2019-01-12 04:58:27 +00:00
/ *
Copyright 2016 The Kubernetes Authors .
Licensed under the Apache License , Version 2.0 ( the "License" ) ;
you may not use this file except in compliance with the License .
You may obtain a copy of the License at
http : //www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing , software
distributed under the License is distributed on an "AS IS" BASIS ,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
See the License for the specific language governing permissions and
limitations under the License .
* /
package options
import (
2019-08-30 18:33:25 +00:00
"errors"
2019-01-12 04:58:27 +00:00
"fmt"
"net/url"
"strings"
"time"
"github.com/spf13/pflag"
2020-06-23 22:12:14 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
2019-08-30 18:33:25 +00:00
"k8s.io/apimachinery/pkg/util/sets"
2020-12-01 01:06:26 +00:00
"k8s.io/apimachinery/pkg/util/wait"
2019-01-12 04:58:27 +00:00
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver "k8s.io/apiserver/pkg/server"
2020-06-23 22:12:14 +00:00
"k8s.io/apiserver/pkg/server/egressselector"
2019-04-07 17:07:55 +00:00
genericoptions "k8s.io/apiserver/pkg/server/options"
2020-06-23 22:12:14 +00:00
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
2019-08-30 18:33:25 +00:00
cliflag "k8s.io/component-base/cli/flag"
2020-08-10 17:43:49 +00:00
"k8s.io/klog/v2"
2020-06-23 22:12:14 +00:00
openapicommon "k8s.io/kube-openapi/pkg/common"
2020-12-01 01:06:26 +00:00
2020-06-23 22:12:14 +00:00
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
2019-01-12 04:58:27 +00:00
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
2019-08-30 18:33:25 +00:00
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
2020-06-23 22:12:14 +00:00
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
2019-01-12 04:58:27 +00:00
)
2020-12-01 01:06:26 +00:00
// BuiltInAuthenticationOptions contains all build-in authentication options for API Server
2019-01-12 04:58:27 +00:00
type BuiltInAuthenticationOptions struct {
APIAudiences [ ] string
2019-08-30 18:33:25 +00:00
Anonymous * AnonymousAuthenticationOptions
BootstrapToken * BootstrapTokenAuthenticationOptions
2019-04-07 17:07:55 +00:00
ClientCert * genericoptions . ClientCertAuthenticationOptions
2019-08-30 18:33:25 +00:00
OIDC * OIDCAuthenticationOptions
2019-04-07 17:07:55 +00:00
RequestHeader * genericoptions . RequestHeaderAuthenticationOptions
2019-01-12 04:58:27 +00:00
ServiceAccounts * ServiceAccountAuthenticationOptions
TokenFile * TokenFileAuthenticationOptions
WebHook * WebHookAuthenticationOptions
TokenSuccessCacheTTL time . Duration
TokenFailureCacheTTL time . Duration
}
2020-12-01 01:06:26 +00:00
// AnonymousAuthenticationOptions contains anonymous authentication options for API Server
2019-08-30 18:33:25 +00:00
type AnonymousAuthenticationOptions struct {
Allow bool
}
2020-12-01 01:06:26 +00:00
// BootstrapTokenAuthenticationOptions contains bootstrap token authentication options for API Server
2019-08-30 18:33:25 +00:00
type BootstrapTokenAuthenticationOptions struct {
Enable bool
}
2020-12-01 01:06:26 +00:00
// OIDCAuthenticationOptions contains OIDC authentication options for API Server
2019-08-30 18:33:25 +00:00
type OIDCAuthenticationOptions struct {
CAFile string
ClientID string
IssuerURL string
UsernameClaim string
UsernamePrefix string
GroupsClaim string
GroupsPrefix string
SigningAlgs [ ] string
RequiredClaims map [ string ] string
}
2020-12-01 01:06:26 +00:00
// ServiceAccountAuthenticationOptions contains service account authentication options for API Server
2019-01-12 04:58:27 +00:00
type ServiceAccountAuthenticationOptions struct {
2020-08-10 17:43:49 +00:00
KeyFiles [ ] string
Lookup bool
2021-07-02 08:43:15 +00:00
Issuers [ ] string
2020-08-10 17:43:49 +00:00
JWKSURI string
MaxExpiration time . Duration
ExtendExpiration bool
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
// TokenFileAuthenticationOptions contains token file authentication options for API Server
2019-01-12 04:58:27 +00:00
type TokenFileAuthenticationOptions struct {
TokenFile string
}
2020-12-01 01:06:26 +00:00
// WebHookAuthenticationOptions contains web hook authentication options for API Server
2019-01-12 04:58:27 +00:00
type WebHookAuthenticationOptions struct {
ConfigFile string
2019-12-12 01:27:03 +00:00
Version string
2019-01-12 04:58:27 +00:00
CacheTTL time . Duration
2020-12-01 01:06:26 +00:00
// RetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
// This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
// before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
RetryBackoff * wait . Backoff
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
// NewBuiltInAuthenticationOptions create a new BuiltInAuthenticationOptions, just set default token cache TTL
2019-01-12 04:58:27 +00:00
func NewBuiltInAuthenticationOptions ( ) * BuiltInAuthenticationOptions {
return & BuiltInAuthenticationOptions {
TokenSuccessCacheTTL : 10 * time . Second ,
TokenFailureCacheTTL : 0 * time . Second ,
}
}
2020-12-01 01:06:26 +00:00
// WithAll set default value for every build-in authentication option
func ( o * BuiltInAuthenticationOptions ) WithAll ( ) * BuiltInAuthenticationOptions {
return o .
2019-08-30 18:33:25 +00:00
WithAnonymous ( ) .
WithBootstrapToken ( ) .
2019-04-07 17:07:55 +00:00
WithClientCert ( ) .
2019-08-30 18:33:25 +00:00
WithOIDC ( ) .
2019-04-07 17:07:55 +00:00
WithRequestHeader ( ) .
2019-01-12 04:58:27 +00:00
WithServiceAccounts ( ) .
WithTokenFile ( ) .
WithWebHook ( )
}
2020-12-01 01:06:26 +00:00
// WithAnonymous set default value for anonymous authentication
func ( o * BuiltInAuthenticationOptions ) WithAnonymous ( ) * BuiltInAuthenticationOptions {
o . Anonymous = & AnonymousAuthenticationOptions { Allow : true }
return o
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
// WithBootstrapToken set default value for bootstrap token authentication
func ( o * BuiltInAuthenticationOptions ) WithBootstrapToken ( ) * BuiltInAuthenticationOptions {
o . BootstrapToken = & BootstrapTokenAuthenticationOptions { }
return o
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
// WithClientCert set default value for client cert
func ( o * BuiltInAuthenticationOptions ) WithClientCert ( ) * BuiltInAuthenticationOptions {
o . ClientCert = & genericoptions . ClientCertAuthenticationOptions { }
return o
2019-04-07 17:07:55 +00:00
}
2020-12-01 01:06:26 +00:00
// WithOIDC set default value for OIDC authentication
func ( o * BuiltInAuthenticationOptions ) WithOIDC ( ) * BuiltInAuthenticationOptions {
o . OIDC = & OIDCAuthenticationOptions { }
return o
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
// WithRequestHeader set default value for request header authentication
func ( o * BuiltInAuthenticationOptions ) WithRequestHeader ( ) * BuiltInAuthenticationOptions {
o . RequestHeader = & genericoptions . RequestHeaderAuthenticationOptions { }
return o
2019-04-07 17:07:55 +00:00
}
2020-12-01 01:06:26 +00:00
// WithServiceAccounts set default value for service account authentication
func ( o * BuiltInAuthenticationOptions ) WithServiceAccounts ( ) * BuiltInAuthenticationOptions {
o . ServiceAccounts = & ServiceAccountAuthenticationOptions { Lookup : true , ExtendExpiration : true }
return o
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
// WithTokenFile set default value for token file authentication
func ( o * BuiltInAuthenticationOptions ) WithTokenFile ( ) * BuiltInAuthenticationOptions {
o . TokenFile = & TokenFileAuthenticationOptions { }
return o
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
// WithWebHook set default value for web hook authentication
func ( o * BuiltInAuthenticationOptions ) WithWebHook ( ) * BuiltInAuthenticationOptions {
o . WebHook = & WebHookAuthenticationOptions {
Version : "v1beta1" ,
CacheTTL : 2 * time . Minute ,
RetryBackoff : genericoptions . DefaultAuthWebhookRetryBackoff ( ) ,
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
return o
2019-01-12 04:58:27 +00:00
}
// Validate checks invalid config combination
2020-12-01 01:06:26 +00:00
func ( o * BuiltInAuthenticationOptions ) Validate ( ) [ ] error {
2021-07-02 08:43:15 +00:00
var allErrors [ ] error
2019-01-12 04:58:27 +00:00
2020-12-01 01:06:26 +00:00
if o . OIDC != nil && ( len ( o . OIDC . IssuerURL ) > 0 ) != ( len ( o . OIDC . ClientID ) > 0 ) {
2019-08-30 18:33:25 +00:00
allErrors = append ( allErrors , fmt . Errorf ( "oidc-issuer-url and oidc-client-id should be specified together" ) )
}
2021-07-02 08:43:15 +00:00
if o . ServiceAccounts != nil && len ( o . ServiceAccounts . Issuers ) > 0 {
seen := make ( map [ string ] bool )
for _ , issuer := range o . ServiceAccounts . Issuers {
if strings . Contains ( issuer , ":" ) {
if _ , err := url . Parse ( issuer ) ; err != nil {
allErrors = append ( allErrors , fmt . Errorf ( "service-account-issuer %q contained a ':' but was not a valid URL: %v" , issuer , err ) )
continue
}
}
if issuer == "" {
allErrors = append ( allErrors , fmt . Errorf ( "service-account-issuer should not be an empty string" ) )
continue
}
if seen [ issuer ] {
allErrors = append ( allErrors , fmt . Errorf ( "service-account-issuer %q is already specified" , issuer ) )
continue
}
seen [ issuer ] = true
2019-01-12 04:58:27 +00:00
}
}
2020-12-01 01:06:26 +00:00
if o . ServiceAccounts != nil {
2021-07-02 08:43:15 +00:00
if len ( o . ServiceAccounts . Issuers ) == 0 {
2020-12-01 01:06:26 +00:00
allErrors = append ( allErrors , errors . New ( "service-account-issuer is a required flag" ) )
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
if len ( o . ServiceAccounts . KeyFiles ) == 0 {
allErrors = append ( allErrors , errors . New ( "service-account-key-file is a required flag" ) )
2019-08-30 18:33:25 +00:00
}
2019-01-12 04:58:27 +00:00
2021-03-18 22:40:29 +00:00
// Validate the JWKS URI when it is explicitly set.
// When unset, it is later derived from ExternalHost.
if o . ServiceAccounts . JWKSURI != "" {
if u , err := url . Parse ( o . ServiceAccounts . JWKSURI ) ; err != nil {
allErrors = append ( allErrors , fmt . Errorf ( "service-account-jwks-uri must be a valid URL: %v" , err ) )
} else if u . Scheme != "https" {
allErrors = append ( allErrors , fmt . Errorf ( "service-account-jwks-uri requires https scheme, parsed as: %v" , u . String ( ) ) )
2020-03-26 21:07:15 +00:00
}
}
}
2020-12-01 01:06:26 +00:00
if o . WebHook != nil {
retryBackoff := o . WebHook . RetryBackoff
if retryBackoff != nil && retryBackoff . Steps <= 0 {
2021-07-02 08:43:15 +00:00
allErrors = append ( allErrors , fmt . Errorf ( "number of webhook retry attempts must be greater than 0, but is: %d" , retryBackoff . Steps ) )
2020-12-01 01:06:26 +00:00
}
}
2019-01-12 04:58:27 +00:00
return allErrors
}
2020-12-01 01:06:26 +00:00
// AddFlags returns flags of authentication for a API Server
func ( o * BuiltInAuthenticationOptions ) AddFlags ( fs * pflag . FlagSet ) {
fs . StringSliceVar ( & o . APIAudiences , "api-audiences" , o . APIAudiences , "" +
2019-01-12 04:58:27 +00:00
"Identifiers of the API. The service account token authenticator will validate that " +
"tokens used against the API are bound to at least one of these audiences. If the " +
"--service-account-issuer flag is configured and this flag is not, this field " +
2020-03-26 21:07:15 +00:00
"defaults to a single element list containing the issuer URL." )
2019-01-12 04:58:27 +00:00
2020-12-01 01:06:26 +00:00
if o . Anonymous != nil {
fs . BoolVar ( & o . Anonymous . Allow , "anonymous-auth" , o . Anonymous . Allow , "" +
2019-08-30 18:33:25 +00:00
"Enables anonymous requests to the secure port of the API server. " +
"Requests that are not rejected by another authentication method are treated as anonymous requests. " +
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated." )
}
2020-12-01 01:06:26 +00:00
if o . BootstrapToken != nil {
fs . BoolVar ( & o . BootstrapToken . Enable , "enable-bootstrap-token-auth" , o . BootstrapToken . Enable , "" +
2019-08-30 18:33:25 +00:00
"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' " +
"namespace to be used for TLS bootstrapping authentication." )
}
2020-12-01 01:06:26 +00:00
if o . ClientCert != nil {
o . ClientCert . AddFlags ( fs )
2019-04-07 17:07:55 +00:00
}
2020-12-01 01:06:26 +00:00
if o . OIDC != nil {
fs . StringVar ( & o . OIDC . IssuerURL , "oidc-issuer-url" , o . OIDC . IssuerURL , "" +
2019-08-30 18:33:25 +00:00
"The URL of the OpenID issuer, only HTTPS scheme will be accepted. " +
"If set, it will be used to verify the OIDC JSON Web Token (JWT)." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . ClientID , "oidc-client-id" , o . OIDC . ClientID ,
2019-08-30 18:33:25 +00:00
"The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . CAFile , "oidc-ca-file" , o . OIDC . CAFile , "" +
2019-08-30 18:33:25 +00:00
"If set, the OpenID server's certificate will be verified by one of the authorities " +
"in the oidc-ca-file, otherwise the host's root CA set will be used." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . UsernameClaim , "oidc-username-claim" , "sub" , "" +
2019-08-30 18:33:25 +00:00
"The OpenID claim to use as the user name. Note that claims other than the default ('sub') " +
"is not guaranteed to be unique and immutable. This flag is experimental, please see " +
"the authentication documentation for further details." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . UsernamePrefix , "oidc-username-prefix" , "" , "" +
2019-08-30 18:33:25 +00:00
"If provided, all usernames will be prefixed with this value. If not provided, " +
"username claims other than 'email' are prefixed by the issuer URL to avoid " +
"clashes. To skip any prefixing, provide the value '-'." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . GroupsClaim , "oidc-groups-claim" , "" , "" +
2019-08-30 18:33:25 +00:00
"If provided, the name of a custom OpenID Connect claim for specifying user groups. " +
"The claim value is expected to be a string or array of strings. This flag is experimental, " +
"please see the authentication documentation for further details." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . OIDC . GroupsPrefix , "oidc-groups-prefix" , "" , "" +
2019-08-30 18:33:25 +00:00
"If provided, all groups will be prefixed with this value to prevent conflicts with " +
"other authentication strategies." )
2020-12-01 01:06:26 +00:00
fs . StringSliceVar ( & o . OIDC . SigningAlgs , "oidc-signing-algs" , [ ] string { "RS256" } , "" +
2019-08-30 18:33:25 +00:00
"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a " +
"'alg' header value not in this list will be rejected. " +
"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1." )
2020-12-01 01:06:26 +00:00
fs . Var ( cliflag . NewMapStringStringNoSplit ( & o . OIDC . RequiredClaims ) , "oidc-required-claim" , "" +
2019-08-30 18:33:25 +00:00
"A key=value pair that describes a required claim in the ID Token. " +
"If set, the claim is verified to be present in the ID Token with a matching value. " +
"Repeat this flag to specify multiple claims." )
}
2020-12-01 01:06:26 +00:00
if o . RequestHeader != nil {
o . RequestHeader . AddFlags ( fs )
2019-04-07 17:07:55 +00:00
}
2020-12-01 01:06:26 +00:00
if o . ServiceAccounts != nil {
fs . StringArrayVar ( & o . ServiceAccounts . KeyFiles , "service-account-key-file" , o . ServiceAccounts . KeyFiles , "" +
2019-01-12 04:58:27 +00:00
"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify " +
"ServiceAccount tokens. The specified file can contain multiple keys, and the flag can " +
"be specified multiple times with different files. If unspecified, " +
"--tls-private-key-file is used. Must be specified when " +
"--service-account-signing-key is provided" )
2020-12-01 01:06:26 +00:00
fs . BoolVar ( & o . ServiceAccounts . Lookup , "service-account-lookup" , o . ServiceAccounts . Lookup ,
2019-01-12 04:58:27 +00:00
"If true, validate ServiceAccount tokens exist in etcd as part of authentication." )
2021-07-02 08:43:15 +00:00
fs . StringArrayVar ( & o . ServiceAccounts . Issuers , "service-account-issuer" , o . ServiceAccounts . Issuers , "" +
2019-01-12 04:58:27 +00:00
"Identifier of the service account token issuer. The issuer will assert this identifier " +
2020-03-26 21:07:15 +00:00
"in \"iss\" claim of issued tokens. This value is a string or URI. If this option is not " +
"a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature " +
"will remain disabled, even if the feature gate is set to true. It is highly recommended " +
"that this value comply with the OpenID spec: https://openid.net/specs/openid-connect-discovery-1_0.html. " +
"In practice, this means that service-account-issuer must be an https URL. It is also highly " +
"recommended that this URL be capable of serving OpenID discovery documents at " +
2021-07-02 08:43:15 +00:00
"{service-account-issuer}/.well-known/openid-configuration. " +
"When this flag is specified multiple times, the first is used to generate tokens " +
"and all are used to determine which issuers are accepted." )
2020-03-26 21:07:15 +00:00
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . ServiceAccounts . JWKSURI , "service-account-jwks-uri" , o . ServiceAccounts . JWKSURI , "" +
2020-03-26 21:07:15 +00:00
"Overrides the URI for the JSON Web Key Set in the discovery doc served at " +
"/.well-known/openid-configuration. This flag is useful if the discovery doc" +
"and key set are served to relying parties from a URL other than the " +
"API server's external (as auto-detected or overridden with external-hostname). " +
"Only valid if the ServiceAccountIssuerDiscovery feature gate is enabled." )
2019-01-12 04:58:27 +00:00
// Deprecated in 1.13
2020-12-01 01:06:26 +00:00
fs . StringSliceVar ( & o . APIAudiences , "service-account-api-audiences" , o . APIAudiences , "" +
2019-01-12 04:58:27 +00:00
"Identifiers of the API. The service account token authenticator will validate that " +
"tokens used against the API are bound to at least one of these audiences." )
fs . MarkDeprecated ( "service-account-api-audiences" , "Use --api-audiences" )
2020-12-01 01:06:26 +00:00
fs . DurationVar ( & o . ServiceAccounts . MaxExpiration , "service-account-max-token-expiration" , o . ServiceAccounts . MaxExpiration , "" +
2019-01-12 04:58:27 +00:00
"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid " +
"TokenRequest with a validity duration larger than this value is requested, a token will be issued with a validity duration of this value." )
2020-08-10 17:43:49 +00:00
2020-12-01 01:06:26 +00:00
fs . BoolVar ( & o . ServiceAccounts . ExtendExpiration , "service-account-extend-token-expiration" , o . ServiceAccounts . ExtendExpiration , "" +
2020-08-10 17:43:49 +00:00
"Turns on projected service account expiration extension during token generation, " +
"which helps safe transition from legacy token to bound service account token feature. " +
"If this flag is enabled, admission injected tokens would be extended up to 1 year to " +
"prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration." )
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
if o . TokenFile != nil {
fs . StringVar ( & o . TokenFile . TokenFile , "token-auth-file" , o . TokenFile . TokenFile , "" +
2019-01-12 04:58:27 +00:00
"If set, the file that will be used to secure the secure port of the API server " +
"via token authentication." )
}
2020-12-01 01:06:26 +00:00
if o . WebHook != nil {
fs . StringVar ( & o . WebHook . ConfigFile , "authentication-token-webhook-config-file" , o . WebHook . ConfigFile , "" +
2019-01-12 04:58:27 +00:00
"File with webhook configuration for token authentication in kubeconfig format. " +
"The API server will query the remote service to determine authentication for bearer tokens." )
2020-12-01 01:06:26 +00:00
fs . StringVar ( & o . WebHook . Version , "authentication-token-webhook-version" , o . WebHook . Version , "" +
2019-12-12 01:27:03 +00:00
"The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook." )
2020-12-01 01:06:26 +00:00
fs . DurationVar ( & o . WebHook . CacheTTL , "authentication-token-webhook-cache-ttl" , o . WebHook . CacheTTL ,
2019-01-12 04:58:27 +00:00
"The duration to cache responses from the webhook token authenticator." )
}
}
2020-12-01 01:06:26 +00:00
// ToAuthenticationConfig convert BuiltInAuthenticationOptions to kubeauthenticator.Config
func ( o * BuiltInAuthenticationOptions ) ToAuthenticationConfig ( ) ( kubeauthenticator . Config , error ) {
2019-01-12 04:58:27 +00:00
ret := kubeauthenticator . Config {
2020-12-01 01:06:26 +00:00
TokenSuccessCacheTTL : o . TokenSuccessCacheTTL ,
TokenFailureCacheTTL : o . TokenFailureCacheTTL ,
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
if o . Anonymous != nil {
ret . Anonymous = o . Anonymous . Allow
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
if o . BootstrapToken != nil {
ret . BootstrapToken = o . BootstrapToken . Enable
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
if o . ClientCert != nil {
2019-12-12 01:27:03 +00:00
var err error
2020-12-01 01:06:26 +00:00
ret . ClientCAContentProvider , err = o . ClientCert . GetClientCAContentProvider ( )
2019-12-12 01:27:03 +00:00
if err != nil {
return kubeauthenticator . Config { } , err
}
2019-04-07 17:07:55 +00:00
}
2020-12-01 01:06:26 +00:00
if o . OIDC != nil {
ret . OIDCCAFile = o . OIDC . CAFile
ret . OIDCClientID = o . OIDC . ClientID
ret . OIDCGroupsClaim = o . OIDC . GroupsClaim
ret . OIDCGroupsPrefix = o . OIDC . GroupsPrefix
ret . OIDCIssuerURL = o . OIDC . IssuerURL
ret . OIDCUsernameClaim = o . OIDC . UsernameClaim
ret . OIDCUsernamePrefix = o . OIDC . UsernamePrefix
ret . OIDCSigningAlgs = o . OIDC . SigningAlgs
ret . OIDCRequiredClaims = o . OIDC . RequiredClaims
2019-08-30 18:33:25 +00:00
}
2020-12-01 01:06:26 +00:00
if o . RequestHeader != nil {
2019-12-12 01:27:03 +00:00
var err error
2020-12-01 01:06:26 +00:00
ret . RequestHeaderConfig , err = o . RequestHeader . ToAuthenticationRequestHeaderConfig ( )
2019-12-12 01:27:03 +00:00
if err != nil {
return kubeauthenticator . Config { } , err
}
2019-04-07 17:07:55 +00:00
}
2019-01-12 04:58:27 +00:00
2020-12-01 01:06:26 +00:00
ret . APIAudiences = o . APIAudiences
if o . ServiceAccounts != nil {
2021-07-02 08:43:15 +00:00
if len ( o . ServiceAccounts . Issuers ) != 0 && len ( o . APIAudiences ) == 0 {
ret . APIAudiences = authenticator . Audiences ( o . ServiceAccounts . Issuers )
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
ret . ServiceAccountKeyFiles = o . ServiceAccounts . KeyFiles
2021-07-02 08:43:15 +00:00
ret . ServiceAccountIssuers = o . ServiceAccounts . Issuers
2020-12-01 01:06:26 +00:00
ret . ServiceAccountLookup = o . ServiceAccounts . Lookup
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
if o . TokenFile != nil {
ret . TokenAuthFile = o . TokenFile . TokenFile
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
if o . WebHook != nil {
ret . WebhookTokenAuthnConfigFile = o . WebHook . ConfigFile
ret . WebhookTokenAuthnVersion = o . WebHook . Version
ret . WebhookTokenAuthnCacheTTL = o . WebHook . CacheTTL
ret . WebhookRetryBackoff = o . WebHook . RetryBackoff
2019-01-12 04:58:27 +00:00
2020-12-01 01:06:26 +00:00
if len ( o . WebHook . ConfigFile ) > 0 && o . WebHook . CacheTTL > 0 {
if o . TokenSuccessCacheTTL > 0 && o . WebHook . CacheTTL < o . TokenSuccessCacheTTL {
klog . Warningf ( "the webhook cache ttl of %s is shorter than the overall cache ttl of %s for successful token authentication attempts." , o . WebHook . CacheTTL , o . TokenSuccessCacheTTL )
2019-01-12 04:58:27 +00:00
}
2020-12-01 01:06:26 +00:00
if o . TokenFailureCacheTTL > 0 && o . WebHook . CacheTTL < o . TokenFailureCacheTTL {
klog . Warningf ( "the webhook cache ttl of %s is shorter than the overall cache ttl of %s for failed token authentication attempts." , o . WebHook . CacheTTL , o . TokenFailureCacheTTL )
2019-01-12 04:58:27 +00:00
}
}
}
2019-12-12 01:27:03 +00:00
return ret , nil
2019-01-12 04:58:27 +00:00
}
2020-06-23 22:12:14 +00:00
// ApplyTo requires already applied OpenAPIConfig and EgressSelector if present.
func ( o * BuiltInAuthenticationOptions ) ApplyTo ( authInfo * genericapiserver . AuthenticationInfo , secureServing * genericapiserver . SecureServingInfo , egressSelector * egressselector . EgressSelector , openAPIConfig * openapicommon . Config , extclient kubernetes . Interface , versionedInformer informers . SharedInformerFactory ) error {
2019-01-12 04:58:27 +00:00
if o == nil {
return nil
}
2020-06-23 22:12:14 +00:00
if openAPIConfig == nil {
return errors . New ( "uninitialized OpenAPIConfig" )
}
authenticatorConfig , err := o . ToAuthenticationConfig ( )
if err != nil {
return err
}
if authenticatorConfig . ClientCAContentProvider != nil {
if err = authInfo . ApplyClientCert ( authenticatorConfig . ClientCAContentProvider , secureServing ) ; err != nil {
2019-12-12 01:27:03 +00:00
return fmt . Errorf ( "unable to load client CA file: %v" , err )
}
2020-06-23 22:12:14 +00:00
}
if authenticatorConfig . RequestHeaderConfig != nil && authenticatorConfig . RequestHeaderConfig . CAContentProvider != nil {
if err = authInfo . ApplyClientCert ( authenticatorConfig . RequestHeaderConfig . CAContentProvider , secureServing ) ; err != nil {
2019-04-07 17:07:55 +00:00
return fmt . Errorf ( "unable to load client CA file: %v" , err )
}
}
2020-06-23 22:12:14 +00:00
authInfo . APIAudiences = o . APIAudiences
2021-07-02 08:43:15 +00:00
if o . ServiceAccounts != nil && len ( o . ServiceAccounts . Issuers ) != 0 && len ( o . APIAudiences ) == 0 {
authInfo . APIAudiences = authenticator . Audiences ( o . ServiceAccounts . Issuers )
2020-06-23 22:12:14 +00:00
}
2020-12-01 01:06:26 +00:00
authenticatorConfig . ServiceAccountTokenGetter = serviceaccountcontroller . NewGetterFromClient (
extclient ,
versionedInformer . Core ( ) . V1 ( ) . Secrets ( ) . Lister ( ) ,
versionedInformer . Core ( ) . V1 ( ) . ServiceAccounts ( ) . Lister ( ) ,
versionedInformer . Core ( ) . V1 ( ) . Pods ( ) . Lister ( ) ,
)
2020-06-23 22:12:14 +00:00
authenticatorConfig . BootstrapTokenAuthenticator = bootstrap . NewTokenAuthenticator (
versionedInformer . Core ( ) . V1 ( ) . Secrets ( ) . Lister ( ) . Secrets ( metav1 . NamespaceSystem ) ,
)
if egressSelector != nil {
2020-12-01 01:06:26 +00:00
egressDialer , err := egressSelector . Lookup ( egressselector . ControlPlane . AsNetworkContext ( ) )
2019-12-12 01:27:03 +00:00
if err != nil {
2020-06-23 22:12:14 +00:00
return err
2019-04-07 17:07:55 +00:00
}
2020-06-23 22:12:14 +00:00
authenticatorConfig . CustomDial = egressDialer
2019-04-07 17:07:55 +00:00
}
2020-06-23 22:12:14 +00:00
authInfo . Authenticator , openAPIConfig . SecurityDefinitions , err = authenticatorConfig . New ( )
if err != nil {
return err
2019-01-12 04:58:27 +00:00
}
return nil
}
// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func ( o * BuiltInAuthenticationOptions ) ApplyAuthorization ( authorization * BuiltInAuthorizationOptions ) {
2019-08-30 18:33:25 +00:00
if o == nil || authorization == nil || o . Anonymous == nil {
2019-01-12 04:58:27 +00:00
return
}
2019-08-30 18:33:25 +00:00
// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
// in such a case the AnonymousAuth is stomped to false and you get a message
if o . Anonymous . Allow && sets . NewString ( authorization . Modes ... ) . Has ( authzmodes . ModeAlwaysAllow ) {
klog . Warningf ( "AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer" )
o . Anonymous . Allow = false
}
2019-01-12 04:58:27 +00:00
}