mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 20:53:33 +00:00
Merge pull request #83192 from liggitt/improve-token-request-error
Improve error message for projected tokens when API is not enabled
commit
40d4ddc7e5
@ -21,6 +21,7 @@ go_library(
|
|||||||
visibility = ["//visibility:public"],
|
visibility = ["//visibility:public"],
|
||||||
deps = [
|
deps = [
|
||||||
"//staging/src/k8s.io/api/authentication/v1:go_default_library",
|
"//staging/src/k8s.io/api/authentication/v1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
||||||
|
@ -25,6 +25,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
authenticationv1 "k8s.io/api/authentication/v1"
|
authenticationv1 "k8s.io/api/authentication/v1"
|
||||||
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"k8s.io/apimachinery/pkg/util/clock"
|
"k8s.io/apimachinery/pkg/util/clock"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
@ -39,12 +40,35 @@ const (
|
|||||||
|
|
||||||
// NewManager returns a new token manager.
|
// NewManager returns a new token manager.
|
||||||
func NewManager(c clientset.Interface) *Manager {
|
func NewManager(c clientset.Interface) *Manager {
|
||||||
|
// check whether the server supports token requests so we can give a more helpful error message
|
||||||
|
supported := false
|
||||||
|
once := &sync.Once{}
|
||||||
|
tokenRequestsSupported := func() bool {
|
||||||
|
once.Do(func() {
|
||||||
|
resources, err := c.Discovery().ServerResourcesForGroupVersion("v1")
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, resource := range resources.APIResources {
|
||||||
|
if resource.Name == "serviceaccounts/token" {
|
||||||
|
supported = true
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
return supported
|
||||||
|
}
|
||||||
|
|
||||||
m := &Manager{
|
m := &Manager{
|
||||||
getToken: func(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
|
getToken: func(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
|
||||||
if c == nil {
|
if c == nil {
|
||||||
return nil, errors.New("cannot use TokenManager when kubelet is in standalone mode")
|
return nil, errors.New("cannot use TokenManager when kubelet is in standalone mode")
|
||||||
}
|
}
|
||||||
return c.CoreV1().ServiceAccounts(namespace).CreateToken(name, tr)
|
tokenRequest, err := c.CoreV1().ServiceAccounts(namespace).CreateToken(name, tr)
|
||||||
|
if apierrors.IsNotFound(err) && !tokenRequestsSupported() {
|
||||||
|
return nil, fmt.Errorf("the API server does not have TokenRequest endpoints enabled")
|
||||||
|
}
|
||||||
|
return tokenRequest, err
|
||||||
},
|
},
|
||||||
cache: make(map[string]*authenticationv1.TokenRequest),
|
cache: make(map[string]*authenticationv1.TokenRequest),
|
||||||
clock: clock.RealClock{},
|
clock: clock.RealClock{},
|
||||||
|
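Review bot: A failed discovery call inside `tokenRequestsSupported` is cached as "unsupported" for the lifetime of the Manager, because `once.Do` is consumed even when `ServerResourcesForGroupVersion("v1")` returns an error and `supported` then stays `false`. From that point every NotFound returned by `CreateToken` is rewritten to "the API server does not have TokenRequest endpoints enabled", presumably including the case where the service account or namespace simply does not exist, which misdirects anyone diagnosing projected-token failures. I would cache only a successful discovery result and treat a discovery error as "unknown", so the original error is returned and the check is retried on the next NotFound. The replacement error also discards the NotFound status, so callers can no longer match it with `apierrors.IsNotFound`; a comment on that line saying this is intentional would help. NewManager's body continues past the end of the hunk.

```go
// check whether the server supports token requests so we can give a more helpful error message
var (
	mu        sync.Mutex
	checked   bool
	supported bool
)
tokenRequestsSupported := func() bool {
	mu.Lock()
	defer mu.Unlock()
	if checked {
		return supported
	}
	resources, err := c.Discovery().ServerResourcesForGroupVersion("v1")
	if err != nil {
		// Discovery failed, so support is unknown rather than absent:
		// report "supported" to keep the original error, and retry next time.
		return true
	}
	checked = true
	for _, resource := range resources.APIResources {
		if resource.Name == "serviceaccounts/token" {
			supported = true
			break
		}
	}
	return supported
}

// … unchanged: m := &Manager{ … getToken closure, cache, clock …
```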