Merge pull request #70308 from mikedanese/trev7

default api audiences to service account token issuer if available
2018-10-29 22:08:01 -07:00 · 2018-10-29 22:08:01 -07:00 · 1f0f4cd7eb
parent 2f175c1b41 a13b48de94
commit 1f0f4cd7eb
3 changed files with 20 additions and 6 deletions
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@ -61,6 +61,7 @@ go_library(
        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@ -99,6 +100,7 @@ go_test(
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
    ],
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@ -26,6 +26,7 @@ import (
 	"github.com/spf13/pflag"

 	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/util/flag"
@ -176,7 +177,9 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
 func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
 		"Identifiers of the API. The service account token authenticator will validate that "+
-		"tokens used against the API are bound to at least one of these audiences.")
+		"tokens used against the API are bound to at least one of these audiences. If the "+
+		"--service-account-issuer flag is configured and this flag is not, this field "+
+		"defaults to a single element list containing the issuer URL .")

 	if s.Anonymous != nil {
 		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
@ -327,11 +330,14 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
 		ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
 	}

-	if s.ServiceAccounts != nil {
-		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
-		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
-		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
 	ret.APIAudiences = s.APIAudiences
+	if s.ServiceAccounts != nil {
+		if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
+			ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
+		}
+		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
+		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
+		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
 	}

 	if s.TokenFile != nil {
@ -373,7 +379,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 	}

 	c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
+
 	c.Authentication.APIAudiences = o.APIAudiences
+	if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
+		c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
+	}

 	return nil
 }
--- a/pkg/kubeapiserver/options/authentication_test.go
+++ b/pkg/kubeapiserver/options/authentication_test.go
@ -23,9 +23,10 @@ import (
 	"time"

 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	apiserveroptions "k8s.io/apiserver/pkg/server/options"
-	"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
+	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 )

 func TestAuthenticationValidate(t *testing.T) {
@ -137,7 +138,8 @@ func TestToAuthenticationConfig(t *testing.T) {
 		TokenFailureCacheTTL: 0,
 	}

-	expectConfig := authenticator.AuthenticatorConfig{
+	expectConfig := kubeauthenticator.AuthenticatorConfig{
+		APIAudiences:                authenticator.Audiences{"http://foo.bar.com"},
 		Anonymous:                   false,
 		BasicAuthFile:               "/testBasicAuthFile",
 		BootstrapToken:              false,
@ -167,6 +169,6 @@ func TestToAuthenticationConfig(t *testing.T) {

 	resultConfig := testOptions.ToAuthenticationConfig()
 	if !reflect.DeepEqual(resultConfig, expectConfig) {
-		t.Errorf("Got AuthenticationConfig: %v, Expected AuthenticationConfig: %v", resultConfig, expectConfig)
+		t.Errorf("Got AuthenticationConfig:\n\t%v\nExpected AuthenticationConfig:\n\t%v", resultConfig, expectConfig)
 	}
 }