Kubelet auth flags

cmd/kubelet/app/BUILD

@@ -13,6 +13,7 @@ load(
 go_library(
     name = "go_default_library",
     srcs = [
+        "auth.go",
         "bootstrap.go",
         "plugins.go",
         "server.go",
@@ -24,9 +25,15 @@ go_library(
         "//pkg/api:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//pkg/apis/componentconfig/v1alpha1:go_default_library",
+        "//pkg/auth/authenticator:go_default_library",
+        "//pkg/auth/authenticator/bearertoken:go_default_library",
+        "//pkg/auth/authorizer:go_default_library",
+        "//pkg/auth/group:go_default_library",
         "//pkg/capabilities:go_default_library",
         "//pkg/client/chaosclient:go_default_library",
         "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset/typed/authentication/unversioned:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset/typed/authorization/unversioned:go_default_library",
         "//pkg/client/clientset_generated/internalclientset/typed/certificates/unversioned:go_default_library",
         "//pkg/client/clientset_generated/internalclientset/typed/core/unversioned:go_default_library",
         "//pkg/client/record:go_default_library",
@@ -39,6 +46,7 @@ go_library(
         "//pkg/credentialprovider:go_default_library",
         "//pkg/credentialprovider/aws:go_default_library",
         "//pkg/credentialprovider/gcp:go_default_library",
+        "//pkg/genericapiserver/authorizer:go_default_library",
         "//pkg/healthz:go_default_library",
         "//pkg/kubelet:go_default_library",
         "//pkg/kubelet/cadvisor:go_default_library",
@@ -89,6 +97,11 @@ go_library(
         "//pkg/volume/rbd:go_default_library",
         "//pkg/volume/secret:go_default_library",
         "//pkg/volume/vsphere_volume:go_default_library",
+        "//plugin/pkg/auth/authenticator/request/anonymous:go_default_library",
+        "//plugin/pkg/auth/authenticator/request/union:go_default_library",
+        "//plugin/pkg/auth/authenticator/request/x509:go_default_library",
+        "//plugin/pkg/auth/authenticator/token/webhook:go_default_library",
+        "//plugin/pkg/auth/authorizer/webhook:go_default_library",
         "//vendor:github.com/golang/glog",
         "//vendor:github.com/spf13/cobra",
         "//vendor:github.com/spf13/pflag",

cmd/kubelet/app/options/options.go

@@ -98,6 +98,29 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
 	fs.Var(componentconfig.IPVar{Val: &s.Address}, "address", "The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)")
 	fs.Int32Var(&s.Port, "port", s.Port, "The port for the Kubelet to serve on.")
 	fs.Int32Var(&s.ReadOnlyPort, "read-only-port", s.ReadOnlyPort, "The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable)")
+
+	// Authentication
+	fs.BoolVar(&s.Authentication.Anonymous.Enabled, "anonymous-auth", s.Authentication.Anonymous.Enabled, ""+
+		"Enables anonymous requests to the Kubelet server. Requests that are not rejected by another "+
+		"authentication method are treated as anonymous requests. Anonymous requests have a username "+
+		"of system:anonymous, and a group name of system:unauthenticated.")
+	fs.BoolVar(&s.Authentication.Webhook.Enabled, "authentication-token-webhook", s.Authentication.Webhook.Enabled, ""+
+		"Use the TokenReview API to determine authentication for bearer tokens.")
+	fs.DurationVar(&s.Authentication.Webhook.CacheTTL.Duration, "authentication-token-webhook-cache-ttl", s.Authentication.Webhook.CacheTTL.Duration, ""+
+		"The duration to cache responses from the webhook token authenticator.")
+	fs.StringVar(&s.Authentication.X509.ClientCAFile, "client-ca-file", s.Authentication.X509.ClientCAFile, ""+
+		"If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file "+
+		"is authenticated with an identity corresponding to the CommonName of the client certificate.")
+
+	// Authorization
+	fs.StringVar((*string)(&s.Authorization.Mode), "authorization-mode", string(s.Authorization.Mode), ""+
+		"Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. "+
+		"Webhook mode uses the SubjectAccessReview API to determine authorization.")
+	fs.DurationVar(&s.Authorization.Webhook.CacheAuthorizedTTL.Duration, "authorization-webhook-cache-authorized-ttl", s.Authorization.Webhook.CacheAuthorizedTTL.Duration, ""+
+		"The duration to cache 'authorized' responses from the webhook authorizer.")
+	fs.DurationVar(&s.Authorization.Webhook.CacheUnauthorizedTTL.Duration, "authorization-webhook-cache-unauthorized-ttl", s.Authorization.Webhook.CacheUnauthorizedTTL.Duration, ""+
+		"The duration to cache 'unauthorized' responses from the webhook authorizer.")
+
 	fs.StringVar(&s.TLSCertFile, "tls-cert-file", s.TLSCertFile, ""+
 		"File containing x509 Certificate for HTTPS.  (CA cert, if any, concatenated after server cert). "+
 		"If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+

hack/verify-flags/known-flags.txt

@@ -32,6 +32,7 @@ auth-provider
 auth-provider
 auth-provider-arg
 auth-provider-arg
+authentication-token-webhook
 authentication-token-webhook-cache-ttl
 authentication-token-webhook-config-file
 authorization-mode