCacheTTL)    }    authenticators = append(authenticators, bearertoken.New(tokenAuth), websocket.NewProtocolAuthenticator(tokenAuth))    securityDefinitions["BearerToken"] = &spec.SecurityScheme{      SecuritySchemeProps: spec.SecuritySchemeProps{        Type:        "apiKey",        Name:        "authorization",        In:          "header",        Description: "Bearer Token authentication",      },    }  }
  if len(authenticators) == 0 {    if config.Anonymous {      return anonymous.NewAuthenticator(), &securityDefinitions, nil    }    return nil, &securityDefinitions, nil  }
  authenticator := union.New(authenticators...)
  authenticator = group.NewAuthenticatedGroupAdder(authenticator)
  if config.Anonymous {    authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())  }
  return authenticator, &securityDefinitions, nil}

AuthenticateRequest

这里特别看一下Bootstrap模式的AuthenticateRequest。

func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {  auth := strings.TrimSpace(req.Header.Get("Authorization"))  if auth == "" {    return nil, false, nil  }  parts := strings.Split(auth, " ")  if len(parts) < 2 || strings.ToLower(parts[0]) != "bearer" {    return nil, false, nil  }
  token := parts[1]
  if len(token) == 0 {    return nil, false, nil  }
  resp, ok, err := a.auth.AuthenticateToken(req.Context(), token)  if ok {    req.Header.Del("Authorization")  }
  if !ok && err == nil {    err = invalidToken  }
  return resp, ok, err}

功能三：与后端存储的交互

kube-apiserver与后端ETCD交互的逻辑入口为配置api路由的终端registerResourceHandlers。这里仍以customresourcedefinitions为例，我在集群里新增一个crd资源scalings.control.example.com，然后在集群ETCD查找如下：

详细信息如下：

下面我们一起看看代码中的逻辑是如何设计的。

registerResourceHandlers

访问kube-apiserver对应的后端交互操作，在registerResourceHandlers逻辑里，这里以Get操作为例。

func (a *APIInstaller) registerResourceHandlers(path string, storage rest.Storage, ws *restful.WebService) (*metav1.APIResource, error) {  ...    switch action.Verb {    case "GET":       var handler restful.RouteFunction      if isGetterWithOptions {        handler = restfulGetResourceWithOptions(getterWithOptions, reqScope, isSubresource)      } else {        handler = restfulGetResource(getter, exporter, reqScope)      }      ...    }  }  ...
  return &apiResource, nil}

restfulGetResourceWithOptions

func restfulGetResourceWithOptions(r rest.GetterWithOptions, scope handlers.RequestScope, isSubresource bool) restful.RouteFunction {  return func(req *restful.Request, res *restful.Response) {    handlers.GetResourceWithOptions(r, &scope, isSubresource)(res.ResponseWriter, req.Request)  }}

GetResourceWithOptions

相应操作需要对应的rest.GetterWithOptions来实现。

func GetResourceWithOptions(r rest.GetterWithOptions, scope *RequestScope, isSubresource bool) http.HandlerFunc {  return getResourceHandler(scope,    func(ctx context.Context, name string, req *http.Request, trace *utiltrace.Trace) (runtime.Object, error) {      opts, subpath, subpathKey := r.NewGetOptions()      trace.Step("About to process Get options")            if err := getRequestOptions(req, scope, opts, subpath, subpathKey, isSubresource); err != nil {        err = errors.NewBadRequest(err.Error())        return nil, err      }
      if trace != nil {       trace.Step("About to Get from storage")      }
            // 逻辑实现为对应的rest.GetterWithOptions的相应操作。      return r.Get(ctx, name, opts)    })}

现在重点看看rest.GetterWithOptions这个结构体是如何构建的。

下面我们还是以createAPIExtensionsServer为例来将相应的逻辑抽丝剥茧。

createAPIExtensionsServer

func createAPIExtensionsServer(apiextensionsConfig *apiextensionsapiserver.Config, delegateAPIServer genericapiserver.DelegationTarget) (*apiextensionsapiserver.CustomResourceDefinitions, error) {  return apiextensionsConfig.Complete().New(delegateAPIServer)}
func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget) (*CustomResourceDefinitions, error) {  ...  apiResourceConfig := c.GenericConfig.MergedResourceConfig  apiGroupInfo := genericapiserver.NewDefaultAPIGroupInfo(apiextensions.GroupName, Scheme, metav1.ParameterCodec, Codecs)
  if apiResourceConfig.VersionEnabled(v1beta1.SchemeGroupVersion) {    storage := map[string]rest.Storage{}        // 以customresourcedefinitions这种资源对应的操作为例。NewREST来构造对应的后端交互结构体    customResourceDefintionStorage := customresourcedefinition.NewREST(Scheme, c.GenericConfig.RESTOptionsGetter)    storage["customresourcedefinitions"] = customResourceDefintionStorage    storage["customresourcedefinitions/status"] = customresourcedefinition.NewStatusREST(Scheme, customResourceDefintionStorage)    apiGroupInfo.VersionedResourcesStorageMap[v1beta1.SchemeGroupVersion.Version] = storage  }
  ...
  return s, nil}

NewREST

构建customresourcedefinitions对应的用于后端交互的结构体

func NewREST(scheme *runtime.Scheme, optsGetter generic.RESTOptionsGetter) *REST {  strategy := NewStrategy(scheme)  // 相应数据结构在前面已经提到，这里不再赘述  store := &genericregistry.Store{    ...  }
  options := &generic.StoreOptions{RESTOptions: optsGetter, AttrFunc: GetAttrs}    // 完善结构体的action操作  if err := store.CompleteWithOptions(options); err != nil {    panic(err)   }  return &REST{store}
}

CompleteWithOptions

func (e *Store) CompleteWithOptions(options *generic.StoreOptions) error {  ...  opts, err := options.RESTOptions.GetRESTOptions(e.DefaultQualifiedResource)
  ...  return nil}

GetRESTOptions

CRDRESTOptionsGetter是crd对应实现后端交互接口的结构体。

func (t CRDRESTOptionsGetter) GetRESTOptions(resource schema.GroupResource) (generic.RESTOptions, error) {  ret := generic.RESTOptions{    StorageConfig:           &t.StorageConfig,    Decorator:               generic.UndecoratedStorage,    EnableGarbageCollection: t.EnableGarbageCollection,    DeleteCollectionWorkers: t.DeleteCollectionWorkers,    ResourcePrefix:          resource.Group + "/" + resource.Resource,    CountMetricPollPeriod:   t.CountMetricPollPeriod,  }
  if t.EnableWatchCache {    ret.Decorator = genericregistry.StorageWithCacher(t.DefaultWatchCacheSize)  }  return ret, nil}

StorageWithCacher

func StorageWithCacher(capacity int) generic.StorageDecorator {  return func(    storageConfig *storagebackend.Config,    resourcePrefix string,    keyFunc func(obj runtime.Object) (string, error),    newFunc func() runtime.Object,    newListFunc func() runtime.Object,    getAttrsFunc storage.AttrFunc,    triggerFuncs storage.IndexerFuncs) (storage.Interface, factory.DestroyFunc, error) {    // 构造和后端etcd交互的结构体Storage    s, d, err := generic.NewRawStorage(storageConfig)    }    ...    cacher, err := cacherstorage.NewCacherFromConfig(cacherConfig)    destroyFunc := func() {      cacher.Stop()      d()    }    RegisterStorageCleanup(destroyFunc)
    return cacher, destroyFunc, nil  }}

NewRawStorage

func NewRawStorage(config *storagebackend.Config) (storage.Interface, factory.DestroyFunc, error) {  return factory.Create(*config)}// 根据etcd的版本来创建对应的后端交互结构体，1.17版本仅支持etcd v3版本func Create(c storagebackend.Config) (storage.Interface, DestroyFunc, error) {  switch c.Type {  case "etcd2":    return nil, nil, fmt.Errorf("%v is no longer a supported storage backend", c.Type)  case storagebackend.StorageTypeUnset, storagebackend.StorageTypeETCD3:    return newETCD3Storage(c)
  default:    return nil, nil, fmt.Errorf("unknown storage type: %s", c.Type)  }}

newETCD3Storage

func newETCD3Storage(c storagebackend.Config) (storage.Interface, DestroyFunc, error) {  stopCompactor, err := startCompactorOnce(c.Transport, c.CompactionInterval)
  client, err := newETCD3Client(c.Transport)
  var once sync.Once  destroyFunc := func() {    once.Do(func() {      stopCompactor()      client.Close()    })  }  transformer := c.Transformer  if transformer == nil {    transformer = value.IdentityTransformer  }  return etcd3.New(client, c.Codec, c.Prefix, transformer, c.Paging), destroyFunc, nil}

New

func New(c *clientv3.Client, codec runtime.Codec, prefix string, transformer value.Transformer, pagingEnabled bool) storage.Interface {  return newStore(c, pagingEnabled, codec, prefix, transformer)}
// 返回对应资源的完整的后端交互结构体storefunc newStore(c *clientv3.Client, pagingEnabled bool, codec runtime.Codec, prefix string, transformer value.Transformer) *store {  versioner := APIObjectVersioner{}
  result := &store{    client:        c,    codec:         codec,    versioner:     versioner,    transformer:   transformer,    pagingEnabled: pagingEnabled,    pathPrefix:   path.Join("/", prefix),    watcher:      newWatcher(c, codec, versioner, transformer),    leaseManager: newDefaultLeaseManager(c),  }  return result}

Get

func (s *store) Get(ctx context.Context, key string, resourceVersion string, out runtime.Object, ignoreNotFound bool) error {  key = path.Join(s.pathPrefix, key)  startTime := time.Now()  getResp, err := s.client.KV.Get(ctx, key, s.getOps...)  metrics.RecordEtcdRequestLatency("get", getTypeName(out), startTime)  if err != nil {    return err  }  if err = s.ensureMinimumResourceVersion(resourceVersion, uint64(getResp.Header.Revision)); err != nil {    return err  }    if len(getResp.Kvs) == 0 {    if ignoreNotFound {      return runtime.SetZeroValue(out)    }    return storage.NewKeyNotFoundError(key, 0)  }  kv := getResp.Kvs[0]    data, _, err := s.transformer.TransformFromStorage(kv.Value, authenticatedDataString(key))  if err != nil {    return storage.NewInternalError(err.Error())  }  return decode(s.codec, s.versioner, data, out, kv.ModRevision)}

总结

kube-apiserver在kubernetes架构中充当重要的作用。首先，它是集群内各组件互相联系的核心组件，解耦了集群内各组件间的复杂关系，让各组件内更多的关注自身功能逻辑；其次，它是集群外访问集群内资源的唯一入口，负责着集群内外的所有请求及其访问控制。所以了解kube-apiserver可以有助于我们更深入的去理解kubernetes的功能涉及及架构设计，有利于我们更好的将kubernetes用于我们的生产。本篇文章有点长，希望能给读者朋友带来帮助，谢谢大家的阅读。

作者简介：baron，云计算从业者，热爱容器、热爱K8S、热爱云原生，走在云架构师路上的程序猿。

继续滑动看下一个