Merge pull request #114523 from zshihang/token

graduate LegacyServiceAccountTokenTracking to beta
This commit is contained in:
Kubernetes Prow Robot 2023-01-18 07:12:33 -08:00 committed by GitHub
commit 4b2b4e19cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 5 deletions

View File

@ -479,6 +479,7 @@ const (
// owner: @zshihang
// kep: http://kep.k8s.io/2800
// alpha: v1.26
// beta: v1.27
//
// Enables tracking of secret-based service account tokens usage.
LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
@ -959,7 +960,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},

View File

@ -18,6 +18,7 @@ package authenticator
import (
"errors"
"fmt"
"time"
utilnet "k8s.io/apimachinery/pkg/util/net"
@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
}
allPublicKeys = append(allPublicKeys, publicKeys...)
}
validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
if err != nil {
return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
}
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
return tokenAuthenticator, nil
}

View File

@ -30,6 +30,7 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
clientset "k8s.io/client-go/kubernetes"
"k8s.io/client-go/kubernetes/fake"
typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
v1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/util/keyutil"
@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
})),
)
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
var secretsWriter typedv1core.SecretsGetter
if tc.Client != nil {
secretsWriter = tc.Client.CoreV1()
}
validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
if err != nil {
t.Fatalf("While creating legacy validator, err: %v", err)
}
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
// An invalid, non-JWT token should always fail
ctx := authenticator.WithAudiences(context.Background(), auds)

View File

@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
}
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
if lookup && getter == nil {
return nil, errors.New("ServiceAccountTokenGetter must be provided")
}
if lookup && secretsWriter == nil && utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking) {
return nil, errors.New("SecretsWriter must be provided")
}
return &legacyValidator{
lookup: lookup,
getter: getter,
secretsWriter: secretsWriter,
}
}, nil
}
type legacyValidator struct {