From 0d2e5a0dd80f19baca480b80b4387de7c1ce6518 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 4 Apr 2017 22:00:07 -0400
Subject: [PATCH] Enable service account token lookup by default

```release-note
kube-apiserver: --service-account-lookup now defaults to true. This enables service account tokens to be revoked by deleting the Secret object containing the token.
```

---
 cluster/libvirt-coreos/util.sh | 2 +-
 cluster/rackspace/cloud-config/master-cloud-config.yaml | 2 +-
 hack/local-up-cluster.sh | 2 +-
 pkg/kubeapiserver/options/authentication.go | 2 +-
 .../getting-started-guides/coreos/cloud-configs/master.yaml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/cluster/libvirt-coreos/util.sh b/cluster/libvirt-coreos/util.sh
index 23285ce98a..511d1a36c0 100644
--- a/cluster/libvirt-coreos/util.sh
+++ b/cluster/libvirt-coreos/util.sh
@@ -26,7 +26,7 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
 source "$KUBE_ROOT/cluster/common.sh"
 export LIBVIRT_DEFAULT_URI=qemu:///system
-export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
+export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
 export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}
 readonly POOL=kubernetes
 readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
diff --git a/cluster/rackspace/cloud-config/master-cloud-config.yaml b/cluster/rackspace/cloud-config/master-cloud-config.yaml
index 5a66e1d283..7566e619e2 100644
--- a/cluster/rackspace/cloud-config/master-cloud-config.yaml
+++ b/cluster/rackspace/cloud-config/master-cloud-config.yaml
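Review bot: The new default on the `export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}` line is still silently overridden by any `SERVICE_ACCOUNT_LOOKUP` already present in the operator's environment or set by the config file sourced just above this hunk, so a stale `false` keeps token revocation disabled with nothing logged. Because disabling lookup means a service account token keeps authenticating after its Secret is deleted, that consequence belongs next to the default, e.g. `# true: reject service account tokens whose backing Secret no longer exists (deleting the Secret revokes the token); override only deliberately`. How the value is consumed downstream is not visible in this hunk.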
@@ -135,7 +135,7 @@ coreos:
 --token-auth-file=/var/lib/kube-apiserver/known_tokens.csv \
 --v=2 \
 --service-account-key-file=/var/run/kubernetes/kube-serviceaccount.key \
- --service-account-lookup=false \
+ --service-account-lookup=true \
 --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultTolerationSeconds,ResourceQuota
 Restart=always
 RestartSec=5
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 1e43f067ec..b66098a487 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -361,7 +361,7 @@ function start_etcd {
 }
 function set_service_accounts {
- SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
+ SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
 SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-/tmp/kube-serviceaccount.key}
 # Generate ServiceAccount key if needed
 if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 0bdc8da2f2..bda8a45782 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -147,7 +147,7 @@ func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticatio
 }
 func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
- s.ServiceAccounts = &ServiceAccountAuthenticationOptions{}
+ s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true}
 return s
 }
diff --git a/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml b/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
index fbacf82ef5..be82a97f24 100644
--- a/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
+++ b/test/fixtures/doc-yaml/getting-started-guides/coreos/cloud-configs/master.yaml
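Review bot: The explicit `--service-account-lookup=true` in this ExecStart now duplicates the compiled-in default this same patch introduces, so a later reader is likely to drop it as redundant; keeping it pinned is the safer choice, because the manifest then enforces revocation regardless of which apiserver binary the unit happens to run, and that intent should be recorded in a `#` comment line above the `ExecStart=` line (outside this hunk, where a comment is valid in a systemd unit): `# --service-account-lookup=true pins token revocation via Secret deletion; do not rely on the binary default`. The static tokens loaded by `--token-auth-file` on the first context line are not covered by this mechanism, which the release note scopes to service account tokens.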
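Review bot: `set_service_accounts` now defaults lookup to true but still honours an environment override, so a developer who exported `SERVICE_ACCOUNT_LOOKUP=false` in an earlier session silently brings up a cluster where a deleted service account Secret keeps authenticating; a comment above the assignment would make the trade-off visible at the point of override: `# true: deleting a service account Secret revokes its token. Set false only when you deliberately need the old behaviour.` The function body continues outside this hunk, so how the value reaches the apiserver flag is not visible here.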
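Review bot: The new default lives only in the struct literal inside `WithServiceAccounts`, so any caller that constructs `ServiceAccountAuthenticationOptions{}` directly, or a reader looking at the `Lookup` field's declaration, still sees the zero value `false` with no hint that token revocation depends on it. Document the default and the reason on the constructor, which currently has no doc comment: `// WithServiceAccounts enables service account token authentication. Lookup defaults to true so that a token is rejected once the Secret that holds it is deleted.` The same sentence belongs on the `Lookup` field declaration and in the `--service-account-lookup` flag help text, both outside this hunk. The leading `}` is the end of WithRequestHeader, whose body starts outside the hunk.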
@@ -90,7 +90,7 @@ coreos:
 ExecStartPre=/opt/bin/wupiao 127.0.0.1:2379/v2/machines
 ExecStart=/opt/bin/kube-apiserver \
 --service-account-key-file=/opt/bin/kube-serviceaccount.key \
- --service-account-lookup=false \
+ --service-account-lookup=true \
 --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
 --runtime-config=api/v1 \
 --allow-privileged=true \