mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-07-17 20:00:07 +00:00
Relax external signer path validation to allow relative paths
This commit is contained in:
@@ -94,7 +94,7 @@ func validateUnknownVersionInteroperabilityProxyFlags(options *Options) []error
|
||||
return err
|
||||
}
|
||||
|
||||
var pathOrSocket = regexp.MustCompile(`(^(/[^/ ]*)+/?$)|(^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$)`)
|
||||
var abstractSocketRegex = regexp.MustCompile(`^@([a-zA-Z0-9_-]+\.)*[a-zA-Z0-9_-]+$`)
|
||||
|
||||
func validateServiceAccountTokenSigningConfig(options *Options) []error {
|
||||
if len(options.ServiceAccountSigningEndpoint) == 0 {
|
||||
@@ -109,9 +109,9 @@ func validateServiceAccountTokenSigningConfig(options *Options) []error {
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.ExternalServiceAccountTokenSigner) {
|
||||
errors = append(errors, fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"))
|
||||
}
|
||||
// Check if ServiceAccountSigningEndpoint is a linux file path or an abstract socket name.
|
||||
if !pathOrSocket.MatchString(options.ServiceAccountSigningEndpoint) {
|
||||
errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace", options.ServiceAccountSigningEndpoint))
|
||||
// Ensure ServiceAccountSigningEndpoint is a valid abstract socket name if prefixed with '@'.
|
||||
if strings.HasPrefix(options.ServiceAccountSigningEndpoint, "@") && !abstractSocketRegex.MatchString(options.ServiceAccountSigningEndpoint) {
|
||||
errors = append(errors, fmt.Errorf("invalid value %q passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name", options.ServiceAccountSigningEndpoint))
|
||||
}
|
||||
|
||||
return errors
|
||||
|
||||
@@ -303,11 +303,9 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid external signer endpoint provided - 1",
|
||||
name: "relative external signer endpoint provided",
|
||||
featureEnabled: true,
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("invalid value \"abc\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
},
|
||||
expectedErrors: []error{},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "abc",
|
||||
},
|
||||
@@ -316,7 +314,7 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
|
||||
name: "invalid external signer endpoint provided - 2",
|
||||
featureEnabled: true,
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
fmt.Errorf("invalid value \"@abc@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
|
||||
},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "@abc@",
|
||||
@@ -326,32 +324,12 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
|
||||
name: "invalid external signer endpoint provided - 3",
|
||||
featureEnabled: true,
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
fmt.Errorf("invalid value \"@abc.abc .ae\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
|
||||
},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "@abc.abc .ae",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid external signer endpoint provided - 4",
|
||||
featureEnabled: true,
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("invalid value \"/@e_adnb/xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "/@e_adnb/xyz /efg",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid external signer endpoint provided - 5",
|
||||
featureEnabled: true,
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "/e /xyz /efg",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid external signer endpoint provided - 1",
|
||||
featureEnabled: true,
|
||||
@@ -382,10 +360,10 @@ func TestValidateServcieAccountTokenSigningConfig(t *testing.T) {
|
||||
expectedErrors: []error{
|
||||
fmt.Errorf("can't set `--service-account-signing-key-file` and/or `--service-account-key-file` with `--service-account-signing-endpoint` (They are mutually exclusive)"),
|
||||
fmt.Errorf("setting `--service-account-signing-endpoint` requires enabling ExternalServiceAccountTokenSigner feature gate"),
|
||||
fmt.Errorf("invalid value \"/e /xyz /efg\" passed for `--service-account-signing-endpoint`, should be a valid location on the filesystem or must be prefixed with @ to name UDS in abstract namespace"),
|
||||
fmt.Errorf("invalid value \"@a@\" passed for `--service-account-signing-endpoint`, when prefixed with @ must be a valid abstract socket name"),
|
||||
},
|
||||
options: &Options{
|
||||
ServiceAccountSigningEndpoint: "/e /xyz /efg",
|
||||
ServiceAccountSigningEndpoint: "@a@",
|
||||
ServiceAccountSigningKeyFile: "/abc/efg",
|
||||
Authentication: &kubeoptions.BuiltInAuthenticationOptions{
|
||||
ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
|
||||
|
||||
Reference in New Issue
Block a user