60dd4a5d26
interesting changes to add tokenreviews endpoint to implement webhook
2016-08-03 08:37:45 -04:00
4d0d115690
Revert "add tokenreviews endpoint to implement webhook"
2016-07-21 09:40:35 +02:00
2c4a9f2e8d
interesting changes to add tokenreviews endpoint to implement webhook
2016-07-20 15:11:56 -04:00
426fdc431a
Merge branch 'master' into fix-typos
2016-07-04 11:20:47 +08:00
038ac428f4
Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
...
Automatic merge from submit-queue
oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.
Errors are now deferred to the authenticate method.
cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
2f6db37ff5
oidc auth plugin: don't hard fail if provider is unavailable
...
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.
Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
ef0c9f0c5b
Remove "All rights reserved" from all the headers.
2016-06-29 17:47:36 -07:00
38a1042199
Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer.
2016-06-23 18:15:39 -07:00
ae67a4e209
Check HTTP Status code in webhook authorizer/authenticator.
2016-06-22 11:15:33 -07:00
fd27cd47f7
fix some typos
...
Signed-off-by: bin liu <liubin0329@gmail.com>
2016-06-22 18:14:26 +08:00
346f965871
Merge pull request #25694 from cjcullen/authncache
...
Automatic merge from submit-queue
Cache Webhook Authentication responses
Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.
Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DOS the remote authenticator.
2016-05-21 10:48:38 -07:00
e85940ed17
add tests for newOIDCAuthProvider
2016-05-18 17:03:11 -07:00
c990462d0f
Refactor test oidc provider into its own package
...
This makes it easier to test other OIDC code.
2016-05-18 17:03:11 -07:00
57f96a932f
Add expiration LRU cache for webhook token authenticator.
2016-05-18 11:58:11 -07:00
eb3b0e78b4
Add a webhook token authenticator plugin.
2016-05-10 14:54:35 -07:00
bf1a3f99c0
Uncomment the code that cause by #19254
2016-04-25 23:21:31 +08:00
ae79677fd0
Remove global var for OIDC retry/backoff, and remove retries from unit tests.
2016-04-07 14:18:29 -07:00
a4d04095d0
Refactor crlf & crypto
2016-03-21 20:20:05 +08:00
8df55ddbe5
plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types
...
The provider config has changed a little bit in go-oidc. It is more
complete and now throws errors when unmarshaling provider configs
that are missing required fields (as defined by the OpenID Connect
Discovery spec).
Update the oidc plugin to use the new type.
2016-03-01 11:39:18 -08:00
7f1b699880
Merge pull request #21071 from soltysh/server_close
...
Auto commit by PR queue bot
2016-02-23 06:34:27 -08:00
f366baeaeb
Merge pull request #21128 from yifan-gu/fix_oidc_tailing_slash_issuer
...
Auto commit by PR queue bot
2016-02-15 17:46:49 -08:00
43fb544a4a
Merge pull request #21001 from ericchiang/oidc_groups
...
Auto commit by PR queue bot
2016-02-14 05:24:43 -08:00
92d37d5cc5
plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim
2016-02-12 09:58:18 -08:00
905dfd9b77
Fix another instance of golang #12262
...
Reliably reproducible on two up-to-date Fedora 23 machines using
go 1.5.3, both one Core i7-4770R and a Core i7-4790.
https://github.com/golang/go/issues/12262
2016-02-12 10:04:48 -06:00
36bd693d3a
oidc: Remove tailing slash before fetching the provider config.
2016-02-12 16:40:45 +08:00
72654d347c
Comment out calls to httptest.Server.Close() to work around
...
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-02-11 16:16:11 +01:00
936a11e775
Use networking to hold network related pkgs
...
Change names of unclear methods
Use net as pkg name for short
2016-01-15 13:46:16 +08:00
8ac484793d
Comment out calls to httptest.Server.Close() to work around
...
https://github.com/golang/go/issues/12262 . See #19254 for
more details. This change should be reverted when we upgrade
to Go 1.6.
2016-01-11 23:02:11 -08:00
04db432fb4
auth: Add Close() for OIDC authenticator.
2015-12-23 01:26:20 -08:00
207fb721b9
Godeps: bump go-oidc to fix the race in tests.
2015-12-14 13:32:16 -08:00
ee691aa1ab
[tokenfile]
...
- the groups field has been changed to a single column option as requested in https://github.com/kubernetes/kubernetes/pull/15704
[docs]
- updated the docs related the the tokefile along with an example
2015-10-21 10:37:35 +01:00
f02c80584b
[plugin/auth/tokenfile]
...
- allowing for variable length groups to be added to the static token file
[docs/admin/authentication]
- updating the documentation for token file
2015-10-19 17:14:14 +01:00
2a1286c8f2
Add util to set transport defaults
2015-10-02 02:29:46 -04:00
ae22bd5710
plugin/pkg/auth: add tests for OpenID Connect authenticator.
2015-08-21 15:27:08 -07:00
6376e41850
plugin/pkg/auth: add OpenID Connect token authenticator.
...
Also add related new flags to apiserver:
"--oidc-issuer-url", "--oidc-client-id", "--oidc-ca-file", "--oidc-username-claim",
to enable OpenID Connect authentication.
2015-08-21 15:27:08 -07:00
8e33cbfa28
rewrite go imports
2015-08-05 17:30:03 -07:00
6b3a6e6b98
Make copyright ownership statement generic
...
Instead of saying "Google Inc." (which is not always correct) say "The
Kubernetes Authors", which is generic.
2015-05-01 17:49:56 -04:00
c895331277
Make master take authenticator.Request interface instead of tokenfile
2014-11-19 15:07:51 -05:00
deads2k