github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 04:06:03 +00:00
Code Issues Projects Releases Wiki Activity

Search client auth with and without port

Browse Source
This commit is contained in:
Jordan Liggitt 2019-09-02 22:38:55 -04:00
parent c7c89f8c61
commit 2f5dde7672
2 changed files with 101 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
View File

@ -136,6 +136,23 @@ func (c *defaultAuthenticationInfoResolver) clientConfig(target string) (*rest.C
}
}
// If target included the default https port (443), search again without the port
if target, port, err := net.SplitHostPort(target); err == nil && port == "443" {
// exact match without port
if authConfig, ok := c.kubeconfig.AuthInfos[target]; ok {
return restConfigFromKubeconfig(authConfig)
}
// star prefixed match without port
serverSteps := strings.Split(target, ".")
for i := 1; i < len(serverSteps); i++ {
nickName := "*." + strings.Join(serverSteps[i:], ".")
if authConfig, ok := c.kubeconfig.AuthInfos[nickName]; ok {
return restConfigFromKubeconfig(authConfig)
}
}
}
// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
if target == "kubernetes.default.svc" {
// if we can find an in-cluster-config use that. If we can't, fall through.

84
staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
View File

@ -109,6 +109,90 @@ func TestAuthenticationDetection(t *testing.T) {
},
expected: rest.Config{BearerToken: "first"},
},
{
name: "exact match with default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com:443": {Token: "exact"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "exact"},
},
{
name: "wildcard match with default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com:443": {Token: "first-with-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first-with-port"},
},
{
name: "wildcard match without default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first"},
},
{
name: "exact match with non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com:8443": {Token: "exact"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "exact"},
},
{
name: "wildcard match with non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com:8443": {Token: "first-with-port"},
"one.two.three.com": {Token: "first-without-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first-with-port"},
},
{
name: "wildcard match without non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com": {Token: "first-without-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "fallback"},
},
}
for _, tc := range tests {