Switch kubelet/aggregated API servers to use v1 tokenreviews

2025-09-21 01:50:55 +00:00 · 2019-11-04 22:41:32 -05:00
parent 0afc8423f8
commit 5ef4fe959a
11 changed files with 958 additions and 108 deletions
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -90,6 +90,7 @@ type TokenFileAuthenticationOptions struct {

 type WebHookAuthenticationOptions struct {
 	ConfigFile string
+	Version    string
 	CacheTTL   time.Duration
 }

@@ -155,6 +156,7 @@ func (s *BuiltInAuthenticationOptions) WithTokenFile() *BuiltInAuthenticationOpt

 func (s *BuiltInAuthenticationOptions) WithWebHook() *BuiltInAuthenticationOptions {
 	s.WebHook = &WebHookAuthenticationOptions{
+		Version:  "v1beta1",
 		CacheTTL: 2 * time.Minute,
 	}
 	return s
@@ -303,6 +305,9 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"File with webhook configuration for token authentication in kubeconfig format. "+
 			"The API server will query the remote service to determine authentication for bearer tokens.")

+		fs.StringVar(&s.WebHook.Version, "authentication-token-webhook-version", s.WebHook.Version, ""+
+			"The API version of the authentication.k8s.io TokenReview to send to and expect from the webhook.")
+
 		fs.DurationVar(&s.WebHook.CacheTTL, "authentication-token-webhook-cache-ttl", s.WebHook.CacheTTL,
 			"The duration to cache responses from the webhook token authenticator.")
 	}
@@ -370,6 +375,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat

 	if s.WebHook != nil {
 		ret.WebhookTokenAuthnConfigFile = s.WebHook.ConfigFile
+		ret.WebhookTokenAuthnVersion = s.WebHook.Version
 		ret.WebhookTokenAuthnCacheTTL = s.WebHook.CacheTTL

 		if len(s.WebHook.ConfigFile) > 0 && s.WebHook.CacheTTL > 0 {