diff --git a/federation/cmd/federated-apiserver/app/options/options.go b/federation/cmd/federated-apiserver/app/options/options.go
index a0ca0be05a8..d4445ce685b 100644
--- a/federation/cmd/federated-apiserver/app/options/options.go
+++ b/federation/cmd/federated-apiserver/app/options/options.go
@@ -78,8 +78,6 @@ type APIServer struct {
 RuntimeConfig config.ConfigurationMap
 SSHKeyfile string
 SSHUser string
- ServiceAccountKeyFile string
- ServiceAccountLookup bool
 ServiceClusterIPRange net.IPNet // TODO: make this a list
 ServiceNodePortRange utilnet.PortRange
 StorageVersions string
@@ -215,8 +213,6 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
 "The OpenID claim to use as the user name. Note that claims other than the default ('sub') is not "+
 "guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details.")
 fs.StringVar(&s.OIDCGroupsClaim, "oidc-groups-claim", "", "If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be an array of strings. This flag is experimental, please see the authentication documentation for further details.")
- fs.StringVar(&s.ServiceAccountKeyFile, "service-account-key-file", s.ServiceAccountKeyFile, "File containing PEM-encoded x509 RSA private or public key, used to verify ServiceAccount tokens. If unspecified, --tls-private-key-file is used.")
- fs.BoolVar(&s.ServiceAccountLookup, "service-account-lookup", s.ServiceAccountLookup, "If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
 fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL, "If passed, activates the keystone authentication plugin")
 fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
 fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, "File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
diff --git a/federation/cmd/federated-apiserver/app/server.go b/federation/cmd/federated-apiserver/app/server.go
index d59eaaafab0..96e84436f65 100644
--- a/federation/cmd/federated-apiserver/app/server.go
+++ b/federation/cmd/federated-apiserver/app/server.go
@@ -48,7 +48,6 @@ import (
 "k8s.io/kubernetes/pkg/registry/cachesize"
 "k8s.io/kubernetes/pkg/runtime"
 "k8s.io/kubernetes/pkg/runtime/serializer/versioning"
- "k8s.io/kubernetes/pkg/serviceaccount"
 "k8s.io/kubernetes/pkg/storage"
 etcdstorage "k8s.io/kubernetes/pkg/storage/etcd"
 utilnet "k8s.io/kubernetes/pkg/util/net"
@@ -229,34 +228,16 @@ func Run(s *options.APIServer) error {
 n := s.ServiceClusterIPRange
- // Default to the private server key for service account token signing
- if s.ServiceAccountKeyFile == "" && s.TLSPrivateKeyFile != "" {
- if authenticator.IsValidServiceAccountKeyFile(s.TLSPrivateKeyFile) {
- s.ServiceAccountKeyFile = s.TLSPrivateKeyFile
- } else {
- glog.Warning("No RSA key provided, service account token authentication disabled")
- }
- }
-
- var serviceAccountGetter serviceaccount.ServiceAccountTokenGetter
- if s.ServiceAccountLookup {
- // TODO: Maybe do not expose this option in genericapiserver, if most servers do not need it?
- glog.Fatalf("Invalid ServerRunOptions: ServiceAccountLookup should be false for ubernetes server")
- }
 authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
- BasicAuthFile: s.BasicAuthFile,
- ClientCAFile: s.ClientCAFile,
- TokenAuthFile: s.TokenAuthFile,
- OIDCIssuerURL: s.OIDCIssuerURL,
- OIDCClientID: s.OIDCClientID,
- OIDCCAFile: s.OIDCCAFile,
- OIDCUsernameClaim: s.OIDCUsernameClaim,
- OIDCGroupsClaim: s.OIDCGroupsClaim,
- ServiceAccountKeyFile: s.ServiceAccountKeyFile,
- ServiceAccountLookup: s.ServiceAccountLookup,
- ServiceAccountTokenGetter: serviceAccountGetter,
- KeystoneURL: s.KeystoneURL,
+ BasicAuthFile: s.BasicAuthFile,
+ ClientCAFile: s.ClientCAFile,
+ TokenAuthFile: s.TokenAuthFile,
+ OIDCIssuerURL: s.OIDCIssuerURL,
+ OIDCClientID: s.OIDCClientID,
+ OIDCCAFile: s.OIDCCAFile,
+ OIDCUsernameClaim: s.OIDCUsernameClaim,
+ OIDCGroupsClaim: s.OIDCGroupsClaim,
+ KeystoneURL: s.KeystoneURL,
 })
 if err != nil {
 glog.Fatalf("Invalid Authentication Config: %v", err)