Merge pull request #48343 from deads2k/auth-06-sa-token

Automatic merge from submit-queue

don't accept delete tokens that are waiting to be reaped

With garbage collection, it becomes possible (even likely) that resources will carry finalizers and linger after deletion until they are reaped.  A secret or a service account that has been deleted and is awaiting reaping should not be considered valid.  This adds a check for whether those objects have a deletionTimestamp set and rejects the token if so.

@kubernetes/sig-auth-misc 

```release-note
Previously a deleted service account token secret would be considered valid until it was reaped.  Now it is invalid as soon as the deletionTimestamp is set.
```
This commit is contained in:
Kubernetes Submit Queue 2017-06-30 08:33:32 -07:00 committed by GitHub
commit 586642a55c


@ -290,6 +290,10 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
return nil, false, errors.New("Token has been invalidated")
}
if secret.DeletionTimestamp != nil {
glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return nil, false, errors.New("Token has been invalidated")
}
if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(token)) != 0 {
glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return nil, false, errors.New("Token does not match server's copy")
@ -301,6 +305,10 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
return nil, false, err
}
if serviceAccount.DeletionTimestamp != nil {
glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
return nil, false, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
}
if string(serviceAccount.UID) != serviceAccountUID {
glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
return nil, false, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
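Review bot: The new DeletionTimestamp checks at the top of each hunk carry no comment saying why an object the getter just returned successfully is nonetheless rejected, and the next reader will need that; I would put `// A set deletionTimestamp means deletion is only held up by finalizers (GC); treat the token as revoked now rather than when the object is reaped.` above both checks. The two new branches also report differently: the secret case returns the generic "Token has been invalidated" while the service-account case returns an error naming the namespace and account, so if that asymmetry is intentional (it matches the existing UID-mismatch message) a one-line comment saying so would help, and otherwise the secret-style generic message is the safer default for a caller-visible error. Both checks only see whatever the getter returns, so if it is served from a cache a freshly set deletionTimestamp may not be observed until the cache catches up, which is worth confirming against the getter implementation. Adjacent but pre-existing: the token comparison via `bytes.Compare` on the context line is not constant-time, and `subtle.ConstantTimeCompare` from crypto/subtle would be the safer choice for comparing a bearer secret. AuthenticateToken begins before the first hunk and continues past the last line shown.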