Merge pull request #41230 from xilabao/fix-token-validation-in-kubeadm

Automatic merge from submit-queue (batch tested with PRs 41342, 41257, 41295, 41367, 41230) fix token validation in kubeadm fix https://github.com/kubernetes/kubeadm/issues/157
2025-07-20 10:20:51 +00:00 · 2017-02-13 23:48:09 -08:00 · 2017-02-13 23:48:09 -08:00 · 739f4ffe0e
commit 739f4ffe0e
parent 416c1a498e 0e77e2b800
3 changed files with 32 additions and 0 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@ -71,6 +71,12 @@ func ValidateHTTPSDiscovery(c *kubeadm.HTTPSDiscovery, fldPath *field.Path) fiel

 func ValidateTokenDiscovery(c *kubeadm.TokenDiscovery, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
+	if len(c.ID) == 0 || len(c.Secret) == 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath, nil, "token must be specific as <ID>:<Secret>"))
+	}
+	if len(c.Addresses) == 0 {
+		allErrs = append(allErrs, field.Invalid(fldPath, nil, "at least one address is required"))
+	}
 	return allErrs
 }

--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
@ -23,6 +23,29 @@ import (
 	"k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 )

+func TestValidateTokenDiscovery(t *testing.T) {
+	var tests = []struct {
+		c        *kubeadm.TokenDiscovery
+		f        *field.Path
+		expected bool
+	}{
+		{&kubeadm.TokenDiscovery{ID: "772ef5", Secret: "6b6baab1d4a0a171", Addresses: []string{"192.168.122.100:9898"}}, nil, true},
+		{&kubeadm.TokenDiscovery{ID: "", Secret: "6b6baab1d4a0a171", Addresses: []string{"192.168.122.100:9898"}}, nil, false},
+		{&kubeadm.TokenDiscovery{ID: "772ef5", Secret: "", Addresses: []string{"192.168.122.100:9898"}}, nil, false},
+		{&kubeadm.TokenDiscovery{ID: "772ef5", Secret: "6b6baab1d4a0a171", Addresses: []string{}}, nil, false},
+	}
+	for _, rt := range tests {
+		err := ValidateTokenDiscovery(rt.c, rt.f).ToAggregate()
+		if (err == nil) != rt.expected {
+			t.Errorf(
+				"failed ValidateTokenDiscovery:\n\texpected: %t\n\t  actual: %t",
+				rt.expected,
+				(err == nil),
+			)
+		}
+	}
+}
+
 func TestValidateServiceSubnet(t *testing.T) {
 	var tests = []struct {
 		s        string
--- a/cmd/kubeadm/app/node/discovery.go
+++ b/cmd/kubeadm/app/node/discovery.go
@ -33,6 +33,9 @@ import (
 const discoveryRetryTimeout = 5 * time.Second

 func RetrieveTrustedClusterInfo(d *kubeadmapi.TokenDiscovery) (*kubeadmapi.ClusterInfo, error) {
+	if len(d.Addresses) == 0 {
+		return nil, fmt.Errorf("the address is required to generate the requestURL")
+	}
 	requestURL := fmt.Sprintf("http://%s/cluster-info/v1/?token-id=%s", d.Addresses[0], d.ID)
 	req, err := http.NewRequest("GET", requestURL, nil)
 	if err != nil {