github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 19:31:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #60329 from mikedanese/id-fix1

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 59723, 60379, 60329). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

 tokenrequest: reject tokens bound to pods running as other svcaccts

second commit

ref #58790
```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2018-02-25 00:52:36 -08:00 committed by GitHub
commit 049b76201a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/registry/core/serviceaccount/storage/token.go
View File

@ -74,6 +74,9 @@ func (r *TokenREST) Create(ctx genericapirequest.Context, name string, obj runti
return nil, err return nil, err
} }
pod = podObj.(*api.Pod) pod = podObj.(*api.Pod)
if name != pod.Spec.ServiceAccountName {
return nil, errors.NewBadRequest(fmt.Sprintf("cannot bind token for serviceaccount %q to pod running with serviceaccount %q", name, pod.Spec.ServiceAccountName))
}
uid = pod.UID uid = pod.UID
case gvk.Group == "" && gvk.Kind == "Secret": case gvk.Group == "" && gvk.Kind == "Secret":
secretObj, err := r.secrets.Get(ctx, ref.Name, &metav1.GetOptions{}) secretObj, err := r.secrets.Get(ctx, ref.Name, &metav1.GetOptions{})

33
test/integration/auth/svcaccttoken_test.go
View File

@ -81,6 +81,16 @@ func TestServiceAccountTokenCreate(t *testing.T) {
Containers: []v1.Container{{Name: "test-container", Image: "nginx"}}, Containers: []v1.Container{{Name: "test-container", Image: "nginx"}},
}, },
} }
otherpod = &v1.Pod{
ObjectMeta: metav1.ObjectMeta{
Name: "other-test-pod",
Namespace: sa.Namespace,
},
Spec: v1.PodSpec{
ServiceAccountName: "other-" + sa.Name,
Containers: []v1.Container{{Name: "test-container", Image: "nginx"}},
},
}
secret = &v1.Secret{ secret = &v1.Secret{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: "test-secret", Name: "test-secret",
@ -220,6 +230,29 @@ func TestServiceAccountTokenCreate(t *testing.T) {
checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace") checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name") checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
}) })
t.Run("bound to service account and pod running as different service account", func(t *testing.T) {
treq := &authenticationv1.TokenRequest{
Spec: authenticationv1.TokenRequestSpec{
Audiences: []string{"api"},
ExpirationSeconds: &one,
BoundObjectRef: &authenticationv1.BoundObjectReference{
Kind: "Pod",
APIVersion: "v1",
Name: otherpod.Name,
},
},
}
sa, del := createDeleteSvcAcct(t, cs, sa)
defer del()
_, del = createDeletePod(t, cs, otherpod)
defer del()
if resp, err := cs.CoreV1().ServiceAccounts(sa.Namespace).CreateToken(sa.Name, treq); err == nil {
t.Fatalf("expected err but got: %#v", resp)
}
})
} }
func checkPayload(t *testing.T, tok string, want string, parts ...string) { func checkPayload(t *testing.T, tok string, want string, parts ...string) {