mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 19:31:44 +00:00
Merge pull request #114523 from zshihang/token
graduate LegacyServiceAccountTokenTracking to beta
This commit is contained in:
commit
4b2b4e19cc
@ -479,6 +479,7 @@ const (
|
||||
// owner: @zshihang
|
||||
// kep: http://kep.k8s.io/2800
|
||||
// alpha: v1.26
|
||||
// beta: v1.27
|
||||
//
|
||||
// Enables tracking of secret-based service account tokens usage.
|
||||
LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
|
||||
@ -959,7 +960,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
||||
|
||||
LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
|
||||
|
||||
LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
|
||||
LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
|
||||
|
||||
LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},
|
||||
|
||||
|
@ -18,6 +18,7 @@ package authenticator
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
|
||||
}
|
||||
allPublicKeys = append(allPublicKeys, publicKeys...)
|
||||
}
|
||||
validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
|
||||
}
|
||||
|
||||
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
|
||||
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
|
||||
return tokenAuthenticator, nil
|
||||
}
|
||||
|
||||
|
@ -30,6 +30,7 @@ import (
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||
v1listers "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/keyutil"
|
||||
@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
|
||||
return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
|
||||
})),
|
||||
)
|
||||
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
|
||||
var secretsWriter typedv1core.SecretsGetter
|
||||
if tc.Client != nil {
|
||||
secretsWriter = tc.Client.CoreV1()
|
||||
}
|
||||
validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
|
||||
if err != nil {
|
||||
t.Fatalf("While creating legacy validator, err: %v", err)
|
||||
}
|
||||
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
|
||||
|
||||
// An invalid, non-JWT token should always fail
|
||||
ctx := authenticator.WithAudiences(context.Background(), auds)
|
||||
|
@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
|
||||
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
|
||||
}
|
||||
|
||||
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
|
||||
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
|
||||
if lookup && getter == nil {
|
||||
return nil, errors.New("ServiceAccountTokenGetter must be provided")
|
||||
}
|
||||
if lookup && secretsWriter == nil && utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking) {
|
||||
return nil, errors.New("SecretsWriter must be provided")
|
||||
}
|
||||
return &legacyValidator{
|
||||
lookup: lookup,
|
||||
getter: getter,
|
||||
secretsWriter: secretsWriter,
|
||||
}
|
||||
}, nil
|
||||
}
|
||||
|
||||
type legacyValidator struct {
|
||||
|
Loading…
Reference in New Issue
Block a user