diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 8069c573468..101a59dd7f1 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -479,6 +479,7 @@ const (
 	// owner: @zshihang
 	// kep: http://kep.k8s.io/2800
 	// alpha: v1.26
+	// beta: v1.27
 	//
 	// Enables tracking of secret-based service account tokens usage.
 	LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
@@ -959,7 +960,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 
 	LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
 
-	LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
+	LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
 
 	LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},
 
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index e10c76384f9..52715eb3087 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -18,6 +18,7 @@ package authenticator
 
 import (
 	"errors"
+	"fmt"
 	"time"
 
 	utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
 		}
 		allPublicKeys = append(allPublicKeys, publicKeys...)
 	}
+	validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
+	if err != nil {
+		return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
+	}
 
-	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
+	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
 	return tokenAuthenticator, nil
 }
 
diff --git a/pkg/serviceaccount/jwt_test.go b/pkg/serviceaccount/jwt_test.go
index 675e43cf3a9..ade7924aa71 100644
--- a/pkg/serviceaccount/jwt_test.go
+++ b/pkg/serviceaccount/jwt_test.go
@@ -30,6 +30,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
+	typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	v1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/keyutil"
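Review bot: The wrapping message on the new error return, `fmt.Errorf("while creating legacy validator, err: %w", err)`, embeds an `err:` label that becomes noise once the chain is printed; Go convention is to name only the operation this layer was doing, e.g. `return nil, fmt.Errorf("creating legacy validator: %w", err)`. The same wording appears in the `t.Fatalf` call added to jwt_test.go, where it matters less. Failing here at authenticator construction rather than at first token validation is the right place for the check, since a nil getter or secrets writer is a deployment mistake the operator should see at startup. The opening lines of newLegacyServiceAccountAuthenticator are outside the hunk.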
@@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
 				return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 			})),
 		)
-		authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
+		var secretsWriter typedv1core.SecretsGetter
+		if tc.Client != nil {
+			secretsWriter = tc.Client.CoreV1()
+		}
+		validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
+		if err != nil {
+			t.Fatalf("While creating legacy validator, err: %v", err)
+		}
+		authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
 
 		// An invalid, non-JWT token should always fail
 		ctx := authenticator.WithAudiences(context.Background(), auds)
diff --git a/pkg/serviceaccount/legacy.go b/pkg/serviceaccount/legacy.go
index 8ebdbabe898..9657f95c351 100644
--- a/pkg/serviceaccount/legacy.go
+++ b/pkg/serviceaccount/legacy.go
@@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
 	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
 }
 
-func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
+func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
+	if lookup && getter == nil {
+		return nil, errors.New("ServiceAccountTokenGetter must be provided")
+	}
+	if lookup && secretsWriter == nil && utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking) {
+		return nil, errors.New("SecretsWriter must be provided")
+	}
 	return &legacyValidator{
 		lookup:        lookup,
 		getter:        getter,
 		secretsWriter: secretsWriter,
-	}
+	}, nil
 }
 
 type legacyValidator struct {
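Review bot: NewLegacyValidator is exported and now fails under two new preconditions, but carries no doc comment stating them, so a caller cannot tell without reading the body that `lookup` requires a non-nil getter and, while the LegacyServiceAccountTokenTracking gate is enabled, a non-nil secretsWriter. I would add above the signature: `// NewLegacyValidator returns a Validator for legacy (secret-based) service account tokens.` / `// When lookup is true, getter must be non-nil, and secretsWriter must be non-nil while the` / `// LegacyServiceAccountTokenTracking feature gate is enabled; otherwise an error is returned.` The new error strings start with a capital letter (`"ServiceAccountTokenGetter must be provided"`), which Go convention and staticcheck discourage because they read badly once wrapped mid-sentence. The gate is evaluated once here at construction, so the validation path (outside this hunk) presumably still has to tolerate a nil secretsWriter when the gate is off or lookup is false — worth confirming, since the constructor no longer guarantees it in that case.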