github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

default api audiences to service account token issuer if available 

This is a sane default that users can choose to migrate away from later.
pull/58/head
Mike Danese 2018-10-26 15:11:41 -07:00
parent a8934ff6fb
commit a13b48de94
3 changed files with 20 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/kubeapiserver/options/BUILD
View File

@ -61,6 +61,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/plugin/namespace/lifecycle:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/validating:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
@ -99,6 +100,7 @@ go_test(
"//pkg/kubeapiserver/authorizer/modes:go_default_library", "//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
], ],

16
pkg/kubeapiserver/options/authentication.go
View File

@ -26,6 +26,7 @@ import (
"github.com/spf13/pflag" "github.com/spf13/pflag"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options" genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/util/flag" "k8s.io/apiserver/pkg/util/flag"
@ -176,7 +177,9 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+ fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
"Identifiers of the API. The service account token authenticator will validate that "+ "Identifiers of the API. The service account token authenticator will validate that "+
"tokens used against the API are bound to at least one of these audiences.") "tokens used against the API are bound to at least one of these audiences. If the "+
"--service-account-issuer flag is configured and this flag is not, this field "+
"defaults to a single element list containing the issuer URL .")
if s.Anonymous != nil { if s.Anonymous != nil {
fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+ fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
@ -327,11 +330,14 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig() ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
} }
ret.APIAudiences = s.APIAudiences
if s.ServiceAccounts != nil { if s.ServiceAccounts != nil {
if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
}
ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
ret.APIAudiences = s.APIAudiences ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
} }
if s.TokenFile != nil { if s.TokenFile != nil {
@ -373,7 +379,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
} }
c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
c.Authentication.APIAudiences = o.APIAudiences c.Authentication.APIAudiences = o.APIAudiences
if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
}
return nil return nil
} }

8
pkg/kubeapiserver/options/authentication_test.go
View File

@ -23,9 +23,10 @@ import (
"time" "time"
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory" "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
apiserveroptions "k8s.io/apiserver/pkg/server/options" apiserveroptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator" kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
) )
func TestAuthenticationValidate(t *testing.T) { func TestAuthenticationValidate(t *testing.T) {
@ -137,7 +138,8 @@ func TestToAuthenticationConfig(t *testing.T) {
TokenFailureCacheTTL: 0, TokenFailureCacheTTL: 0,
} }
expectConfig := authenticator.AuthenticatorConfig{ expectConfig := kubeauthenticator.AuthenticatorConfig{
APIAudiences: authenticator.Audiences{"http://foo.bar.com"},
Anonymous: false, Anonymous: false,
BasicAuthFile: "/testBasicAuthFile", BasicAuthFile: "/testBasicAuthFile",
BootstrapToken: false, BootstrapToken: false,
@ -167,6 +169,6 @@ func TestToAuthenticationConfig(t *testing.T) {
resultConfig := testOptions.ToAuthenticationConfig() resultConfig := testOptions.ToAuthenticationConfig()
if !reflect.DeepEqual(resultConfig, expectConfig) { if !reflect.DeepEqual(resultConfig, expectConfig) {
t.Errorf("Got AuthenticationConfig: %v, Expected AuthenticationConfig: %v", resultConfig, expectConfig) t.Errorf("Got AuthenticationConfig:\n\t%v\nExpected AuthenticationConfig:\n\t%v", resultConfig, expectConfig)
} }
} }