diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
index 7d2fb436d1..2aab2e220a 100644
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
 // BuildAuthn creates an authenticator compatible with the kubelet's needs
 func BuildAuthn(client authenticationclient.TokenReviewInterface, authn kubeletconfig.KubeletAuthentication) (authenticator.Request, error) {
 authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
- Anonymous: authn.Anonymous.Enabled,
 CacheTTL: authn.Webhook.CacheTTL.Duration,
 ClientCAFile: authn.X509.ClientCAFile,
 }
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index a9ecdc47e7..8450e379f3 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -22,7 +22,6 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 "k8s.io/apiserver/pkg/authentication/group"
- "k8s.io/apiserver/pkg/authentication/request/anonymous"
 "k8s.io/apiserver/pkg/authentication/request/bearertoken"
 "k8s.io/apiserver/pkg/authentication/request/headerrequest"
 "k8s.io/apiserver/pkg/authentication/request/union"
@@ -46,7 +45,6 @@ import (
 // Config contains the data on how to authenticate a request to the Kube API Server
 type Config struct {
- Anonymous bool
 BasicAuthFile string
 ClientCAFile string
 TokenAuthFile string
@@ -147,9 +145,6 @@ func (config Config) New() (authenticator.Request, error) {
 }
 if len(authenticators) == 0 {
- if config.Anonymous {
- return anonymous.NewAuthenticator(), nil
- }
 return nil, nil
 }
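Review bot: In `Config.New()` in pkg/kubeapiserver/authenticator/config.go (hunk -147,9), the `len(authenticators) == 0` branch is now just `return nil, nil`, so a configuration with no authentication method yields a nil authenticator and no error. How the caller treats a nil authenticator is not visible in this diff; if it takes nil to mean that the authentication filter is skipped, requests without credentials would be served with no identity attached instead of being rejected. `DelegatingAuthenticatorConfig.New()` in delegating.go returns an error in the same situation, and this branch could do the same with `return nil, errors.New("no authentication method configured")`, provided `errors` is imported in this file (the import block is only partly shown). The body of `New()` starts and ends outside the hunk.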
@@ -157,12 +152,6 @@ func (config Config) New() (authenticator.Request, error) {
 authenticator = group.NewAuthenticatedGroupAdder(authenticator)
- if config.Anonymous {
- // If the authenticator chain returns an error, return an error (don't consider a bad bearer token
- // or invalid username/password combination anonymous).
- authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
- }
-
 return authenticator, nil
 }
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 096305421e..3b6d003752 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -25,17 +25,14 @@ import (
 "github.com/spf13/pflag"
 "k8s.io/klog"
- "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 genericapiserver "k8s.io/apiserver/pkg/server"
 genericoptions "k8s.io/apiserver/pkg/server/options"
 kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
- authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
 type BuiltInAuthenticationOptions struct {
 APIAudiences []string
- Anonymous *AnonymousAuthenticationOptions
 ClientCert *genericoptions.ClientCertAuthenticationOptions
 PasswordFile *PasswordFileAuthenticationOptions
 RequestHeader *genericoptions.RequestHeaderAuthenticationOptions
@@ -47,10 +44,6 @@ type BuiltInAuthenticationOptions struct {
 TokenFailureCacheTTL time.Duration
 }
-type AnonymousAuthenticationOptions struct {
- Allow bool
-}
-
 type PasswordFileAuthenticationOptions struct {
 BasicAuthFile string
 }
@@ -80,7 +73,6 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
 func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 return s.
- WithAnonymous().
 WithClientCert().
 WithPasswordFile().
 WithRequestHeader().
@@ -89,11 +81,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 WithWebHook()
 }
-func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
- s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
- return s
-}
-
 func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
 s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
 return s
@@ -146,13 +133,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 "--service-account-issuer flag is configured and this flag is not, this field "+
 "defaults to a single element list containing the issuer URL .")
- if s.Anonymous != nil {
- fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
- "Enables anonymous requests to the secure port of the API server. "+
- "Requests that are not rejected by another authentication method are treated as anonymous requests. "+
- "Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
- }
-
 if s.ClientCert != nil {
 s.ClientCert.AddFlags(fs)
 }
@@ -215,10 +195,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
 TokenFailureCacheTTL: s.TokenFailureCacheTTL,
 }
- if s.Anonymous != nil {
- ret.Anonymous = s.Anonymous.Allow
- }
-
 if s.ClientCert != nil {
 ret.ClientCAFile = s.ClientCert.ClientCA
 }
@@ -291,14 +267,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 // ApplyAuthorization will conditionally modify the authentication options based on the authorization options
 func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
- if o == nil || authorization == nil || o.Anonymous == nil {
+ if o == nil || authorization == nil {
 return
 }
-
- // authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
- // in such a case the AnonymousAuth is stomped to false and you get a message
- if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
- klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
- o.Anonymous.Allow = false
- }
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
index 1c281d5562..4fa4c11cde 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@@ -23,7 +23,6 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/group"
- "k8s.io/apiserver/pkg/authentication/request/anonymous"
 "k8s.io/apiserver/pkg/authentication/request/bearertoken"
 "k8s.io/apiserver/pkg/authentication/request/headerrequest"
 unionauth "k8s.io/apiserver/pkg/authentication/request/union"
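Review bot: After the -291,14 hunk, `ApplyAuthorization` in pkg/kubeapiserver/options/authentication.go consists only of the guard `if o == nil || authorization == nil { return }` followed by the closing brace, so it no longer does anything, while its doc comment still says it "will conditionally modify the authentication options". Either remove the function together with its callers, or keep it as an explicit no-op and replace the comment with something like `// ApplyAuthorization is a no-op; it is kept so existing callers keep compiling.` The import hunk of the same file (-25,17) keeps `"k8s.io/klog"` while the only `klog` call visible in this diff is deleted here; if nothing else in the file uses it the build fails on an unused import, which cannot be checked from the hunks shown.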
@@ -38,8 +37,6 @@ import (
 // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
 // built to delegate authentication to a kube API server
 type DelegatingAuthenticatorConfig struct {
- Anonymous bool
-
 // TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
 TokenAccessReviewClient authenticationclient.TokenReviewInterface
@@ -94,15 +91,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
 }
 if len(authenticators) == 0 {
- if c.Anonymous {
- return anonymous.NewAuthenticator(), nil
- }
 return nil, errors.New("No authentication method configured")
 }
 authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...))
- if c.Anonymous {
- authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
- }
 return authenticator, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
deleted file mode 100644
index 329b92ecc5..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+++ /dev/null
@@ -1,42 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
- "@io_bazel_rules_go//go:def.bzl",
- "go_library",
- "go_test",
-)
-
-go_test(
- name = "go_default_test",
- srcs = ["anonymous_test.go"],
- embed = [":go_default_library"],
- deps = [
- "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
- ],
-)
-
-go_library(
- name = "go_default_library",
- srcs = ["anonymous.go"],
- importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
- importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
- deps = [
- "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
- ],
-)
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
-)
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
deleted file mode 100644
index f9177d1513..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
- "net/http"
-
- "k8s.io/apiserver/pkg/authentication/authenticator"
- "k8s.io/apiserver/pkg/authentication/user"
-)
-
-const (
- anonymousUser = user.Anonymous
-
- unauthenticatedGroup = user.AllUnauthenticated
-)
-
-func NewAuthenticator() authenticator.Request {
- return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
- auds, _ := authenticator.AudiencesFrom(req.Context())
- return &authenticator.Response{
- User: &user.DefaultInfo{
- Name: anonymousUser,
- Groups: []string{unauthenticatedGroup},
- },
- Audiences: auds,
- }, true, nil
- })
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
deleted file mode 100644
index 494ab60974..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
- "net/http"
- "testing"
-
- "k8s.io/apimachinery/pkg/util/sets"
- "k8s.io/apiserver/pkg/authentication/authenticator"
- "k8s.io/apiserver/pkg/authentication/user"
-)
-
-func TestAnonymous(t *testing.T) {
- var a authenticator.Request = NewAuthenticator()
- r, ok, err := a.AuthenticateRequest(&http.Request{})
- if err != nil {
- t.Fatalf("Unexpected error %v", err)
- }
- if !ok {
- t.Fatalf("Unexpectedly unauthenticated")
- }
- if r.User.GetName() != user.Anonymous {
- t.Fatalf("Expected username %s, got %s", user.Anonymous, r.User.GetName())
- }
- if !sets.NewString(r.User.GetGroups()...).Equal(sets.NewString(user.AllUnauthenticated)) {
- t.Fatalf("Expected group %s, got %v", user.AllUnauthenticated, r.User.GetGroups())
- }
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
index 3204fb0705..9dfeec8c4c 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -176,7 +176,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
 }
 cfg := authenticatorfactory.DelegatingAuthenticatorConfig{
- Anonymous: true,
 CacheTTL: s.CacheTTL,
 }