Merge pull request #70105 from mikedanese/trev1
promote --service-account-api-audiences to top level kube-apiserver config
This commit is contained in:
commit
4d182cec03
@ -333,14 +333,14 @@ func CreateKubeAPIServerConfig(
|
|||||||
|
|
||||||
if s.ServiceAccountSigningKeyFile != "" ||
|
if s.ServiceAccountSigningKeyFile != "" ||
|
||||||
s.Authentication.ServiceAccounts.Issuer != "" ||
|
s.Authentication.ServiceAccounts.Issuer != "" ||
|
||||||
len(s.Authentication.ServiceAccounts.APIAudiences) > 0 {
|
len(s.Authentication.APIAudiences) > 0 {
|
||||||
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
||||||
lastErr = fmt.Errorf("the TokenRequest feature is not enabled but --service-account-signing-key-file, --service-account-issuer and/or --service-account-api-audiences flags were passed")
|
lastErr = fmt.Errorf("the TokenRequest feature is not enabled but --service-account-signing-key-file, --service-account-issuer and/or --service-account-api-audiences flags were passed")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if s.ServiceAccountSigningKeyFile == "" ||
|
if s.ServiceAccountSigningKeyFile == "" ||
|
||||||
s.Authentication.ServiceAccounts.Issuer == "" ||
|
s.Authentication.ServiceAccounts.Issuer == "" ||
|
||||||
len(s.Authentication.ServiceAccounts.APIAudiences) == 0 ||
|
len(s.Authentication.APIAudiences) == 0 ||
|
||||||
len(s.Authentication.ServiceAccounts.KeyFiles) == 0 {
|
len(s.Authentication.ServiceAccounts.KeyFiles) == 0 {
|
||||||
lastErr = fmt.Errorf("service-account-signing-key-file, service-account-issuer, service-account-api-audiences and service-account-key-file should be specified together")
|
lastErr = fmt.Errorf("service-account-signing-key-file, service-account-issuer, service-account-api-audiences and service-account-key-file should be specified together")
|
||||||
return
|
return
|
||||||
@ -365,7 +365,7 @@ func CreateKubeAPIServerConfig(
|
|||||||
lastErr = fmt.Errorf("failed to build token generator: %v", err)
|
lastErr = fmt.Errorf("failed to build token generator: %v", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
apiAudiences = s.Authentication.ServiceAccounts.APIAudiences
|
apiAudiences = s.Authentication.APIAudiences
|
||||||
maxExpiration = s.Authentication.ServiceAccounts.MaxExpiration
|
maxExpiration = s.Authentication.ServiceAccounts.MaxExpiration
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -401,7 +401,7 @@ func CreateKubeAPIServerConfig(
|
|||||||
MasterCount: s.MasterCount,
|
MasterCount: s.MasterCount,
|
||||||
|
|
||||||
ServiceAccountIssuer: issuer,
|
ServiceAccountIssuer: issuer,
|
||||||
ServiceAccountAPIAudiences: apiAudiences,
|
APIAudiences: apiAudiences,
|
||||||
ServiceAccountMaxExpiration: maxExpiration,
|
ServiceAccountMaxExpiration: maxExpiration,
|
||||||
|
|
||||||
InternalInformers: sharedInformers,
|
InternalInformers: sharedInformers,
|
||||||
|
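Review bot: With `--api-audiences` promoted to a top-level flag, the `if s.ServiceAccountSigningKeyFile == "" || …` check on the new side still treats a non-empty `s.Authentication.APIAudiences` as an attempt to configure the token issuer (via the `len(s.Authentication.APIAudiences) > 0` trigger condition), so an operator who sets only `--api-audiences` — to scope what the service account authenticator accepts, which is what the flag's help text describes — is rejected with a "should be specified together" error that only makes sense for issuer setup. Consider dropping the audiences term from the trigger condition and leaving it only in the "all four required" check, or stating in the flag help that audiences are mandatory once a signing key or issuer is given. Independently, both unchanged error messages still name `--service-account-api-audiences`, which this same commit marks deprecated; `lastErr = fmt.Errorf("the TokenRequest feature is not enabled but --service-account-signing-key-file, --service-account-issuer and/or --api-audiences flags were passed")` and the matching `--api-audiences` wording in the "specified together" message would keep the messages in step with the flag the operator is now told to use. CreateKubeAPIServerConfig begins before and continues after each of these hunks.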
@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
|
|||||||
ServiceAccountKeyFiles []string
|
ServiceAccountKeyFiles []string
|
||||||
ServiceAccountLookup bool
|
ServiceAccountLookup bool
|
||||||
ServiceAccountIssuer string
|
ServiceAccountIssuer string
|
||||||
ServiceAccountAPIAudiences []string
|
APIAudiences []string
|
||||||
WebhookTokenAuthnConfigFile string
|
WebhookTokenAuthnConfigFile string
|
||||||
WebhookTokenAuthnCacheTTL time.Duration
|
WebhookTokenAuthnCacheTTL time.Duration
|
||||||
|
|
||||||
@ -141,7 +141,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
|
|||||||
tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
|
tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
|
||||||
}
|
}
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {
|
if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {
|
||||||
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountAPIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
|
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.APIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
|
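Review bot: The renamed `APIAudiences []string` field on AuthenticatorConfig carries no doc comment, and dropping the `ServiceAccount` prefix makes its scope less obvious than the old name was. Suggest `// APIAudiences are the identifiers of this API server; the service account token authenticator only accepts tokens bound to at least one of them.`, mirroring the flag help text in this commit. In the visible part of New(), only the `newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.APIAudiences, …)` call consumes the field, and an empty list is passed through unchanged; whether an empty list disables the audience check is decided inside newServiceAccountAuthenticator, which is outside this hunk and worth confirming before the comment claims either way. New() starts and ends outside the hunk.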
@ -34,6 +34,7 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type BuiltInAuthenticationOptions struct {
|
type BuiltInAuthenticationOptions struct {
|
||||||
|
APIAudiences []string
|
||||||
Anonymous *AnonymousAuthenticationOptions
|
Anonymous *AnonymousAuthenticationOptions
|
||||||
BootstrapToken *BootstrapTokenAuthenticationOptions
|
BootstrapToken *BootstrapTokenAuthenticationOptions
|
||||||
ClientCert *genericoptions.ClientCertAuthenticationOptions
|
ClientCert *genericoptions.ClientCertAuthenticationOptions
|
||||||
@ -76,7 +77,6 @@ type ServiceAccountAuthenticationOptions struct {
|
|||||||
KeyFiles []string
|
KeyFiles []string
|
||||||
Lookup bool
|
Lookup bool
|
||||||
Issuer string
|
Issuer string
|
||||||
APIAudiences []string
|
|
||||||
MaxExpiration time.Duration
|
MaxExpiration time.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -174,6 +174,10 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
||||||
|
fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
|
||||||
|
"Identifiers of the API. The service account token authenticator will validate that "+
|
||||||
|
"tokens used against the API are bound to at least one of these audiences.")
|
||||||
|
|
||||||
if s.Anonymous != nil {
|
if s.Anonymous != nil {
|
||||||
fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
|
fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
|
||||||
"Enables anonymous requests to the secure port of the API server. "+
|
"Enables anonymous requests to the secure port of the API server. "+
|
||||||
@ -258,9 +262,11 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
|||||||
"Identifier of the service account token issuer. The issuer will assert this identifier "+
|
"Identifier of the service account token issuer. The issuer will assert this identifier "+
|
||||||
"in \"iss\" claim of issued tokens. This value is a string or URI.")
|
"in \"iss\" claim of issued tokens. This value is a string or URI.")
|
||||||
|
|
||||||
fs.StringSliceVar(&s.ServiceAccounts.APIAudiences, "service-account-api-audiences", s.ServiceAccounts.APIAudiences, ""+
|
// Deprecated in 1.13
|
||||||
|
fs.StringSliceVar(&s.APIAudiences, "service-account-api-audiences", s.APIAudiences, ""+
|
||||||
"Identifiers of the API. The service account token authenticator will validate that "+
|
"Identifiers of the API. The service account token authenticator will validate that "+
|
||||||
"tokens used against the API are bound to at least one of these audiences.")
|
"tokens used against the API are bound to at least one of these audiences.")
|
||||||
|
fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences")
|
||||||
|
|
||||||
fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+
|
fs.DurationVar(&s.ServiceAccounts.MaxExpiration, "service-account-max-token-expiration", s.ServiceAccounts.MaxExpiration, ""+
|
||||||
"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+
|
"The maximum validity duration of a token created by the service account token issuer. If an otherwise valid "+
|
||||||
@ -325,7 +331,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
|
|||||||
ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
|
ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
|
||||||
ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
|
ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
|
||||||
ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
|
ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
|
||||||
ret.ServiceAccountAPIAudiences = s.ServiceAccounts.APIAudiences
|
ret.APIAudiences = s.APIAudiences
|
||||||
}
|
}
|
||||||
|
|
||||||
if s.TokenFile != nil {
|
if s.TokenFile != nil {
|
||||||
@ -367,7 +373,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
|
|||||||
}
|
}
|
||||||
|
|
||||||
c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
|
c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
|
||||||
c.Authentication.APIAudiences = o.ServiceAccounts.APIAudiences
|
c.Authentication.APIAudiences = o.APIAudiences
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
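Review bot: `--api-audiences` and the deprecated `--service-account-api-audiences` are both bound to `&s.APIAudiences` through StringSliceVar, so when an operator passes both (a likely state mid-migration), whichever flag is parsed last silently replaces the other's value rather than erroring or merging — pflag keeps its "changed" state per flag value, so the second flag's first Set overwrites the slice; worth confirming against the pflag version vendored here. Because the audience list is what keeps a token minted for one API server from being accepted by another, a silent override deserves to be surfaced: either bind the deprecated flag to its own field and reject or merge the two in Validate(), or at minimum say so in the deprecation text, e.g. `fs.MarkDeprecated("service-account-api-audiences", "Use --api-audiences; the two flags set the same value and must not both be given")`. The error returned by `fs.MarkDeprecated` is also discarded; a short `// flag registered above, cannot fail` comment would make that deliberate. AddFlags starts before and continues after this hunk.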
@ -169,9 +169,10 @@ type ExtraConfig struct {
|
|||||||
EndpointReconcilerType reconcilers.Type
|
EndpointReconcilerType reconcilers.Type
|
||||||
|
|
||||||
ServiceAccountIssuer serviceaccount.TokenGenerator
|
ServiceAccountIssuer serviceaccount.TokenGenerator
|
||||||
ServiceAccountAPIAudiences []string
|
|
||||||
ServiceAccountMaxExpiration time.Duration
|
ServiceAccountMaxExpiration time.Duration
|
||||||
|
|
||||||
|
APIAudiences []string
|
||||||
|
|
||||||
VersionedInformers informers.SharedInformerFactory
|
VersionedInformers informers.SharedInformerFactory
|
||||||
InternalInformers internalinformers.SharedInformerFactory
|
InternalInformers internalinformers.SharedInformerFactory
|
||||||
}
|
}
|
||||||
@ -334,8 +335,8 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
|
|||||||
ServiceNodePortRange: c.ExtraConfig.ServiceNodePortRange,
|
ServiceNodePortRange: c.ExtraConfig.ServiceNodePortRange,
|
||||||
LoopbackClientConfig: c.GenericConfig.LoopbackClientConfig,
|
LoopbackClientConfig: c.GenericConfig.LoopbackClientConfig,
|
||||||
ServiceAccountIssuer: c.ExtraConfig.ServiceAccountIssuer,
|
ServiceAccountIssuer: c.ExtraConfig.ServiceAccountIssuer,
|
||||||
ServiceAccountAPIAudiences: c.ExtraConfig.ServiceAccountAPIAudiences,
|
|
||||||
ServiceAccountMaxExpiration: c.ExtraConfig.ServiceAccountMaxExpiration,
|
ServiceAccountMaxExpiration: c.ExtraConfig.ServiceAccountMaxExpiration,
|
||||||
|
APIAudiences: c.ExtraConfig.APIAudiences,
|
||||||
}
|
}
|
||||||
m.InstallLegacyAPI(&c, c.GenericConfig.RESTOptionsGetter, legacyRESTStorageProvider)
|
m.InstallLegacyAPI(&c, c.GenericConfig.RESTOptionsGetter, legacyRESTStorageProvider)
|
||||||
}
|
}
|
||||||
|
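Review bot: The new `APIAudiences []string` field on ExtraConfig has no doc comment, and because it now flows through the `APIAudiences: c.ExtraConfig.APIAudiences` entry into LegacyRESTStorageProvider and from there into serviceaccountstore.NewREST, its double role — what the authenticator accepts and, apparently, what the TokenRequest issuer binds issued tokens to — is not recorded on the type anywhere. Suggest `// APIAudiences identifies this API server; service account tokens issued via TokenRequest are bound to these audiences, and presented tokens must carry at least one of them.`, with the issuer half confirmed against the NewREST constructor, which is outside this commit. The same undocumented field is added to LegacyRESTStorageProvider in the hunk `@ -80,9 +80,10 @@`, where the same comment applies. In both structs the field is separated from the ServiceAccountIssuer/ServiceAccountMaxExpiration fields it is used alongside by a blank line, so a comment tying them together helps readers.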
@ -80,9 +80,10 @@ type LegacyRESTStorageProvider struct {
|
|||||||
ServiceNodePortRange utilnet.PortRange
|
ServiceNodePortRange utilnet.PortRange
|
||||||
|
|
||||||
ServiceAccountIssuer serviceaccount.TokenGenerator
|
ServiceAccountIssuer serviceaccount.TokenGenerator
|
||||||
ServiceAccountAPIAudiences []string
|
|
||||||
ServiceAccountMaxExpiration time.Duration
|
ServiceAccountMaxExpiration time.Duration
|
||||||
|
|
||||||
|
APIAudiences []string
|
||||||
|
|
||||||
LoopbackClientConfig *restclient.Config
|
LoopbackClientConfig *restclient.Config
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -142,7 +143,7 @@ func (c LegacyRESTStorageProvider) NewLegacyRESTStorage(restOptionsGetter generi
|
|||||||
|
|
||||||
var serviceAccountStorage *serviceaccountstore.REST
|
var serviceAccountStorage *serviceaccountstore.REST
|
||||||
if c.ServiceAccountIssuer != nil && utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
if c.ServiceAccountIssuer != nil && utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
|
||||||
serviceAccountStorage = serviceaccountstore.NewREST(restOptionsGetter, c.ServiceAccountIssuer, c.ServiceAccountAPIAudiences, c.ServiceAccountMaxExpiration, podStorage.Pod.Store, secretStorage.Store)
|
serviceAccountStorage = serviceaccountstore.NewREST(restOptionsGetter, c.ServiceAccountIssuer, c.APIAudiences, c.ServiceAccountMaxExpiration, podStorage.Pod.Store, secretStorage.Store)
|
||||||
} else {
|
} else {
|
||||||
serviceAccountStorage = serviceaccountstore.NewREST(restOptionsGetter, nil, nil, 0, nil, nil)
|
serviceAccountStorage = serviceaccountstore.NewREST(restOptionsGetter, nil, nil, 0, nil, nil)
|
||||||
}
|
}
|
||||||
|
@ -27,6 +27,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"gopkg.in/square/go-jose.v2/jwt"
|
"gopkg.in/square/go-jose.v2/jwt"
|
||||||
|
|
||||||
authenticationv1 "k8s.io/api/authentication/v1"
|
authenticationv1 "k8s.io/api/authentication/v1"
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
@ -87,8 +88,8 @@ func TestServiceAccountTokenCreate(t *testing.T) {
|
|||||||
t.Fatalf("err: %v", err)
|
t.Fatalf("err: %v", err)
|
||||||
}
|
}
|
||||||
masterConfig.ExtraConfig.ServiceAccountIssuer = tokenGenerator
|
masterConfig.ExtraConfig.ServiceAccountIssuer = tokenGenerator
|
||||||
masterConfig.ExtraConfig.ServiceAccountAPIAudiences = aud
|
|
||||||
masterConfig.ExtraConfig.ServiceAccountMaxExpiration = maxExpirationDuration
|
masterConfig.ExtraConfig.ServiceAccountMaxExpiration = maxExpirationDuration
|
||||||
|
masterConfig.ExtraConfig.APIAudiences = aud
|
||||||
|
|
||||||
master, _, closeFn := framework.RunAMaster(masterConfig)
|
master, _, closeFn := framework.RunAMaster(masterConfig)
|
||||||
defer closeFn()
|
defer closeFn()
|
||||||
|