Merge pull request #33378 from deads2k/rbac-10-allow-token

Automatic merge from submit-queue

add anytoken authenticator

Adds `--insecure-allow-any-token` as a flag to the API server to create an authenticator that will accept any bearer token and transform it into a user by parsing it out as `username/group1,group2,...`.

This gives an easy way to identify as a user and check permissions:
```bash
ALLOW_ANY_TOKEN=true hack/local-up-cluster.sh 
kubectl config set-cluster local-kube --server=https://localhost:6443 --insecure-skip-tls-verify=true
kubectl config set-credentials david --token=david/group1
kubectl config set-context local --cluster=local-kube --user=david
kubectl config use-context local
```

@kubernetes/sig-auth
Kubernetes Submit Queue
2016-09-29 12:32:08 -07:00
committed by GitHub
10 changed files with 140 additions and 4 deletions


@@ -280,6 +280,10 @@ function start_apiserver {
CERT_DIR=/var/run/kubernetes
ROOT_CA_FILE=$CERT_DIR/apiserver.crt
anytoken_arg=""
if [[ -n "${ALLOW_ANY_TOKEN:-}" ]]; then
anytoken_arg="--insecure-allow-any-token "
fi
priv_arg=""
if [[ -n "${ALLOW_PRIVILEGED}" ]]; then
priv_arg="--allow-privileged "
@@ -297,7 +301,7 @@ function start_apiserver {
fi
APISERVER_LOG=/tmp/kube-apiserver.log
sudo -E "${GO_OUT}/hyperkube" apiserver ${priv_arg} ${runtime_config}\
sudo -E "${GO_OUT}/hyperkube" apiserver ${anytoken_arg} ${priv_arg} ${runtime_config}\
${advertise_address} \
--v=${LOG_LEVEL} \
--cert-dir="${CERT_DIR}" \
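Review bot: The guard `[[ -n "${ALLOW_ANY_TOKEN:-}" ]]` in the first hunk tests only for a non-empty value, so `ALLOW_ANY_TOKEN=false` or `ALLOW_ANY_TOKEN=0` would still start the API server with `--insecure-allow-any-token`. Per the description that flag accepts any bearer token and takes the user and groups from the token text, so it should need an explicit opt-in: `if [[ "${ALLOW_ANY_TOKEN:-}" == "true" ]]; then`, which still matches the `ALLOW_ANY_TOKEN=true` usage shown in the description. The neighbouring `ALLOW_PRIVILEGED` check uses the same non-empty pattern, so the new code follows the file's convention, but the consequence of a mistaken value is larger here. A comment above the block such as `# Local development only: disables real token authentication on the API server.` would also help the next reader. The body of start_apiserver begins and ends outside the hunks shown.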