mirror of https://github.com/k3s-io/k3s
Automatic merge from submit-queue

Add token authentication method for websocket browser clients

Closes #47967

Browser clients do not have the ability to set an `Authorization` header programmatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket).

This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`:

1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back.
2. `<encoded-token>` is `base64url-without-padding(token)`.

This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc.) using bearer token authentication.

For example, to authenticate with the bearer token `mytoken`, the client could do:

```js
var ws = new WebSocket(
  "wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
  [
    "base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
    "base64.binary.k8s.io"
  ]
);
```

This results in the following headers:

```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```

Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers

```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```

Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`).

```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
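The server side of the scheme described in the commit message, as an added example in Go. This is not the Kubernetes or k3s authenticator code; it implements only what the message states (the `base64url.bearer.authorization.k8s.io.` prefix, base64url without padding, the requirement of at least one other subprotocol, and stripping the bearer subprotocol before handing the request on). The function names, the error values, the rejection of a second bearer subprotocol, and the constructed sample request are the example's own assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Prefix of the bearer subprotocol as described in the commit message.
const bearerProtocolPrefix = "base64url.bearer.authorization.k8s.io."

// Error values are this example's own, not the project's.
var (
	ErrBadEncoding     = errors.New("bearer subprotocol: token is not unpadded base64url")
	ErrEmptyToken      = errors.New("bearer subprotocol: empty token")
	ErrNoOtherProtocol = errors.New("bearer subprotocol: at least one other subprotocol is required")
	ErrMultipleTokens  = errors.New("bearer subprotocol: more than one bearer subprotocol supplied")
)

// EncodeBearerProtocol builds the client-side subprotocol for a token:
// base64url without padding, so "/" and "=" never appear in the value.
func EncodeBearerProtocol(token string) string {
	return bearerProtocolPrefix + base64.RawURLEncoding.EncodeToString([]byte(token))
}

// parseProtocolHeader splits a Sec-WebSocket-Protocol value into its
// comma-separated names, trimming whitespace and dropping empty entries.
func parseProtocolHeader(value string) []string {
	var out []string
	for _, p := range strings.Split(value, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// ExtractBearerToken scans the offered subprotocols for the bearer one.
// It returns the decoded token and the remaining subprotocols (the only
// ones downstream handlers may see and echo back). ok is false when no
// bearer subprotocol is present, so the request can fall through to
// other authenticators. A bearer subprotocol with no companion
// subprotocol is rejected because the server must echo one back.
func ExtractBearerToken(protocols []string) (token string, remaining []string, ok bool, err error) {
	for _, p := range protocols {
		if !strings.HasPrefix(p, bearerProtocolPrefix) {
			remaining = append(remaining, p)
			continue
		}
		if ok {
			return "", nil, true, ErrMultipleTokens
		}
		ok = true
		encoded := strings.TrimPrefix(p, bearerProtocolPrefix)
		// RawURLEncoding is base64url without padding; a padded or
		// standard-alphabet token fails here instead of being guessed at.
		raw, derr := base64.RawURLEncoding.DecodeString(encoded)
		if derr != nil {
			return "", nil, true, ErrBadEncoding
		}
		if len(raw) == 0 {
			return "", nil, true, ErrEmptyToken
		}
		token = string(raw)
	}
	if ok && len(remaining) == 0 {
		return "", nil, true, ErrNoOtherProtocol
	}
	return token, remaining, ok, nil
}

// AuthenticateWebsocketRequest applies the scheme to a request in place.
// On success it returns the token and rewrites Sec-WebSocket-Protocol to
// the remaining subprotocols, so the bearer subprotocol never reaches a
// handler that might echo it into the handshake response.
func AuthenticateWebsocketRequest(req *http.Request) (string, bool, error) {
	protocols := parseProtocolHeader(strings.Join(req.Header.Values("Sec-WebSocket-Protocol"), ","))
	token, remaining, ok, err := ExtractBearerToken(protocols)
	if err != nil || !ok {
		return "", ok, err
	}
	req.Header.Set("Sec-WebSocket-Protocol", strings.Join(remaining, ","))
	return token, true, nil
}

func main() {
	// Constructed request carrying the header shown in the commit message.
	req, _ := http.NewRequest("GET", "wss://example.invalid/api/v1/namespaces/myns/pods/mypod/logs?follow=true", nil)
	req.Header.Set("Sec-WebSocket-Protocol", EncodeBearerProtocol("mytoken")+", base64.binary.k8s.io")
	token, ok, err := AuthenticateWebsocketRequest(req)
	fmt.Printf("token=%q ok=%v err=%v remaining=%q\n", token, ok, err, req.Header.Get("Sec-WebSocket-Protocol"))
}
```

The header rewrite is the part worth keeping in mind when wiring such an authenticator in front of other handlers: the websocket handshake echoes a selected subprotocol back to the client, so any handler that still saw the bearer subprotocol and echoed it would place the token in the response.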
Directory contents:

- admission
- authenticator
- authorizer
- options
- server
- BUILD
- OWNERS
- default_storage_factory_builder.go
- default_storage_factory_builder_test.go
- doc.go