github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add helper methods for SA token secret checks

pull/6/head
deads2k 2015-09-16 16:04:26 -04:00
parent e83bf49f86
commit 32a495acb6
3 changed files with 57 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
pkg/controller/serviceaccount/tokens_controller.go
View File

@ -417,7 +417,7 @@ func (e *TokensController) removeSecretReferenceIfNeeded(serviceAccount *api.Ser
// getServiceAccount returns the ServiceAccount referenced by the given secret. If the secret is not // getServiceAccount returns the ServiceAccount referenced by the given secret. If the secret is not
// of type ServiceAccountToken, or if the referenced ServiceAccount does not exist, nil is returned // of type ServiceAccountToken, or if the referenced ServiceAccount does not exist, nil is returned
func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMiss bool) (*api.ServiceAccount, error) { func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMiss bool) (*api.ServiceAccount, error) {
name, uid := serviceAccountNameAndUID(secret) name, _ := serviceAccountNameAndUID(secret)
if len(name) == 0 { if len(name) == 0 {
return nil, nil return nil, nil
} }
@ -430,15 +430,10 @@ func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMis
for _, obj := range namespaceAccounts { for _, obj := range namespaceAccounts {
serviceAccount := obj.(*api.ServiceAccount) serviceAccount := obj.(*api.ServiceAccount)
if name != serviceAccount.Name {
// Name must match if IsServiceAccountToken(secret, serviceAccount) {
continue return serviceAccount, nil
} }
if len(uid) > 0 && uid != string(serviceAccount.UID) {
// If UID is specified, it must match
continue
}
return serviceAccount, nil
} }
if fetchOnCacheMiss { if fetchOnCacheMiss {
@ -449,11 +444,10 @@ func (e *TokensController) getServiceAccount(secret *api.Secret, fetchOnCacheMis
if err != nil { if err != nil {
return nil, err return nil, err
} }
if len(uid) > 0 && uid != string(serviceAccount.UID) {
// If UID is specified, it must match if IsServiceAccountToken(secret, serviceAccount) {
return nil, nil return serviceAccount, nil
} }
return serviceAccount, nil
} }
return nil, nil return nil, nil
@ -471,16 +465,10 @@ func (e *TokensController) listTokenSecrets(serviceAccount *api.ServiceAccount)
items := []*api.Secret{} items := []*api.Secret{}
for _, obj := range namespaceSecrets { for _, obj := range namespaceSecrets {
secret := obj.(*api.Secret) secret := obj.(*api.Secret)
name, uid := serviceAccountNameAndUID(secret)
if name != serviceAccount.Name { if IsServiceAccountToken(secret, serviceAccount) {
// Name must match items = append(items, secret)
continue
} }
if len(uid) > 0 && uid != string(serviceAccount.UID) {
// If UID is specified, it must match
continue
}
items = append(items, secret)
} }
return items, nil return items, nil
} }

43
pkg/controller/serviceaccount/util.go
View File

@ -20,8 +20,12 @@ import (
"fmt" "fmt"
"strings" "strings"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/validation" "k8s.io/kubernetes/pkg/api/validation"
"k8s.io/kubernetes/pkg/auth/user" "k8s.io/kubernetes/pkg/auth/user"
client "k8s.io/kubernetes/pkg/client/unversioned"
"k8s.io/kubernetes/pkg/fields"
"k8s.io/kubernetes/pkg/labels"
) )
const ( const (
@ -81,3 +85,42 @@ func UserInfo(namespace, name, uid string) user.Info {
Groups: MakeGroupNames(namespace, name), Groups: MakeGroupNames(namespace, name),
} }
} }
// GetServiceAccountTokens returns all ServiceAccountToken secrets for the given ServiceAccount
func GetServiceAccountTokens(secretsNamespacer client.SecretsNamespacer, sa *api.ServiceAccount) ([]*api.Secret, error) {
tokenSelector := fields.SelectorFromSet(map[string]string{client.SecretType: string(api.SecretTypeServiceAccountToken)})
secrets, err := secretsNamespacer.Secrets(sa.Namespace).List(labels.Everything(), tokenSelector)
if err != nil {
return nil, err
}
tokenSecrets := []*api.Secret{}
for i := range secrets.Items {
secret := &secrets.Items[i]
if IsServiceAccountToken(secret, sa) {
tokenSecrets = append(tokenSecrets, secret)
}
}
return tokenSecrets, nil
}
// IsServiceAccountToken returns true if the secret is a valid api token for the service account
func IsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool {
if secret.Type != api.SecretTypeServiceAccountToken {
return false
}
name := secret.Annotations[api.ServiceAccountNameKey]
uid := secret.Annotations[api.ServiceAccountUIDKey]
if name != sa.Name {
// Name must match
return false
}
if len(uid) > 0 && uid != string(sa.UID) {
// If UID is specified, it must match
return false
}
return true
}

17
plugin/pkg/admission/serviceaccount/admission.go
View File

@ -27,6 +27,7 @@ import (
"k8s.io/kubernetes/pkg/api/errors" "k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/client/cache" "k8s.io/kubernetes/pkg/client/cache"
client "k8s.io/kubernetes/pkg/client/unversioned" client "k8s.io/kubernetes/pkg/client/unversioned"
"k8s.io/kubernetes/pkg/controller/serviceaccount"
"k8s.io/kubernetes/pkg/fields" "k8s.io/kubernetes/pkg/fields"
"k8s.io/kubernetes/pkg/kubelet" "k8s.io/kubernetes/pkg/kubelet"
"k8s.io/kubernetes/pkg/labels" "k8s.io/kubernetes/pkg/labels"
@ -273,20 +274,10 @@ func (s *serviceAccount) getServiceAccountTokens(serviceAccount *api.ServiceAcco
tokens := []*api.Secret{} tokens := []*api.Secret{}
for _, obj := range index { for _, obj := range index {
token := obj.(*api.Secret) token := obj.(*api.Secret)
if token.Type != api.SecretTypeServiceAccountToken {
continue if serviceaccount.IsServiceAccountToken(token, serviceAccount) {
tokens = append(tokens, token)
} }
name := token.Annotations[api.ServiceAccountNameKey]
uid := token.Annotations[api.ServiceAccountUIDKey]
if name != serviceAccount.Name {
// Name must match
continue
}
if len(uid) > 0 && uid != string(serviceAccount.UID) {
// If UID is set, it must match
continue
}
tokens = append(tokens, token)
} }
return tokens, nil return tokens, nil
} }