Removing ServiceAccount auth options from federated apiserver

2025-07-23 11:50:44 +00:00 · 2016-04-12 16:04:59 -07:00 · 2016-04-12 16:04:59 -07:00 · 58ead776b3
commit 58ead776b3
parent 831c8d7594
2 changed files with 9 additions and 32 deletions
--- a/federation/cmd/federated-apiserver/app/options/options.go
+++ b/federation/cmd/federated-apiserver/app/options/options.go
@ -78,8 +78,6 @@ type APIServer struct {
 	RuntimeConfig              config.ConfigurationMap
 	SSHKeyfile                 string
 	SSHUser                    string
-	ServiceAccountKeyFile      string
-	ServiceAccountLookup       bool
 	ServiceClusterIPRange      net.IPNet // TODO: make this a list
 	ServiceNodePortRange       utilnet.PortRange
 	StorageVersions            string
@ -215,8 +213,6 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
 		"The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not "+
 		"guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.")
 	fs.StringVar(&s.OIDCGroupsClaim, "oidc-groups-claim", "", "If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be an array of strings. This flag is experimental, please see the authentication documentation for further details.")
-	fs.StringVar(&s.ServiceAccountKeyFile, "service-account-key-file", s.ServiceAccountKeyFile, "File containing PEM-encoded x509 RSA private or public key, used to verify ServiceAccount tokens. If unspecified, --tls-private-key-file is used.")
-	fs.BoolVar(&s.ServiceAccountLookup, "service-account-lookup", s.ServiceAccountLookup, "If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
 	fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL, "If passed, activates the keystone authentication plugin")
 	fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
 	fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, "File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
--- a/federation/cmd/federated-apiserver/app/server.go
+++ b/federation/cmd/federated-apiserver/app/server.go
@ -48,7 +48,6 @@ import (
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/runtime"
 	"k8s.io/kubernetes/pkg/runtime/serializer/versioning"
-	"k8s.io/kubernetes/pkg/serviceaccount"
 	"k8s.io/kubernetes/pkg/storage"
 	etcdstorage "k8s.io/kubernetes/pkg/storage/etcd"
 	utilnet "k8s.io/kubernetes/pkg/util/net"
@ -229,34 +228,16 @@ func Run(s *options.APIServer) error {

 	n := s.ServiceClusterIPRange

-	// Default to the private server key for service account token signing
-	if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
-		if authenticator.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
-			s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
-		} else {
-			glog.Warning("No RSA key provided, service account token authentication disabled")
-		}
-	}
-
-	var serviceAccountGetter serviceaccount.ServiceAccountTokenGetter
-	if s.ServiceAccountLookup {
-		// TODO: Maybe do not expose this option in genericapiserver, if most servers do not need it?
-		glog.Fatalf("Invalid ServerRunOptions: ServiceAccountLookup should be false for ubernetes server")
-	}
-
 	authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
-		BasicAuthFile:             s.BasicAuthFile,
-		ClientCAFile:              s.ClientCAFile,
-		TokenAuthFile:             s.TokenAuthFile,
-		OIDCIssuerURL:             s.OIDCIssuerURL,
-		OIDCClientID:              s.OIDCClientID,
-		OIDCCAFile:                s.OIDCCAFile,
-		OIDCUsernameClaim:         s.OIDCUsernameClaim,
-		OIDCGroupsClaim:           s.OIDCGroupsClaim,
-		ServiceAccountKeyFile:     s.ServiceAccountKeyFile,
-		ServiceAccountLookup:      s.ServiceAccountLookup,
-		ServiceAccountTokenGetter: serviceAccountGetter,
-		KeystoneURL:               s.KeystoneURL,
+		BasicAuthFile:     s.BasicAuthFile,
+		ClientCAFile:      s.ClientCAFile,
+		TokenAuthFile:     s.TokenAuthFile,
+		OIDCIssuerURL:     s.OIDCIssuerURL,
+		OIDCClientID:      s.OIDCClientID,
+		OIDCCAFile:        s.OIDCCAFile,
+		OIDCUsernameClaim: s.OIDCUsernameClaim,
+		OIDCGroupsClaim:   s.OIDCGroupsClaim,
+		KeystoneURL:       s.KeystoneURL,
 	})
 	if err != nil {
 		glog.Fatalf("Invalid Authentication Config: %v", err)