github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
76,355 Commits
32 Branches
881 Tags
633 MiB
Commit Graph

25 Commits (af2659527f0bd2f7ad8500ffcd0e5640bfd53cc3)

Author SHA1 Message Date
Andrew Lytvynov 18458392ca Extract new keyutil package from client-go/util/cert 
This package contains public/private key utilities copied directly from
client-go/util/cert. All imports were updated.

Future PRs will actually refactor the libraries.

Updates #71004
 2019-02-19 09:48:59 -08:00
Jeff Grafton 23ceebac22 Run hack/update-bazel.sh 2018-06-22 16:22:57 -07:00
Mike Danese 024f57affe implement token authenticator for new id tokens 2018-02-27 17:20:46 -08:00
Di Xu ebd0c4011b initialize all known client auth plugins 2018-02-23 16:02:30 +08:00
Davanum Srinivas 18590378c4 Remove experimental keystone authenticator 
experimental-keystone-url and experimental-keystone-ca-file were always
experimental. So we don't need a deprecation period.
KeystoneAuthenticator was on the server side and needed userid/password
to be passed in and used that to authenticate with Keystone. We now
have authentication and authorization web hooks that can be used. There
is a external repo with a webook for keystone which works fine along
with the kubectl auth provider that was added in:
a0cebcb559

So we don't need this older style / hard coded / experimental code
anymore.
 2018-02-07 19:28:55 -05:00
Jeff Grafton aee5f457db update BUILD files 2017-10-15 18:18:13 -07:00
Kubernetes Submit Queue 42adb9ef25 Merge pull request #50258 from liggitt/token-cache 
Automatic merge from submit-queue (batch tested with PRs 49488, 50407, 46105, 50456, 50258)

Enable caching successful token authentication

Resolves #50472

To support revocation of service account tokens, an etcd lookup of the token and service account is done by the token authenticator. Controllers that make dozens or hundreds of API calls per second (like the endpoints controller) cause this lookup to be done very frequently on the same objects.

This PR:
* Implements a cached token authenticator that conforms to the authenticator.Token interface
* Implements a union token authenticator (same approach as the union request authenticator, conforming to the authenticator.Token interface)
* Cleans up the auth chain construction to group all token authenticators (means we only do bearer and websocket header parsing once)
* Adds a 10-second TTL cache to successful token authentication

```release-note
API server authentication now caches successful bearer token authentication results for a few seconds.
```
 2017-08-11 14:14:06 -07:00
Jeff Grafton a7f49c906d Use buildozer to delete licenses() rules except under third_party/ 2017-08-11 09:32:39 -07:00
Jeff Grafton 33276f06be Use buildozer to remove deprecated automanaged tags 2017-08-11 09:31:50 -07:00
Jordan Liggitt 0458fac8c0
Simplify bearer token auth chain, cache successful authentications 2017-08-09 23:37:24 -04:00
Eric Chiang e2f2ab67f2 *: remove --insecure-allow-any-token option 
e2e and integration tests have been switched over to the tokenfile
authenticator instead.

```release-note
The --insecure-allow-any-token flag has been removed from kube-apiserver. Users of the flag should use impersonation headers instead for debugging.
```
 2017-07-18 16:03:15 -07:00
Jordan Liggitt 6a872c09eb
Use websocket protocol authenticator in apiserver 2017-06-21 09:47:34 -04:00
Mike Danese a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
deads2k 379a73a8db make the system:authenticated group adder smarter 2017-03-03 12:32:52 -05:00
deads2k 0d8e6b8500 move genericapiserver authenticator and authorizer factories 2017-01-26 08:50:47 -05:00
Dr. Stefan Schimanski 2b8e938128 Update generated files 2017-01-24 20:56:03 +01:00
deads2k 5a8f075197 move authoritative client-go utils out of pkg 2017-01-24 08:59:18 -05:00
deads2k ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00
deads2k 31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k 1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Jeff Grafton 20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k 4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
deads2k ab1b77673f decouple genericapiserver from non-generic authenticator 2016-12-22 07:48:08 -05:00