Merge pull request #114523 from zshihang/token
graduate LegacyServiceAccountTokenTracking to beta
This commit is contained in:
commit
4b2b4e19cc
@ -479,6 +479,7 @@ const (
|
|||||||
// owner: @zshihang
|
// owner: @zshihang
|
||||||
// kep: http://kep.k8s.io/2800
|
// kep: http://kep.k8s.io/2800
|
||||||
// alpha: v1.26
|
// alpha: v1.26
|
||||||
|
// beta: v1.27
|
||||||
//
|
//
|
||||||
// Enables tracking of secret-based service account tokens usage.
|
// Enables tracking of secret-based service account tokens usage.
|
||||||
LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
|
LegacyServiceAccountTokenTracking featuregate.Feature = "LegacyServiceAccountTokenTracking"
|
||||||
@ -959,7 +960,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
|
|
||||||
LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
|
LegacyServiceAccountTokenNoAutoGeneration: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
|
||||||
|
|
||||||
LegacyServiceAccountTokenTracking: {Default: false, PreRelease: featuregate.Alpha},
|
LegacyServiceAccountTokenTracking: {Default: true, PreRelease: featuregate.Beta},
|
||||||
|
|
||||||
LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},
|
LocalStorageCapacityIsolationFSQuotaMonitoring: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
|
||||||
|
@ -18,6 +18,7 @@ package authenticator
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
|
"fmt"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
@ -277,8 +278,12 @@ func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, apiAud
|
|||||||
}
|
}
|
||||||
allPublicKeys = append(allPublicKeys, publicKeys...)
|
allPublicKeys = append(allPublicKeys, publicKeys...)
|
||||||
}
|
}
|
||||||
|
validator, err := serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("while creating legacy validator, err: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, serviceaccount.NewLegacyValidator(lookup, serviceAccountGetter, secretsWriter))
|
tokenAuthenticator := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer}, allPublicKeys, apiAudiences, validator)
|
||||||
return tokenAuthenticator, nil
|
return tokenAuthenticator, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
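Review bot: The wrapped error on the new `return nil, fmt.Errorf("while creating legacy validator, err: %w", err)` line reads awkwardly once chained, because the outer layers add their own context and "err:" restates what `%w` already conveys; Go convention is a lowercase phrase naming what this layer was doing, `return nil, fmt.Errorf("creating legacy validator: %w", err)`. Surfacing the constructor error here is the right layer: a lookup-enabled authenticator missing its getter or secrets writer now fails at startup rather than at the first token validation. newLegacyServiceAccountAuthenticator starts outside the hunk.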
@ -30,6 +30,7 @@ import (
|
|||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/kubernetes/fake"
|
"k8s.io/client-go/kubernetes/fake"
|
||||||
|
typedv1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
v1listers "k8s.io/client-go/listers/core/v1"
|
v1listers "k8s.io/client-go/listers/core/v1"
|
||||||
"k8s.io/client-go/tools/cache"
|
"k8s.io/client-go/tools/cache"
|
||||||
"k8s.io/client-go/util/keyutil"
|
"k8s.io/client-go/util/keyutil"
|
||||||
@ -342,7 +343,15 @@ func TestTokenGenerateAndValidate(t *testing.T) {
|
|||||||
return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
|
return tc.Client.CoreV1().Pods(namespace).Get(context.TODO(), name, metav1.GetOptions{})
|
||||||
})),
|
})),
|
||||||
)
|
)
|
||||||
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter, nil))
|
var secretsWriter typedv1core.SecretsGetter
|
||||||
|
if tc.Client != nil {
|
||||||
|
secretsWriter = tc.Client.CoreV1()
|
||||||
|
}
|
||||||
|
validator, err := serviceaccount.NewLegacyValidator(tc.Client != nil, getter, secretsWriter)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("While creating legacy validator, err: %v", err)
|
||||||
|
}
|
||||||
|
authn := serviceaccount.JWTTokenAuthenticator([]string{serviceaccount.LegacyIssuer, "bar"}, tc.Keys, auds, validator)
|
||||||
|
|
||||||
// An invalid, non-JWT token should always fail
|
// An invalid, non-JWT token should always fail
|
||||||
ctx := authenticator.WithAudiences(context.Background(), auds)
|
ctx := authenticator.WithAudiences(context.Background(), auds)
|
||||||
|
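Review bot: The test only exercises the success path of the new `NewLegacyValidator` signature; the two constructor failures it introduces (lookup with a nil getter, and lookup with a nil secretsWriter while LegacyServiceAccountTokenTracking is enabled) are not covered here, and with the gate's default flipped to true in this PR a table case asserting `err != nil` for each would pin that contract. The `t.Fatalf("While creating legacy validator, err: %v", err)` message also capitalizes where the production message in newLegacyServiceAccountAuthenticator does not; `t.Fatalf("creating legacy validator: %v", err)` keeps the two aligned. TestTokenGenerateAndValidate starts and ends outside the hunk.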
@ -60,12 +60,18 @@ type legacyPrivateClaims struct {
|
|||||||
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
|
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) Validator {
|
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator, error) {
|
||||||
|
if lookup && getter == nil {
|
||||||
|
return nil, errors.New("ServiceAccountTokenGetter must be provided")
|
||||||
|
}
|
||||||
|
if lookup && secretsWriter == nil && utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking) {
|
||||||
|
return nil, errors.New("SecretsWriter must be provided")
|
||||||
|
}
|
||||||
return &legacyValidator{
|
return &legacyValidator{
|
||||||
lookup: lookup,
|
lookup: lookup,
|
||||||
getter: getter,
|
getter: getter,
|
||||||
secretsWriter: secretsWriter,
|
secretsWriter: secretsWriter,
|
||||||
}
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
type legacyValidator struct {
|
type legacyValidator struct {
|
||||||
|
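Review bot: The `secretsWriter == nil` check consults `utilfeature.DefaultFeatureGate.Enabled(kubefeatures.LegacyServiceAccountTokenTracking)` only at construction, so a validator built while the gate is disabled (gates are toggled at runtime in tests, and the default is flipped to true in this PR) would carry a nil secretsWriter into the tracking path once the gate is on; if the validation method on legacyValidator (outside this hunk) dereferences secretsWriter, it should keep its own nil guard rather than rely on this constructor check. The exported function also has no doc comment; suggest `// NewLegacyValidator returns a Validator for legacy (secret-based) service account tokens. When lookup is true, getter must be non-nil, and secretsWriter must be non-nil while the LegacyServiceAccountTokenTracking gate is enabled.` The second error string names a `SecretsWriter` that is not an identifier in this code; `errors.New("secretsWriter must be provided")` matches the parameter name as the first error matches the ServiceAccountTokenGetter type. The legacyValidator struct continues past the end of the hunk.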