graduate LegacyServiceAccountTokenTracking to beta

This commit is contained in:
Shihang Zhang 2022-12-15 14:49:03 -08:00
parent 093c5964f7
commit 0852a49020
4 changed files with 26 additions and 5 deletions


@ -478,6 +478,7 @@ const (
// owner: @zshihang
// kep: http://kep.k8s.io/2800
// alpha: v1.26
// beta: v1.27
//
// Enables tracking of secret-based service account tokens usage.
LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
@ -958,7 +959,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA},
LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},


@ -18,6 +18,7 @@ package authenticator
import (
"errors"
"fmt"
"time"
utilnet "k8s.io/apimachinery/pkg/util/net"
@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
}
allPublicKeys = append(allPublicKeys, publicKeys...)
}
validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
if err != nil {
return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
}
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
return tokenAuthenticator, nil
}
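Review bot: The wrap message on the new error return, `fmt.Errorf("while creating legacy validator, err: %w", err)`, carries a redundant `, err:` suffix; once wrapped, the inner error already follows the context text, so `return nil, fmt.Errorf("creating legacy validator: %w", err)` reads more cleanly and matches the usual Go wrapping style. newLegacyServiceAccountAuthenticator starts outside the hunk, so I could not check whether its other error returns use the same wording and should be kept in step.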


@ -30,6 +30,7 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
v1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/keyutil"
@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
})),
)
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
var secretsWriter typedv1core.SecretsGetter
if tc.Client != nil {
secretsWriter = tc.Client.CoreV1()
}
validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
if err != nil {
t.Fatalf("While creating legacy validator, err: %v", err)
}
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
// An invalid, non-JWT token should always fail
ctx := authenticator.WithAudiences(context.Background(), auds)


@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
}
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
if lookup && getter == nil {
return nil, errors.New("ServiceAccountTokenGetter must be provided")
}
if lookup && secretsWriter == nil {
return nil, errors.New("SecretsWriter must be provided")
}
return &legacyValidator{
lookup: lookup,
getter: getter,
secretsWriter: secretsWriter,
}
}, nil
}
type legacyValidator struct {
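Review bot: NewLegacyValidator is exported and its contract has just changed to `(Validator, error)`, but it still has no doc comment stating when it fails; I would add `// NewLegacyValidator returns a Validator for legacy service account tokens. When lookup is true, getter and secretsWriter must both be non-nil; otherwise an error is returned.` directly above the signature. The new `secretsWriter == nil` guard compares an interface value, so a typed nil pointer stored in it would pass the check and only fail when the validator first writes to a Secret — presumably callers pass a nil interface as the test hunk does, but the constraint is worth stating in the comment. The hunk appears to end at the `type legacyValidator struct {` line; if it continues past SOURCE the struct is outside my view.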