diff --git a/cmd/kube-apiserver/app/BUILD b/cmd/kube-apiserver/app/BUILD
index d22b706c8a8..322419ed9a1 100644
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@@ -41,7 +41,6 @@ go_library(
 "//pkg/master:go_default_library",
 "//pkg/registry/cachesize:go_default_library",
 "//pkg/runtime/schema:go_default_library",
- "//pkg/serviceaccount:go_default_library",
 "//pkg/util/errors:go_default_library",
 "//pkg/util/net:go_default_library",
 "//pkg/util/wait:go_default_library",
diff --git a/cmd/kubelet/app/BUILD b/cmd/kubelet/app/BUILD
index b681156b224..e18832368fe 100644
--- a/cmd/kubelet/app/BUILD
+++ b/cmd/kubelet/app/BUILD
@@ -26,10 +26,9 @@ go_library(
 "//pkg/api/v1:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//pkg/apis/componentconfig/v1alpha1:go_default_library",
+ "//pkg/apiserver/authenticator:go_default_library",
 "//pkg/auth/authenticator:go_default_library",
- "//pkg/auth/authenticator/bearertoken:go_default_library",
 "//pkg/auth/authorizer:go_default_library",
- "//pkg/auth/group:go_default_library",
 "//pkg/capabilities:go_default_library",
 "//pkg/client/chaosclient:go_default_library",
 "//pkg/client/clientset_generated/release_1_5:go_default_library",
@@ -99,10 +98,6 @@ go_library(
 "//pkg/volume/rbd:go_default_library",
 "//pkg/volume/secret:go_default_library",
 "//pkg/volume/vsphere_volume:go_default_library",
- "//plugin/pkg/auth/authenticator/request/anonymous:go_default_library",
- "//plugin/pkg/auth/authenticator/request/union:go_default_library",
- "//plugin/pkg/auth/authenticator/request/x509:go_default_library",
- "//plugin/pkg/auth/authenticator/token/webhook:go_default_library",
 "//plugin/pkg/auth/authorizer/webhook:go_default_library",
 "//vendor:github.com/golang/glog",
 "//vendor:github.com/spf13/cobra",
diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
index aa2a496e8da..ba9618d68ac 100644
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -22,21 +22,15 @@ import (
 "reflect"
 
 "k8s.io/kubernetes/pkg/apis/componentconfig"
+ apiserverauthenticator "k8s.io/kubernetes/pkg/apiserver/authenticator"
 "k8s.io/kubernetes/pkg/auth/authenticator"
- "k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
 "k8s.io/kubernetes/pkg/auth/authorizer"
- "k8s.io/kubernetes/pkg/auth/group"
 clientset "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5"
 authenticationclient "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1"
 authorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authorization/v1beta1"
 alwaysallowauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
 "k8s.io/kubernetes/pkg/kubelet/server"
 "k8s.io/kubernetes/pkg/types"
- "k8s.io/kubernetes/pkg/util/cert"
- "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous"
- unionauth "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
- "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509"
- webhooktoken "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/webhook"
 webhooksar "k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
 )
 
@@ -67,43 +61,21 @@ func buildAuth(nodeName types.NodeName, client clientset.Interface, config compo
 }
 
 func buildAuthn(client authenticationclient.TokenReviewInterface, authn componentconfig.KubeletAuthentication) (authenticator.Request, error) {
- authenticators := []authenticator.Request{}
-
- // x509 client cert auth
- if len(authn.X509.ClientCAFile) > 0 {
- clientCAs, err := cert.NewPool(authn.X509.ClientCAFile)
- if err != nil {
- return nil, fmt.Errorf("unable to load client CA file %s: %v", authn.X509.ClientCAFile, err)
- }
- verifyOpts := x509.DefaultVerifyOptions()
- verifyOpts.Roots = clientCAs
- authenticators = append(authenticators, x509.New(verifyOpts, x509.CommonNameUserConversion))
+ authenticatorConfig := apiserverauthenticator.DelegatingAuthenticatorConfig{
+ Anonymous: authn.Anonymous.Enabled,
+ CacheTTL: authn.Webhook.CacheTTL.Duration,
+ ClientCAFile: authn.X509.ClientCAFile,
 }
 
- // bearer token auth that uses authentication.k8s.io TokenReview to determine userinfo
 if authn.Webhook.Enabled {
 if client == nil {
 return nil, errors.New("no client provided, cannot use webhook authentication")
 }
- tokenAuth, err := webhooktoken.NewFromInterface(client, authn.Webhook.CacheTTL.Duration)
- if err != nil {
- return nil, err
- }
- authenticators = append(authenticators, bearertoken.New(tokenAuth))
+ authenticatorConfig.TokenAccessReviewClient = client
 }
 
- if len(authenticators) == 0 {
- if authn.Anonymous.Enabled {
- return anonymous.NewAuthenticator(), nil
- }
- return nil, errors.New("No authentication method configured")
- }
-
- authenticator := group.NewGroupAdder(unionauth.New(authenticators...), []string{"system:authenticated"})
- if authn.Anonymous.Enabled {
- authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
- }
- return authenticator, nil
+ authenticator, _, err := authenticatorConfig.New()
+ return authenticator, err
 }
 
 func buildAuthz(client authorizationclient.SubjectAccessReviewInterface, authz
componentconfig.KubeletAuthorization) (authorizer.Authorizer, error) { diff --git a/federation/apis/openapi-spec/swagger.json b/federation/apis/openapi-spec/swagger.json index 456cfce5ea8..85c745a8148 100644 --- a/federation/apis/openapi-spec/swagger.json +++ b/federation/apis/openapi-spec/swagger.json @@ -31,6 +31,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIVersions" } + }, + "401": { + "description": "Unauthorized" } } } @@ -61,6 +64,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIResourceList" } + }, + "401": { + "description": "Unauthorized" } } } @@ -91,6 +97,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMapList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -165,6 +174,9 @@ "schema": { "$ref": "#/definitions/v1.EventList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -276,6 +288,9 @@ "schema": { "$ref": "#/definitions/v1.NamespaceList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -312,6 +327,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -375,6 +393,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -451,6 +472,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMapList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -487,6 +511,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMap" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -550,6 +577,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -611,6 +641,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMap" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -647,6 +680,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMap" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -697,6 +733,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, 
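Review bot: `buildAuthn` has no doc comment, and its new body discards the second value of `authenticatorConfig.New()` with `_`, so a reader cannot tell whether dropping the OpenAPI security definitions is deliberate. Suggest a comment above the function such as `// buildAuthn builds the kubelet's request authenticator from the KubeletAuthentication config: x509 client certs when a client CA file is set, TokenReview-backed bearer tokens when the webhook is enabled, and an anonymous fallback when allowed; the security definitions New() also returns are OpenAPI metadata the kubelet does not serve and are dropped here.` `CacheTTL` is copied into the config unconditionally, which is harmless because `DelegatingAuthenticatorConfig.New` only reads it when a token client is set, but a short comment on the `CacheTTL:` line (`// only used when the webhook token client is set below`) would save the next reader the lookup. The hunk's last line, the `buildAuthz` signature, belongs to a function that continues outside the hunk.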
@@ -735,6 +774,9 @@ "schema": { "$ref": "#/definitions/v1.ConfigMap" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -827,6 +869,9 @@ "schema": { "$ref": "#/definitions/v1.EventList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -863,6 +908,9 @@ "schema": { "$ref": "#/definitions/v1.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -926,6 +974,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -987,6 +1038,9 @@ "schema": { "$ref": "#/definitions/v1.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1023,6 +1077,9 @@ "schema": { "$ref": "#/definitions/v1.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1073,6 +1130,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1111,6 +1171,9 @@ "schema": { "$ref": "#/definitions/v1.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1203,6 +1266,9 @@ "schema": { "$ref": "#/definitions/v1.SecretList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1239,6 +1305,9 @@ "schema": { "$ref": "#/definitions/v1.Secret" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1302,6 +1371,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1363,6 +1435,9 @@ "schema": { "$ref": "#/definitions/v1.Secret" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1399,6 +1474,9 @@ "schema": { "$ref": "#/definitions/v1.Secret" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1449,6 +1527,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1487,6 +1568,9 @@ "schema": { "$ref": "#/definitions/v1.Secret" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -1579,6 +1663,9 @@ "schema": { "$ref": "#/definitions/v1.ServiceList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1615,6 +1702,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1678,6 +1768,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1739,6 +1832,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1775,6 +1871,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1825,6 +1924,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1863,6 +1965,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1916,6 +2021,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1952,6 +2060,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -1990,6 +2101,9 @@ "schema": { "$ref": "#/definitions/v1.Service" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2059,6 +2173,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2095,6 +2212,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2145,6 +2265,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2183,6 +2306,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2228,6 +2354,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -2281,6 +2410,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2317,6 +2449,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2355,6 +2490,9 @@ "schema": { "$ref": "#/definitions/v1.Namespace" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2402,6 +2540,9 @@ "schema": { "$ref": "#/definitions/v1.SecretList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2476,6 +2617,9 @@ "schema": { "$ref": "#/definitions/v1.ServiceList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2550,6 +2694,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2624,6 +2771,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2698,6 +2848,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2772,6 +2925,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2854,6 +3010,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -2944,6 +3103,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3026,6 +3188,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3116,6 +3281,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3198,6 +3366,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3288,6 +3459,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -3370,6 +3544,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3460,6 +3637,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3542,6 +3722,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3616,6 +3799,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3690,6 +3876,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIGroupList" } + }, + "401": { + "description": "Unauthorized" } } } @@ -3720,6 +3909,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIGroup" } + }, + "401": { + "description": "Unauthorized" } } } @@ -3750,6 +3942,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIResourceList" } + }, + "401": { + "description": "Unauthorized" } } } @@ -3780,6 +3975,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSetList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3854,6 +4052,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DeploymentList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -3928,6 +4129,9 @@ "schema": { "$ref": "#/definitions/v1beta1.IngressList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4039,6 +4243,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSetList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4075,6 +4282,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4138,6 +4348,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4199,6 +4412,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -4235,6 +4451,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4285,6 +4504,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4323,6 +4545,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4376,6 +4601,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4412,6 +4640,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4450,6 +4681,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DaemonSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4542,6 +4776,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DeploymentList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4578,6 +4815,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4641,6 +4881,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4702,6 +4945,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4738,6 +4984,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4788,6 +5037,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4826,6 +5078,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4879,6 +5134,9 @@ "schema": { "$ref": "#/definitions/v1beta1.DeploymentRollback" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -4940,6 +5198,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -4976,6 +5237,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5014,6 +5278,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5067,6 +5334,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5103,6 +5373,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5141,6 +5414,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Deployment" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5233,6 +5509,9 @@ "schema": { "$ref": "#/definitions/v1beta1.IngressList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5269,6 +5548,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5332,6 +5614,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5393,6 +5678,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5429,6 +5717,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5479,6 +5770,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5517,6 +5811,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5570,6 +5867,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5606,6 +5906,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -5644,6 +5947,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Ingress" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5736,6 +6042,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSetList" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5772,6 +6081,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5835,6 +6147,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5896,6 +6211,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5932,6 +6250,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -5982,6 +6303,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6020,6 +6344,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6073,6 +6400,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6109,6 +6439,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6147,6 +6480,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Scale" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6200,6 +6536,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6236,6 +6575,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6274,6 +6616,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSet" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6329,6 +6674,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ReplicaSetList" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -6403,6 +6751,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6477,6 +6828,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6551,6 +6905,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6625,6 +6982,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6707,6 +7067,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6797,6 +7160,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6879,6 +7245,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -6969,6 +7338,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7051,6 +7423,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7141,6 +7516,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7223,6 +7601,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7313,6 +7694,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7387,6 +7771,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIGroup" } + }, + "401": { + "description": "Unauthorized" } } } @@ -7417,6 +7804,9 @@ "schema": { "$ref": "#/definitions/unversioned.APIResourceList" } + }, + "401": { + "description": "Unauthorized" } } } @@ -7484,6 +7874,9 @@ "schema": { "$ref": "#/definitions/v1beta1.ClusterList" } + }, + "401": { + "description": "Unauthorized" } } }, 
@@ -7520,6 +7913,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Cluster" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7583,6 +7979,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7636,6 +8035,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Cluster" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7672,6 +8074,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Cluster" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7722,6 +8127,9 @@ "schema": { "$ref": "#/definitions/unversioned.Status" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7760,6 +8168,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Cluster" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7805,6 +8216,9 @@ "schema": { "$ref": "#/definitions/v1beta1.Cluster" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7860,6 +8274,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -7934,6 +8351,9 @@ "schema": { "$ref": "#/definitions/versioned.Event" } + }, + "401": { + "description": "Unauthorized" } } }, @@ -8000,8 +8420,8 @@ ], "operationId": "logFileListHandler", "responses": { - "default": { - "description": "Default Response." + "401": { + "description": "Unauthorized" } } } @@ -8016,8 +8436,8 @@ ], "operationId": "logFileHandler", "responses": { - "default": { - "description": "Default Response." + "401": { + "description": "Unauthorized" } } }, @@ -8054,6 +8474,9 @@ "schema": { "$ref": "#/definitions/version.Info" } + }, + "401": { + "description": "Unauthorized" } } } @@ -10322,5 +10745,10 @@ "name": "authorization", "in": "header" } - } + }, + "security": [ + { + "BearerToken": [] + } + ] } diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go index 9038fe8dfed..6a1f2abd191 100644 --- a/federation/cmd/federation-apiserver/app/server.go 
+++ b/federation/cmd/federation-apiserver/app/server.go
@@ -127,7 +127,7 @@ func Run(s *options.ServerRunOptions) error {
 storageFactory.SetEtcdLocation(groupResource, servers)
 }
 
- apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig())
+ apiAuthenticator, securityDefinitions, err := authenticator.New(s.Authentication.ToAuthenticationConfig(s.SecureServing.ClientCA))
 if err != nil {
 glog.Fatalf("Invalid Authentication Config: %v", err)
 }
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 7197d287344..a508872963c 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -32,6 +32,7 @@ auth-provider
 auth-provider
 auth-provider-arg
 auth-provider-arg
+authentication-kubeconfig
 authentication-token-webhook
 authentication-token-webhook-cache-ttl
 authentication-token-webhook-config-file
diff --git a/pkg/apiserver/authenticator/BUILD b/pkg/apiserver/authenticator/BUILD
index 79517cdd26f..e4a92917b58 100644
--- a/pkg/apiserver/authenticator/BUILD
+++ b/pkg/apiserver/authenticator/BUILD
@@ -12,13 +12,17 @@ load(
 
 go_library(
 name = "go_default_library",
- srcs = ["authn.go"],
+ srcs = [
+ "builtin.go",
+ "delegating.go",
+ ],
 tags = ["automanaged"],
 deps = [
 "//pkg/auth/authenticator:go_default_library",
 "//pkg/auth/authenticator/bearertoken:go_default_library",
 "//pkg/auth/group:go_default_library",
 "//pkg/auth/user:go_default_library",
+ "//pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1:go_default_library",
 "//pkg/serviceaccount:go_default_library",
 "//pkg/util/cert:go_default_library",
 "//plugin/pkg/auth/authenticator/password/keystone:go_default_library",
diff --git a/pkg/apiserver/authenticator/authn.go b/pkg/apiserver/authenticator/builtin.go
similarity index 100%
rename from pkg/apiserver/authenticator/authn.go
rename to pkg/apiserver/authenticator/builtin.go
diff --git a/pkg/apiserver/authenticator/delegating.go b/pkg/apiserver/authenticator/delegating.go
new file mode 100644
index 00000000000..185323bc869
--- /dev/null
+++ b/pkg/apiserver/authenticator/delegating.go
@@ -0,0 +1,97 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authenticator
+
+import (
+ "errors"
+ "fmt"
+ "time"
+
+ "github.com/go-openapi/spec"
+
+ "k8s.io/kubernetes/pkg/auth/authenticator"
+ "k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
+ "k8s.io/kubernetes/pkg/auth/group"
+ "k8s.io/kubernetes/pkg/auth/user"
+ authenticationclient "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1"
+ "k8s.io/kubernetes/pkg/util/cert"
+ "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/anonymous"
+ unionauth "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
+ "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509"
+ webhooktoken "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/webhook"
+)
+
+// DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
+// built to delegate authentication to a kube API server
+type DelegatingAuthenticatorConfig struct {
+ Anonymous bool
+
+ TokenAccessReviewClient authenticationclient.TokenReviewInterface
+
+ // CacheTTL is the length of time that a token authentication answer will be cached.
+ CacheTTL time.Duration
+
+ // ClientCAFile is the CA bundle file used to authenticate client certificates
+ ClientCAFile string
+}
+
+func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) {
+ authenticators := []authenticator.Request{}
+ securityDefinitions := spec.SecurityDefinitions{}
+
+ // x509 client cert auth
+ if len(c.ClientCAFile) > 0 {
+ clientCAs, err := cert.NewPool(c.ClientCAFile)
+ if err != nil {
+ return nil, nil, fmt.Errorf("unable to load client CA file %s: %v", c.ClientCAFile, err)
+ }
+ verifyOpts := x509.DefaultVerifyOptions()
+ verifyOpts.Roots = clientCAs
+ authenticators = append(authenticators, x509.New(verifyOpts, x509.CommonNameUserConversion))
+ }
+
+ if c.TokenAccessReviewClient != nil {
+ tokenAuth, err := webhooktoken.NewFromInterface(c.TokenAccessReviewClient, c.CacheTTL)
+ if err != nil {
+ return nil, nil, err
+ }
+ authenticators = append(authenticators, bearertoken.New(tokenAuth))
+
+ securityDefinitions["BearerToken"] = &spec.SecurityScheme{
+ SecuritySchemeProps: spec.SecuritySchemeProps{
+ Type: "apiKey",
+ Name: "authorization",
+ In: "header",
+ Description: "Bearer Token authentication",
+ },
+ }
+ }
+
+ if len(authenticators) == 0 {
+ if c.Anonymous {
+ return anonymous.NewAuthenticator(), &securityDefinitions, nil
+ }
+ return nil, nil, errors.New("No authentication method configured")
+ }
+
+ authenticator := group.NewGroupAdder(unionauth.New(authenticators...), []string{user.AllAuthenticated})
+ if c.Anonymous {
+ authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
+ }
+ return authenticator, &securityDefinitions, nil
+
+}
diff --git a/pkg/genericapiserver/options/BUILD b/pkg/genericapiserver/options/BUILD
index 8b6f319af02..7bbd1316e56 100644
--- a/pkg/genericapiserver/options/BUILD
+++ b/pkg/genericapiserver/options/BUILD
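Review bot: In `New`, the local `authenticator := group.NewGroupAdder(...)` shadows the imported `authenticator` package for the rest of the function, which compiles but makes the `authenticator.Request` in the signature and the variable easy to confuse; renaming the three lines that use it (`authn := group.NewGroupAdder(unionauth.New(authenticators...), []string{user.AllAuthenticated})`, `authn = unionauth.NewFailOnError(authn, anonymous.NewAuthenticator())`, `return authn, &securityDefinitions, nil`) removes the shadowing. The error string `"No authentication method configured"` should be lowercase per Go convention. `New`, `Anonymous` and `TokenAccessReviewClient` are exported without doc comments; suggested for the method: `// New builds the request authenticator described by the config (x509 client certs from ClientCAFile, bearer tokens checked through TokenAccessReviewClient, and the anonymous authenticator consulted last when Anonymous is set) plus the OpenAPI security definitions, which list BearerToken only when a token client is configured.` and for the field: `// Anonymous appends the anonymous authenticator after the configured ones, so requests none of them accepts are attributed to the anonymous user instead of being rejected.`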
@@ -13,7 +13,7 @@ load(
 go_library(
 name = "go_default_library",
 srcs = [
- "authenticator.go",
+ "authentication.go",
 "doc.go",
 "etcd.go",
 "server_run_options.go",
@@ -25,7 +25,9 @@ go_library(
 "//pkg/api:go_default_library",
 "//pkg/apimachinery/registered:go_default_library",
 "//pkg/apiserver/authenticator:go_default_library",
+ "//pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1:go_default_library",
 "//pkg/client/restclient:go_default_library",
+ "//pkg/client/unversioned/clientcmd:go_default_library",
 "//pkg/runtime/schema:go_default_library",
 "//pkg/storage/storagebackend:go_default_library",
 "//pkg/util/config:go_default_library",
diff --git a/pkg/genericapiserver/options/authentication.go b/pkg/genericapiserver/options/authentication.go
index e3f9a233b8c..83dda7cc506 100644
--- a/pkg/genericapiserver/options/authentication.go
+++ b/pkg/genericapiserver/options/authentication.go
@@ -22,6 +22,8 @@ import (
 "github.com/spf13/pflag"
 
 "k8s.io/kubernetes/pkg/apiserver/authenticator"
+ authenticationclient "k8s.io/kubernetes/pkg/client/clientset_generated/release_1_5/typed/authentication/v1beta1"
+ "k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
 )
 
 type BuiltInAuthenticationOptions struct {
@@ -243,8 +245,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 }
 }
 
-func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.AuthenticatorConfig {
- ret := authenticator.AuthenticatorConfig{}
+func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile string) authenticator.AuthenticatorConfig {
+ ret := authenticator.AuthenticatorConfig{
+ ClientCAFile: clientCAFile,
+ }
 if s.Anonymous != nil {
 ret.Anonymous = s.Anonymous.Allow
 }
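Review bot: `ToAuthenticationConfig` gains a `clientCAFile` parameter in the last hunk but no doc comment says what it is or what an empty value means; suggest `// ToAuthenticationConfig converts the flag values into an AuthenticatorConfig; clientCAFile is the CA bundle used to verify x509 client certificates.` Whether an empty bundle silently disables client-certificate authentication is decided by `AuthenticatorConfig`'s consumer in builtin.go, which is outside this diff, and is worth stating in that comment once confirmed. The signature change breaks every existing caller: the federation apiserver call is updated in this diff, but the kube-apiserver call site is not visible in this chunk (only its BUILD file is touched), so confirm it was updated as well. The function body continues past the end of the hunk.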
@@ -305,11 +309,21 @@ func (s *RequestHeaderAuthenticationOptions) AuthenticationRequestHeaderConfig()
 }
 }
 
+// DelegatingAuthenticationOptions provides an easy way for composing API servers to delegate their authentication to
+// the root kube API server
 type DelegatingAuthenticationOptions struct {
+ // RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
+ // TokenAcessReview.authentication.k8s.io endpoint for checking tokens.
+ RemoteKubeConfigFile string
+
+ // CacheTTL is the length of time that a token authentication answer will be cached.
+ CacheTTL time.Duration
 }
 
 func NewDelegatingAuthenticationOptions() *DelegatingAuthenticationOptions {
- return &DelegatingAuthenticationOptions{}
+ return &DelegatingAuthenticationOptions{
+ CacheTTL: 5 * time.Minute,
+ }
 }
 
 func (s *DelegatingAuthenticationOptions) Validate() []error {
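Review bot: The comment on `RemoteKubeConfigFile` names `TokenAcessReview.authentication.k8s.io`, which is misspelled and is not the resource the new `newTokenAccessReview` in the following hunk actually calls (`client.TokenReviews()`); suggest `// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the` / `// tokenreviews.authentication.k8s.io endpoint for checking tokens.`. The same mismatch appears in the `authentication-kubeconfig` flag help in the following hunk, where the second string segment reads `" tokenaccessreviews.authencation.k8s.io."` with a stray leading space and a typo and should be `"tokenreviews.authentication.k8s.io."`. `CacheTTL` gets a 5-minute default in `NewDelegatingAuthenticationOptions` but the `AddFlags` added in the next hunk registers no flag for it, so its comment could say `// CacheTTL is the length of time that a token authentication answer will be cached. Defaults to 5m; not settable by flag.`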
@@ -318,4 +332,44 @@ func (s *DelegatingAuthenticationOptions) Validate() []error {
 }
 
 func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+ fs.StringVar(&s.RemoteKubeConfigFile, "authentication-kubeconfig", s.RemoteKubeConfigFile, ""+
+ "kubeconfig file pointing at the 'core' kubernetes server with enough rights to create "+
+ " tokenaccessreviews.authencation.k8s.io.")
+}
+
+func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig(clientCAFile string) (authenticator.DelegatingAuthenticatorConfig, error) {
+ tokenClient, err := s.newTokenAccessReview()
+ if err != nil {
+ return authenticator.DelegatingAuthenticatorConfig{}, err
+ }
+
+ ret := authenticator.DelegatingAuthenticatorConfig{
+ Anonymous: true,
+ TokenAccessReviewClient: tokenClient,
+ CacheTTL: s.CacheTTL,
+ ClientCAFile: clientCAFile,
+ }
+ return ret, nil
+}
+
+func (s *DelegatingAuthenticationOptions) newTokenAccessReview() (authenticationclient.TokenReviewInterface, error) {
+ if len(s.RemoteKubeConfigFile) == 0 {
+ return nil, nil
+ }
+
+ loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+ loadingRules.ExplicitPath = s.RemoteKubeConfigFile
+ loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+ clientConfig, err := loader.ClientConfig()
+ if err != nil {
+ return nil, err
+ }
+
+ client, err := authenticationclient.NewForConfig(clientConfig)
+ if err != nil {
+ return nil, err
+ }
+
+ return client.TokenReviews(), nil
 }
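Review bot: `ToAuthenticationConfig` hard-codes `Anonymous: true`, and `newTokenAccessReview` returns `nil, nil` when `--authentication-kubeconfig` is unset, so a delegating server started without that flag and with an empty `clientCAFile` reaches the `len(authenticators) == 0` branch of `DelegatingAuthenticatorConfig.New` and ends up with an authenticator whose only possible identity is the anonymous user, with nothing in this hunk telling the operator. A comment on the config literal would make the trade-off explicit, e.g. `// Anonymous is always on for delegating servers: requests without accepted credentials are attributed to the anonymous user, so the authorizer must deny them by default; with no kubeconfig and no client CA, anonymous is the only identity this server can assign.` A log line at `newTokenAccessReview`'s early `return nil, nil`, or a check in `Validate` (whose body is outside this hunk) that the configured file is readable, would surface the misconfiguration at startup rather than leaving it to be discovered from 401/403 behaviour. The final `}` of the hunk closes `newTokenAccessReview` and is the file's last line.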