github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-01 07:47:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #117713 from flant/ssr-ga

Browse Source 
KEP-3325: Promote SelfSubjectReview to GA
This commit is contained in:
Kubernetes Prow Robot 2023-05-03 08:54:24 -07:00 committed by GitHub
commit 78833e1b33
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 1416 additions and 112 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

128
api/openapi-spec/swagger.json generated
View File

@ -1978,6 +1978,45 @@
},
"type": "object"
},
"io.k8s.api.authentication.v1.SelfSubjectReview": {
"description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta",
"description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"status": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReviewStatus",
"description": "Status is filled in by the server with the user attributes."
}
},
"type": "object",
"x-kubernetes-group-version-kind": [
{
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1"
}
]
},
"io.k8s.api.authentication.v1.SelfSubjectReviewStatus": {
"description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"properties": {
"userInfo": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo",
"description": "User attributes of the user making this request."
}
},
"type": "object"
},
"io.k8s.api.authentication.v1.TokenRequest": {
"description": "TokenRequest requests a token for a given service account.",
"properties": {
@ -50768,6 +50807,95 @@
]
}
},
"/apis/authentication.k8s.io/v1/selfsubjectreviews": {
"parameters": [
{
"description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
"in": "query",
"name": "dryRun",
"type": "string",
"uniqueItems": true
},
{
"description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
"in": "query",
"name": "fieldManager",
"type": "string",
"uniqueItems": true
},
{
"description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
"in": "query",
"name": "fieldValidation",
"type": "string",
"uniqueItems": true
},
{
"description": "If 'true', then the output is pretty printed.",
"in": "query",
"name": "pretty",
"type": "string",
"uniqueItems": true
}
],
"post": {
"consumes": [
"*/*"
],
"description": "create a SelfSubjectReview",
"operationId": "createAuthenticationV1SelfSubjectReview",
"parameters": [
{
"in": "body",
"name": "body",
"required": true,
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"
}
}
],
"produces": [
"application/json",
"application/yaml",
"application/vnd.kubernetes.protobuf"
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"201": {
"description": "Created",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"202": {
"description": "Accepted",
"schema": {
"$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"401": {
"description": "Unauthorized"
}
},
"schemes": [
"https"
],
"tags": [
"authentication_v1"
],
"x-kubernetes-action": "post",
"x-kubernetes-group-version-kind": {
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1"
}
}
},
"/apis/authentication.k8s.io/v1/tokenreviews": {
"parameters": [
{

181
api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json
View File

@ -1,6 +1,60 @@
{
"components": {
"schemas": {
"io.k8s.api.authentication.v1.SelfSubjectReview": {
"description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
}
],
"default": {},
"description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"
},
"status": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReviewStatus"
}
],
"default": {},
"description": "Status is filled in by the server with the user attributes."
}
},
"type": "object",
"x-kubernetes-group-version-kind": [
{
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1"
}
]
},
"io.k8s.api.authentication.v1.SelfSubjectReviewStatus": {
"description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"properties": {
"userInfo": {
"allOf": [
{
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.UserInfo"
}
],
"default": {},
"description": "User attributes of the user making this request."
}
},
"type": "object"
},
"io.k8s.api.authentication.v1.TokenReview": {
"description": "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.",
"properties": {
@ -495,6 +549,133 @@
]
}
},
"/apis/authentication.k8s.io/v1/selfsubjectreviews": {
"parameters": [
{
"description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed",
"in": "query",
"name": "dryRun",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.",
"in": "query",
"name": "fieldManager",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.",
"in": "query",
"name": "fieldValidation",
"schema": {
"type": "string",
"uniqueItems": true
}
},
{
"description": "If 'true', then the output is pretty printed.",
"in": "query",
"name": "pretty",
"schema": {
"type": "string",
"uniqueItems": true
}
}
],
"post": {
"description": "create a SelfSubjectReview",
"operationId": "createAuthenticationV1SelfSubjectReview",
"requestBody": {
"content": {
"*/*": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
}
}
},
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
}
},
"description": "OK"
},
"201": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
}
},
"description": "Created"
},
"202": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/vnd.kubernetes.protobuf": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
},
"application/yaml": {
"schema": {
"$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview"
}
}
},
"description": "Accepted"
},
"401": {
"description": "Unauthorized"
}
},
"tags": [
"authentication_v1"
],
"x-kubernetes-action": "post",
"x-kubernetes-group-version-kind": {
"group": "authentication.k8s.io",
"kind": "SelfSubjectReview",
"version": "v1"
}
}
},
"/apis/authentication.k8s.io/v1/tokenreviews": {
"parameters": [
{

70
pkg/apis/authentication/v1/zz_generated.conversion.go generated
View File

@ -49,6 +49,26 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1.SelfSubjectReview)(nil), (*authentication.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(a.(*v1.SelfSubjectReview), b.(*authentication.SelfSubjectReview), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReview)(nil), (*v1.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(a.(*authentication.SelfSubjectReview), b.(*v1.SelfSubjectReview), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1.SelfSubjectReviewStatus)(nil), (*authentication.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(a.(*v1.SelfSubjectReviewStatus), b.(*authentication.SelfSubjectReviewStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReviewStatus)(nil), (*v1.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(a.(*authentication.SelfSubjectReviewStatus), b.(*v1.SelfSubjectReviewStatus), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1.TokenRequest)(nil), (*authentication.TokenRequest)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1_TokenRequest_To_authentication_TokenRequest(a.(*v1.TokenRequest), b.(*authentication.TokenRequest), scope)
}); err != nil {
@ -148,6 +168,56 @@ func Convert_authentication_BoundObjectReference_To_v1_BoundObjectReference(in *
return autoConvert_authentication_BoundObjectReference_To_v1_BoundObjectReference(in, out, s)
}
func autoConvert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
// Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview is an autogenerated conversion function.
func Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error {
return autoConvert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in, out, s)
}
func autoConvert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1.SelfSubjectReview, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
// Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview is an autogenerated conversion function.
func Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1.SelfSubjectReview, s conversion.Scope) error {
return autoConvert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in, out, s)
}
func autoConvert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error {
if err := Convert_v1_UserInfo_To_authentication_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil {
return err
}
return nil
}
// Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus is an autogenerated conversion function.
func Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error {
return autoConvert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in, out, s)
}
func autoConvert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1.SelfSubjectReviewStatus, s conversion.Scope) error {
if err := Convert_authentication_UserInfo_To_v1_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil {
return err
}
return nil
}
// Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus is an autogenerated conversion function.
func Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1.SelfSubjectReviewStatus, s conversion.Scope) error {
return autoConvert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in, out, s)
}
func autoConvert_v1_TokenRequest_To_authentication_TokenRequest(in *v1.TokenRequest, out *authentication.TokenRequest, s conversion.Scope) error {
out.ObjectMeta = in.ObjectMeta
if err := Convert_v1_TokenRequestSpec_To_authentication_TokenRequestSpec(&in.Spec, &out.Spec, s); err != nil {

1
pkg/controlplane/storageversionhashdata/data.go
View File

@ -26,6 +26,7 @@ import (
var NoStorageVersionHash = sets.NewString(
"v1/bindings",
"v1/componentstatuses",
"authentication.k8s.io/v1/selfsubjectreviews",
"authentication.k8s.io/v1/tokenreviews",
"authorization.k8s.io/v1/localsubjectaccessreviews",
"authorization.k8s.io/v1/selfsubjectaccessreviews",

3
pkg/features/kube_features.go
View File

@ -53,6 +53,7 @@ const (
// owner: @nabokihms
// alpha: v1.26
// beta: v1.27
// GA: v1.28
//
// Enables API to get self subject attributes after authentication.
APISelfSubjectReview featuregate.Feature = "APISelfSubjectReview"
@ -872,7 +873,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
AnyVolumeDataSource: {Default: true, PreRelease: featuregate.Beta}, // on by default in 1.24
APISelfSubjectReview: {Default: true, PreRelease: featuregate.Beta}, // on by default in 1.27
APISelfSubjectReview: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.28; remove in 1.30
AppArmor: {Default: true, PreRelease: featuregate.Beta},

67
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -169,6 +169,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
"k8s.io/api/apps/v1beta2.StatefulSetStatus": schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref),
"k8s.io/api/apps/v1beta2.StatefulSetUpdateStrategy": schema_k8sio_api_apps_v1beta2_StatefulSetUpdateStrategy(ref),
"k8s.io/api/authentication/v1.BoundObjectReference": schema_k8sio_api_authentication_v1_BoundObjectReference(ref),
"k8s.io/api/authentication/v1.SelfSubjectReview": schema_k8sio_api_authentication_v1_SelfSubjectReview(ref),
"k8s.io/api/authentication/v1.SelfSubjectReviewStatus": schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref),
"k8s.io/api/authentication/v1.TokenRequest": schema_k8sio_api_authentication_v1_TokenRequest(ref),
"k8s.io/api/authentication/v1.TokenRequestSpec": schema_k8sio_api_authentication_v1_TokenRequestSpec(ref),
"k8s.io/api/authentication/v1.TokenRequestStatus": schema_k8sio_api_authentication_v1_TokenRequestStatus(ref),
@ -8437,6 +8439,71 @@ func schema_k8sio_api_authentication_v1_BoundObjectReference(ref common.Referenc
}
}
func schema_k8sio_api_authentication_v1_SelfSubjectReview(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"kind": {
SchemaProps: spec.SchemaProps{
Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
Type: []string{"string"},
Format: "",
},
},
"apiVersion": {
SchemaProps: spec.SchemaProps{
Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
Type: []string{"string"},
Format: "",
},
},
"metadata": {
SchemaProps: spec.SchemaProps{
Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
Default: map[string]interface{}{},
Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
},
},
"status": {
SchemaProps: spec.SchemaProps{
Description: "Status is filled in by the server with the user attributes.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/authentication/v1.SelfSubjectReviewStatus"),
},
},
},
},
},
Dependencies: []string{
"k8s.io/api/authentication/v1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
}
}
func schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{
SchemaProps: spec.SchemaProps{
Description: "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
Type: []string{"object"},
Properties: map[string]spec.Schema{
"userInfo": {
SchemaProps: spec.SchemaProps{
Description: "User attributes of the user making this request.",
Default: map[string]interface{}{},
Ref: ref("k8s.io/api/authentication/v1.UserInfo"),
},
},
},
},
},
Dependencies: []string{
"k8s.io/api/authentication/v1.UserInfo"},
}
}
func schema_k8sio_api_authentication_v1_TokenRequest(ref common.ReferenceCallback) common.OpenAPIDefinition {
return common.OpenAPIDefinition{
Schema: spec.Schema{

23
pkg/registry/authentication/rest/storage_authentication.go
View File

@ -25,11 +25,8 @@ import (
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
serverstorage "k8s.io/apiserver/pkg/server/storage"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/registry/authentication/selfsubjectreview"
"k8s.io/kubernetes/pkg/registry/authentication/tokenreview"
)
@ -72,6 +69,10 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API
tokenReviewStorage := tokenreview.NewREST(p.Authenticator, p.APIAudiences)
storage[resource] = tokenReviewStorage
}
if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1.SchemeGroupVersion.WithResource(resource)) {
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
}
return storage
}
@ -81,12 +82,8 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora
// selfsubjectreviews
if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1alpha1.SchemeGroupVersion.WithResource(resource)) {
if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
} else {
klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.")
}
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
}
return storage
}
@ -96,12 +93,8 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag
// selfsubjectreviews
if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1beta1.SchemeGroupVersion.WithResource(resource)) {
if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
} else {
klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.")
}
selfSRStorage := selfsubjectreview.NewREST()
storage[resource] = selfSRStorage
}
return storage
}

5
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -231,10 +231,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
basicUserRules := []rbacv1.PolicyRule{
rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
}
if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) {
basicUserRules = append(basicUserRules, rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie())
rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie(),
}
roles = append(roles, []rbacv1.ClusterRole{

511
staging/src/k8s.io/api/authentication/v1/generated.pb.go generated
View File

@ -102,10 +102,66 @@ func (m *ExtraValue) XXX_DiscardUnknown() {
var xxx_messageInfo_ExtraValue proto.InternalMessageInfo
func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} }
func (*SelfSubjectReview) ProtoMessage() {}
func (*SelfSubjectReview) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{2}
}
func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *SelfSubjectReview) XXX_Merge(src proto.Message) {
xxx_messageInfo_SelfSubjectReview.Merge(m, src)
}
func (m *SelfSubjectReview) XXX_Size() int {
return m.Size()
}
func (m *SelfSubjectReview) XXX_DiscardUnknown() {
xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m)
}
var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo
func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} }
func (*SelfSubjectReviewStatus) ProtoMessage() {}
func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{3}
}
func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
}
func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
b = b[:cap(b)]
n, err := m.MarshalToSizedBuffer(b)
if err != nil {
return nil, err
}
return b[:n], nil
}
func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) {
xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src)
}
func (m *SelfSubjectReviewStatus) XXX_Size() int {
return m.Size()
}
func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() {
xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m)
}
var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo
func (m *TokenRequest) Reset() { *m = TokenRequest{} }
func (*TokenRequest) ProtoMessage() {}
func (*TokenRequest) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{2}
return fileDescriptor_2953ea822e7ffe1e, []int{4}
}
func (m *TokenRequest) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -133,7 +189,7 @@ var xxx_messageInfo_TokenRequest proto.InternalMessageInfo
func (m *TokenRequestSpec) Reset() { *m = TokenRequestSpec{} }
func (*TokenRequestSpec) ProtoMessage() {}
func (*TokenRequestSpec) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{3}
return fileDescriptor_2953ea822e7ffe1e, []int{5}
}
func (m *TokenRequestSpec) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -161,7 +217,7 @@ var xxx_messageInfo_TokenRequestSpec proto.InternalMessageInfo
func (m *TokenRequestStatus) Reset() { *m = TokenRequestStatus{} }
func (*TokenRequestStatus) ProtoMessage() {}
func (*TokenRequestStatus) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{4}
return fileDescriptor_2953ea822e7ffe1e, []int{6}
}
func (m *TokenRequestStatus) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -189,7 +245,7 @@ var xxx_messageInfo_TokenRequestStatus proto.InternalMessageInfo
func (m *TokenReview) Reset() { *m = TokenReview{} }
func (*TokenReview) ProtoMessage() {}
func (*TokenReview) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{5}
return fileDescriptor_2953ea822e7ffe1e, []int{7}
}
func (m *TokenReview) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -217,7 +273,7 @@ var xxx_messageInfo_TokenReview proto.InternalMessageInfo
func (m *TokenReviewSpec) Reset() { *m = TokenReviewSpec{} }
func (*TokenReviewSpec) ProtoMessage() {}
func (*TokenReviewSpec) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{6}
return fileDescriptor_2953ea822e7ffe1e, []int{8}
}
func (m *TokenReviewSpec) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -245,7 +301,7 @@ var xxx_messageInfo_TokenReviewSpec proto.InternalMessageInfo
func (m *TokenReviewStatus) Reset() { *m = TokenReviewStatus{} }
func (*TokenReviewStatus) ProtoMessage() {}
func (*TokenReviewStatus) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{7}
return fileDescriptor_2953ea822e7ffe1e, []int{9}
}
func (m *TokenReviewStatus) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -273,7 +329,7 @@ var xxx_messageInfo_TokenReviewStatus proto.InternalMessageInfo
func (m *UserInfo) Reset() { *m = UserInfo{} }
func (*UserInfo) ProtoMessage() {}
func (*UserInfo) Descriptor() ([]byte, []int) {
return fileDescriptor_2953ea822e7ffe1e, []int{8}
return fileDescriptor_2953ea822e7ffe1e, []int{10}
}
func (m *UserInfo) XXX_Unmarshal(b []byte) error {
return m.Unmarshal(b)
@ -301,6 +357,8 @@ var xxx_messageInfo_UserInfo proto.InternalMessageInfo
func init() {
proto.RegisterType((*BoundObjectReference)(nil), "k8s.io.api.authentication.v1.BoundObjectReference")
proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1.ExtraValue")
proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1.SelfSubjectReview")
proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1.SelfSubjectReviewStatus")
proto.RegisterType((*TokenRequest)(nil), "k8s.io.api.authentication.v1.TokenRequest")
proto.RegisterType((*TokenRequestSpec)(nil), "k8s.io.api.authentication.v1.TokenRequestSpec")
proto.RegisterType((*TokenRequestStatus)(nil), "k8s.io.api.authentication.v1.TokenRequestStatus")
@ -316,64 +374,67 @@ func init() {
}
var fileDescriptor_2953ea822e7ffe1e = []byte{
// 907 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44,
0x14, 0x8e, 0xf3, 0xa3, 0x4a, 0x26, 0xdb, 0xd2, 0xce, 0xb2, 0x52, 0x54, 0x96, 0xa4, 0x78, 0x25,
0x54, 0x01, 0x6b, 0x6f, 0x23, 0x04, 0xab, 0x45, 0x42, 0xaa, 0x69, 0x04, 0x11, 0x82, 0x5d, 0xcd,
0x6e, 0x0b, 0xe2, 0xc4, 0xc4, 0x7e, 0x4d, 0x87, 0xe0, 0xb1, 0xb1, 0xc7, 0x61, 0x73, 0xdb, 0x3f,
0x81, 0x23, 0x48, 0x1c, 0xf8, 0x23, 0x90, 0xf8, 0x17, 0x7a, 0x5c, 0x71, 0xea, 0x01, 0x45, 0xd4,
0x5c, 0x39, 0x72, 0xe2, 0x84, 0x66, 0x3c, 0xad, 0xe3, 0xa4, 0x4d, 0x73, 0xe2, 0x96, 0x79, 0xef,
0x7b, 0xdf, 0xbc, 0xf7, 0xcd, 0xe7, 0x99, 0xa0, 0xde, 0xe8, 0x61, 0x6c, 0xb1, 0xc0, 0x1e, 0x25,
0x03, 0x88, 0x38, 0x08, 0x88, 0xed, 0x31, 0x70, 0x2f, 0x88, 0x6c, 0x9d, 0xa0, 0x21, 0xb3, 0x69,
0x22, 0x4e, 0x80, 0x0b, 0xe6, 0x52, 0xc1, 0x02, 0x6e, 0x8f, 0xf7, 0xec, 0x21, 0x70, 0x88, 0xa8,
0x00, 0xcf, 0x0a, 0xa3, 0x40, 0x04, 0xf8, 0x6e, 0x86, 0xb6, 0x68, 0xc8, 0xac, 0x22, 0xda, 0x1a,
0xef, 0x6d, 0xdf, 0x1f, 0x32, 0x71, 0x92, 0x0c, 0x2c, 0x37, 0xf0, 0xed, 0x61, 0x30, 0x0c, 0x6c,
0x55, 0x34, 0x48, 0x8e, 0xd5, 0x4a, 0x2d, 0xd4, 0xaf, 0x8c, 0x6c, 0xfb, 0xdd, 0x7c, 0x6b, 0x9f,
0xba, 0x27, 0x8c, 0x43, 0x34, 0xb1, 0xc3, 0xd1, 0x50, 0x06, 0x62, 0xdb, 0x07, 0x41, 0xaf, 0x68,
0x61, 0xdb, 0xbe, 0xae, 0x2a, 0x4a, 0xb8, 0x60, 0x3e, 0x2c, 0x14, 0xbc, 0x77, 0x53, 0x41, 0xec,
0x9e, 0x80, 0x4f, 0xe7, 0xeb, 0xcc, 0xdf, 0x0d, 0xf4, 0xaa, 0x13, 0x24, 0xdc, 0x7b, 0x3c, 0xf8,
0x06, 0x5c, 0x41, 0xe0, 0x18, 0x22, 0xe0, 0x2e, 0xe0, 0x1d, 0x54, 0x1d, 0x31, 0xee, 0xb5, 0x8c,
0x1d, 0x63, 0xb7, 0xe1, 0xdc, 0x3a, 0x9d, 0x76, 0x4a, 0xe9, 0xb4, 0x53, 0xfd, 0x94, 0x71, 0x8f,
0xa8, 0x0c, 0xee, 0x22, 0x44, 0x43, 0x76, 0x04, 0x51, 0xcc, 0x02, 0xde, 0x2a, 0x2b, 0x1c, 0xd6,
0x38, 0xb4, 0xff, 0xa4, 0xaf, 0x33, 0x64, 0x06, 0x25, 0x59, 0x39, 0xf5, 0xa1, 0x55, 0x29, 0xb2,
0x7e, 0x4e, 0x7d, 0x20, 0x2a, 0x83, 0x1d, 0x54, 0x49, 0xfa, 0x07, 0xad, 0xaa, 0x02, 0x3c, 0xd0,
0x80, 0xca, 0x61, 0xff, 0xe0, 0xdf, 0x69, 0xe7, 0x8d, 0xeb, 0x86, 0x14, 0x93, 0x10, 0x62, 0xeb,
0xb0, 0x7f, 0x40, 0x64, 0xb1, 0xf9, 0x3e, 0x42, 0xbd, 0xe7, 0x22, 0xa2, 0x47, 0xf4, 0xdb, 0x04,
0x70, 0x07, 0xd5, 0x98, 0x00, 0x3f, 0x6e, 0x19, 0x3b, 0x95, 0xdd, 0x86, 0xd3, 0x48, 0xa7, 0x9d,
0x5a, 0x5f, 0x06, 0x48, 0x16, 0x7f, 0x54, 0xff, 0xf1, 0x97, 0x4e, 0xe9, 0xc5, 0x1f, 0x3b, 0x25,
0xf3, 0xe7, 0x32, 0xba, 0xf5, 0x2c, 0x18, 0x01, 0x27, 0xf0, 0x5d, 0x02, 0xb1, 0xc0, 0x5f, 0xa3,
0xba, 0x3c, 0x22, 0x8f, 0x0a, 0xaa, 0x94, 0x68, 0x76, 0x1f, 0x58, 0xb9, 0x3b, 0x2e, 0x9b, 0xb0,
0xc2, 0xd1, 0x50, 0x06, 0x62, 0x4b, 0xa2, 0xad, 0xf1, 0x9e, 0x95, 0xc9, 0xf9, 0x19, 0x08, 0x9a,
0x6b, 0x92, 0xc7, 0xc8, 0x25, 0x2b, 0x7e, 0x82, 0xaa, 0x71, 0x08, 0xae, 0xd2, 0xaf, 0xd9, 0xb5,
0xac, 0x65, 0xde, 0xb3, 0x66, 0x7b, 0x7b, 0x1a, 0x82, 0x9b, 0x2b, 0x28, 0x57, 0x44, 0x31, 0xe1,
0x2f, 0xd1, 0x5a, 0x2c, 0xa8, 0x48, 0x62, 0xa5, 0x72, 0xb1, 0xe3, 0x9b, 0x38, 0x55, 0x9d, 0xb3,
0xa1, 0x59, 0xd7, 0xb2, 0x35, 0xd1, 0x7c, 0xe6, 0x3f, 0x06, 0xda, 0x9c, 0x6f, 0x01, 0xbf, 0x8d,
0x1a, 0x34, 0xf1, 0x98, 0x34, 0xcd, 0x85, 0xc4, 0xeb, 0xe9, 0xb4, 0xd3, 0xd8, 0xbf, 0x08, 0x92,
0x3c, 0x8f, 0x3f, 0x42, 0x5b, 0xf0, 0x3c, 0x64, 0x91, 0xda, 0xfd, 0x29, 0xb8, 0x01, 0xf7, 0x62,
0x75, 0xd6, 0x15, 0xe7, 0x4e, 0x3a, 0xed, 0x6c, 0xf5, 0xe6, 0x93, 0x64, 0x11, 0x8f, 0x39, 0xda,
0x18, 0x14, 0x2c, 0xab, 0x07, 0xed, 0x2e, 0x1f, 0xf4, 0x2a, 0x9b, 0x3b, 0x38, 0x9d, 0x76, 0x36,
0x8a, 0x19, 0x32, 0xc7, 0x6e, 0xfe, 0x6a, 0x20, 0xbc, 0xa8, 0x12, 0xbe, 0x87, 0x6a, 0x42, 0x46,
0xf5, 0x27, 0xb2, 0xae, 0x45, 0xab, 0x65, 0xd0, 0x2c, 0x87, 0x27, 0xe8, 0x76, 0x3e, 0xc0, 0x33,
0xe6, 0x43, 0x2c, 0xa8, 0x1f, 0xea, 0xd3, 0x7e, 0x6b, 0x35, 0x2f, 0xc9, 0x32, 0xe7, 0x35, 0x4d,
0x7f, 0xbb, 0xb7, 0x48, 0x47, 0xae, 0xda, 0xc3, 0xfc, 0xa9, 0x8c, 0x9a, 0xba, 0xed, 0x31, 0x83,
0xef, 0xff, 0x07, 0x2f, 0x3f, 0x2e, 0x78, 0xf9, 0xfe, 0x4a, 0xbe, 0x93, 0xad, 0x5d, 0x6b, 0xe5,
0x2f, 0xe6, 0xac, 0x6c, 0xaf, 0x4e, 0xb9, 0xdc, 0xc9, 0x2e, 0x7a, 0x65, 0x6e, 0xff, 0xd5, 0x8e,
0xb3, 0x60, 0xf6, 0xf2, 0x72, 0xb3, 0x9b, 0x7f, 0x1b, 0x68, 0x6b, 0xa1, 0x25, 0xfc, 0x01, 0x5a,
0x9f, 0xe9, 0x1c, 0xb2, 0x1b, 0xb6, 0xee, 0xdc, 0xd1, 0xfb, 0xad, 0xef, 0xcf, 0x26, 0x49, 0x11,
0x8b, 0x3f, 0x41, 0xd5, 0x24, 0x86, 0x48, 0x2b, 0xfc, 0xe6, 0x72, 0x39, 0x0e, 0x63, 0x88, 0xfa,
0xfc, 0x38, 0xc8, 0xa5, 0x95, 0x11, 0xa2, 0x18, 0x8a, 0x93, 0x54, 0x6f, 0xf8, 0x6c, 0xef, 0xa1,
0x1a, 0x44, 0x51, 0x10, 0xe9, 0x7b, 0xfb, 0x52, 0x9b, 0x9e, 0x0c, 0x92, 0x2c, 0x67, 0xfe, 0x56,
0x46, 0xf5, 0x8b, 0x2d, 0xf1, 0x3b, 0xa8, 0x2e, 0xb7, 0x51, 0x97, 0x7d, 0x26, 0xe8, 0xa6, 0x2e,
0x52, 0x18, 0x19, 0x27, 0x97, 0x08, 0xfc, 0x3a, 0xaa, 0x24, 0xcc, 0xd3, 0x6f, 0x48, 0x73, 0xe6,
0xd2, 0x27, 0x32, 0x8e, 0x4d, 0xb4, 0x36, 0x8c, 0x82, 0x24, 0x94, 0x36, 0x90, 0x8d, 0x22, 0x79,
0xa2, 0x1f, 0xab, 0x08, 0xd1, 0x19, 0x7c, 0x84, 0x6a, 0x20, 0xef, 0x7c, 0x35, 0x4b, 0xb3, 0xbb,
0xb7, 0x9a, 0x34, 0x96, 0x7a, 0x27, 0x7a, 0x5c, 0x44, 0x93, 0x99, 0xa9, 0x64, 0x8c, 0x64, 0x74,
0xdb, 0x03, 0xfd, 0x96, 0x28, 0x0c, 0xde, 0x44, 0x95, 0x11, 0x4c, 0xb2, 0x89, 0x88, 0xfc, 0x89,
0x3f, 0x44, 0xb5, 0xb1, 0x7c, 0x66, 0xf4, 0x91, 0xec, 0x2e, 0xdf, 0x37, 0x7f, 0x96, 0x48, 0x56,
0xf6, 0xa8, 0xfc, 0xd0, 0x70, 0x9c, 0xd3, 0xf3, 0x76, 0xe9, 0xe5, 0x79, 0xbb, 0x74, 0x76, 0xde,
0x2e, 0xbd, 0x48, 0xdb, 0xc6, 0x69, 0xda, 0x36, 0x5e, 0xa6, 0x6d, 0xe3, 0x2c, 0x6d, 0x1b, 0x7f,
0xa6, 0x6d, 0xe3, 0x87, 0xbf, 0xda, 0xa5, 0xaf, 0xee, 0x2e, 0xfb, 0x13, 0xf3, 0x5f, 0x00, 0x00,
0x00, 0xff, 0xff, 0x12, 0xb8, 0x31, 0x91, 0xfc, 0x08, 0x00, 0x00,
// 958 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4b, 0x6f, 0x23, 0x45,
0x10, 0xf6, 0xf8, 0x11, 0xd9, 0xe5, 0x4d, 0x48, 0x7a, 0x59, 0x61, 0x85, 0xc5, 0x0e, 0xb3, 0x12,
0x8a, 0x80, 0x9d, 0xd9, 0x58, 0x3c, 0x56, 0x8b, 0x84, 0x94, 0x21, 0x16, 0x58, 0x08, 0x76, 0xd5,
0x4e, 0x02, 0x42, 0x42, 0xa2, 0x3d, 0xae, 0x38, 0x83, 0x77, 0x1e, 0xcc, 0xf4, 0x98, 0xf5, 0x6d,
0x7f, 0x02, 0x47, 0x90, 0x38, 0xf0, 0x23, 0x90, 0xf8, 0x0b, 0x39, 0xae, 0x10, 0x87, 0x3d, 0x20,
0x8b, 0x0c, 0x57, 0x8e, 0x9c, 0x38, 0xa1, 0xee, 0xe9, 0xf8, 0x99, 0x4c, 0x7c, 0xda, 0x9b, 0xa7,
0x1e, 0x5f, 0x55, 0x7d, 0x55, 0x5d, 0x65, 0x68, 0x0d, 0xee, 0x47, 0x86, 0xe3, 0x9b, 0x83, 0xb8,
0x8b, 0xa1, 0x87, 0x1c, 0x23, 0x73, 0x88, 0x5e, 0xcf, 0x0f, 0x4d, 0xa5, 0x60, 0x81, 0x63, 0xb2,
0x98, 0x9f, 0xa2, 0xc7, 0x1d, 0x9b, 0x71, 0xc7, 0xf7, 0xcc, 0xe1, 0x9e, 0xd9, 0x47, 0x0f, 0x43,
0xc6, 0xb1, 0x67, 0x04, 0xa1, 0xcf, 0x7d, 0x72, 0x3b, 0xb5, 0x36, 0x58, 0xe0, 0x18, 0xf3, 0xd6,
0xc6, 0x70, 0x6f, 0xfb, 0x6e, 0xdf, 0xe1, 0xa7, 0x71, 0xd7, 0xb0, 0x7d, 0xd7, 0xec, 0xfb, 0x7d,
0xdf, 0x94, 0x4e, 0xdd, 0xf8, 0x44, 0x7e, 0xc9, 0x0f, 0xf9, 0x2b, 0x05, 0xdb, 0x7e, 0x67, 0x1a,
0xda, 0x65, 0xf6, 0xa9, 0xe3, 0x61, 0x38, 0x32, 0x83, 0x41, 0x5f, 0x08, 0x22, 0xd3, 0x45, 0xce,
0x2e, 0x49, 0x61, 0xdb, 0xbc, 0xca, 0x2b, 0x8c, 0x3d, 0xee, 0xb8, 0xb8, 0xe4, 0xf0, 0xde, 0x75,
0x0e, 0x91, 0x7d, 0x8a, 0x2e, 0x5b, 0xf4, 0xd3, 0x7f, 0xd7, 0xe0, 0x65, 0xcb, 0x8f, 0xbd, 0xde,
0xc3, 0xee, 0xb7, 0x68, 0x73, 0x8a, 0x27, 0x18, 0xa2, 0x67, 0x23, 0xd9, 0x81, 0xe2, 0xc0, 0xf1,
0x7a, 0x35, 0x6d, 0x47, 0xdb, 0xad, 0x58, 0x37, 0xce, 0xc6, 0x8d, 0x5c, 0x32, 0x6e, 0x14, 0x3f,
0x75, 0xbc, 0x1e, 0x95, 0x1a, 0xd2, 0x04, 0x60, 0x81, 0x73, 0x8c, 0x61, 0xe4, 0xf8, 0x5e, 0x2d,
0x2f, 0xed, 0x88, 0xb2, 0x83, 0xfd, 0x47, 0x6d, 0xa5, 0xa1, 0x33, 0x56, 0x02, 0xd5, 0x63, 0x2e,
0xd6, 0x0a, 0xf3, 0xa8, 0x9f, 0x33, 0x17, 0xa9, 0xd4, 0x10, 0x0b, 0x0a, 0x71, 0xfb, 0xa0, 0x56,
0x94, 0x06, 0xf7, 0x94, 0x41, 0xe1, 0xa8, 0x7d, 0xf0, 0xdf, 0xb8, 0xf1, 0xfa, 0x55, 0x45, 0xf2,
0x51, 0x80, 0x91, 0x71, 0xd4, 0x3e, 0xa0, 0xc2, 0x59, 0x7f, 0x1f, 0xa0, 0xf5, 0x84, 0x87, 0xec,
0x98, 0x3d, 0x8e, 0x91, 0x34, 0xa0, 0xe4, 0x70, 0x74, 0xa3, 0x9a, 0xb6, 0x53, 0xd8, 0xad, 0x58,
0x95, 0x64, 0xdc, 0x28, 0xb5, 0x85, 0x80, 0xa6, 0xf2, 0x07, 0xe5, 0x1f, 0x7f, 0x69, 0xe4, 0x9e,
0xfe, 0xb9, 0x93, 0xd3, 0xff, 0xd0, 0x60, 0xab, 0x83, 0x8f, 0x4f, 0x3a, 0xb1, 0x62, 0x63, 0xe8,
0xe0, 0xf7, 0xe4, 0x1b, 0x28, 0x8b, 0x3e, 0xf5, 0x18, 0x67, 0x92, 0x8e, 0x6a, 0xf3, 0x9e, 0x31,
0x1d, 0x91, 0x49, 0x26, 0x46, 0x30, 0xe8, 0x0b, 0x41, 0x64, 0x08, 0x6b, 0x63, 0xb8, 0x67, 0xa4,
0x9c, 0x7e, 0x86, 0x9c, 0x4d, 0x89, 0x99, 0xca, 0xe8, 0x04, 0x95, 0x7c, 0x0d, 0x6b, 0x11, 0x67,
0x3c, 0x8e, 0x24, 0x8d, 0xd5, 0xe6, 0xbb, 0x46, 0xd6, 0x08, 0x1a, 0x4b, 0x29, 0x76, 0xa4, 0xb3,
0xb5, 0xa1, 0x82, 0xac, 0xa5, 0xdf, 0x54, 0x81, 0xea, 0x3e, 0xbc, 0x72, 0x85, 0x0b, 0x39, 0x84,
0x72, 0x1c, 0x61, 0xd8, 0xf6, 0x4e, 0x7c, 0x55, 0xdb, 0x1b, 0xd9, 0xb1, 0x8f, 0x94, 0xb5, 0xb5,
0xa9, 0x82, 0x95, 0x2f, 0x24, 0x74, 0x82, 0xa4, 0xff, 0x9c, 0x87, 0x1b, 0x87, 0xfe, 0x00, 0x3d,
0x8a, 0xdf, 0xc5, 0x18, 0xf1, 0x17, 0x40, 0xe1, 0x23, 0x28, 0x46, 0x01, 0xda, 0x8a, 0x40, 0x23,
0xbb, 0x88, 0xd9, 0xdc, 0x3a, 0x01, 0xda, 0xd3, 0x49, 0x14, 0x5f, 0x54, 0x22, 0x91, 0x2f, 0x27,
0x4d, 0x29, 0x2c, 0x65, 0x7c, 0x1d, 0x66, 0x76, 0x3f, 0xfe, 0xd5, 0x60, 0x73, 0x31, 0x05, 0xf2,
0x16, 0x54, 0x58, 0xdc, 0x73, 0xc4, 0xe3, 0xbb, 0x18, 0xd5, 0xf5, 0x64, 0xdc, 0xa8, 0xec, 0x5f,
0x08, 0xe9, 0x54, 0x4f, 0x3e, 0x82, 0x2d, 0x7c, 0x12, 0x38, 0xa1, 0x8c, 0xde, 0x41, 0xdb, 0xf7,
0x7a, 0x91, 0x7c, 0x33, 0x05, 0xeb, 0x56, 0x32, 0x6e, 0x6c, 0xb5, 0x16, 0x95, 0x74, 0xd9, 0x9e,
0x78, 0xb0, 0xd1, 0x9d, 0x7b, 0xfa, 0xaa, 0xd0, 0x66, 0x76, 0xa1, 0x97, 0xad, 0x0b, 0x8b, 0x24,
0xe3, 0xc6, 0xc6, 0xbc, 0x86, 0x2e, 0xa0, 0xeb, 0xbf, 0x6a, 0x40, 0x96, 0x59, 0x22, 0x77, 0xa0,
0xc4, 0x85, 0x54, 0xad, 0x9a, 0x75, 0x45, 0x5a, 0x29, 0x35, 0x4d, 0x75, 0x64, 0x04, 0x37, 0xa7,
0x05, 0x1c, 0x3a, 0x2e, 0x46, 0x9c, 0xb9, 0x81, 0xea, 0xf6, 0x9b, 0xab, 0xcd, 0x92, 0x70, 0xb3,
0x5e, 0x55, 0xf0, 0x37, 0x5b, 0xcb, 0x70, 0xf4, 0xb2, 0x18, 0xfa, 0x4f, 0x79, 0xa8, 0xaa, 0xb4,
0x5f, 0xd0, 0x3a, 0x78, 0x38, 0x37, 0xcb, 0x77, 0x57, 0x9a, 0x3b, 0xf9, 0xa6, 0xaf, 0x1a, 0xe5,
0x2f, 0x16, 0x46, 0xd9, 0x5c, 0x1d, 0x32, 0x7b, 0x92, 0x6d, 0x78, 0x69, 0x21, 0xfe, 0x6a, 0xed,
0x9c, 0x1b, 0xf6, 0x7c, 0xf6, 0xb0, 0xeb, 0xff, 0x68, 0xb0, 0xb5, 0x94, 0x12, 0xf9, 0x00, 0xd6,
0x67, 0x32, 0xc7, 0xf4, 0x52, 0x95, 0xad, 0x5b, 0x2a, 0xde, 0xfa, 0xfe, 0xac, 0x92, 0xce, 0xdb,
0x92, 0x4f, 0xa0, 0x28, 0x96, 0x95, 0x62, 0x78, 0xd5, 0x95, 0x37, 0xa1, 0x56, 0x48, 0xa8, 0x44,
0x98, 0xaf, 0xa4, 0x78, 0xcd, 0xb3, 0xbd, 0x03, 0x25, 0x0c, 0x43, 0x3f, 0x54, 0xf7, 0x6f, 0xc2,
0x4d, 0x4b, 0x08, 0x69, 0xaa, 0xd3, 0x7f, 0xcb, 0xc3, 0x64, 0xa7, 0x92, 0xb7, 0xd3, 0xfd, 0x2c,
0x8f, 0x66, 0x4a, 0xe8, 0xdc, 0xde, 0x15, 0x72, 0x3a, 0xb1, 0x20, 0xaf, 0x41, 0x21, 0x76, 0x7a,
0xea, 0x16, 0x57, 0x67, 0x8e, 0x27, 0x15, 0x72, 0xa2, 0xc3, 0x5a, 0x3f, 0xf4, 0xe3, 0x40, 0x8c,
0x81, 0x48, 0x14, 0x44, 0x47, 0x3f, 0x96, 0x12, 0xaa, 0x34, 0xe4, 0x18, 0x4a, 0x28, 0x6e, 0xa7,
0xac, 0xa5, 0xda, 0xdc, 0x5b, 0x8d, 0x1a, 0x43, 0xde, 0xdb, 0x96, 0xc7, 0xc3, 0xd1, 0x4c, 0x55,
0x42, 0x46, 0x53, 0xb8, 0xed, 0xae, 0xba, 0xc9, 0xd2, 0x86, 0x6c, 0x42, 0x61, 0x80, 0xa3, 0xb4,
0x22, 0x2a, 0x7e, 0x92, 0x0f, 0xa1, 0x34, 0x14, 0xe7, 0x5a, 0xb5, 0x64, 0x37, 0x3b, 0xee, 0xf4,
0xbc, 0xd3, 0xd4, 0xed, 0x41, 0xfe, 0xbe, 0x66, 0x59, 0x67, 0xe7, 0xf5, 0xdc, 0xb3, 0xf3, 0x7a,
0xee, 0xf9, 0x79, 0x3d, 0xf7, 0x34, 0xa9, 0x6b, 0x67, 0x49, 0x5d, 0x7b, 0x96, 0xd4, 0xb5, 0xe7,
0x49, 0x5d, 0xfb, 0x2b, 0xa9, 0x6b, 0x3f, 0xfc, 0x5d, 0xcf, 0x7d, 0x75, 0x3b, 0xeb, 0xcf, 0xe0,
0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0x0d, 0x9a, 0x38, 0x17, 0x44, 0x0a, 0x00, 0x00,
}
func (m *BoundObjectReference) Marshal() (dAtA []byte, err error) {
@ -451,6 +512,82 @@ func (m ExtraValue) MarshalToSizedBuffer(dAtA []byte) (int, error) {
return len(dAtA) - i, nil
}
func (m *SelfSubjectReview) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *SelfSubjectReview) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *SelfSubjectReview) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
{
size, err := m.Status.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x12
{
size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func (m *SelfSubjectReviewStatus) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
n, err := m.MarshalToSizedBuffer(dAtA[:size])
if err != nil {
return nil, err
}
return dAtA[:n], nil
}
func (m *SelfSubjectReviewStatus) MarshalTo(dAtA []byte) (int, error) {
size := m.Size()
return m.MarshalToSizedBuffer(dAtA[:size])
}
func (m *SelfSubjectReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i := len(dAtA)
_ = i
var l int
_ = l
{
size, err := m.UserInfo.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintGenerated(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0xa
return len(dAtA) - i, nil
}
func (m *TokenRequest) Marshal() (dAtA []byte, err error) {
size := m.Size()
dAtA = make([]byte, size)
@ -850,6 +987,30 @@ func (m ExtraValue) Size() (n int) {
return n
}
func (m *SelfSubjectReview) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.ObjectMeta.Size()
n += 1 + l + sovGenerated(uint64(l))
l = m.Status.Size()
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *SelfSubjectReviewStatus) Size() (n int) {
if m == nil {
return 0
}
var l int
_ = l
l = m.UserInfo.Size()
n += 1 + l + sovGenerated(uint64(l))
return n
}
func (m *TokenRequest) Size() (n int) {
if m == nil {
return 0
@ -999,6 +1160,27 @@ func (this *BoundObjectReference) String() string {
}, "")
return s
}
func (this *SelfSubjectReview) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&SelfSubjectReview{`,
`ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`,
`Status:` + strings.Replace(strings.Replace(this.Status.String(), "SelfSubjectReviewStatus", "SelfSubjectReviewStatus", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
}
func (this *SelfSubjectReviewStatus) String() string {
if this == nil {
return "nil"
}
s := strings.Join([]string{`&SelfSubjectReviewStatus{`,
`UserInfo:` + strings.Replace(strings.Replace(this.UserInfo.String(), "UserInfo", "UserInfo", 1), `&`, ``, 1) + `,`,
`}`,
}, "")
return s
}
func (this *TokenRequest) String() string {
if this == nil {
return "nil"
@ -1361,6 +1543,205 @@ func (m *ExtraValue) Unmarshal(dAtA []byte) error {
}
return nil
}
func (m *SelfSubjectReview) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: SelfSubjectReview: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: SelfSubjectReview: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
case 2:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *SelfSubjectReviewStatus) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0
for iNdEx < l {
preIndex := iNdEx
var wire uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
wire |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
fieldNum := int32(wire >> 3)
wireType := int(wire & 0x7)
if wireType == 4 {
return fmt.Errorf("proto: SelfSubjectReviewStatus: wiretype end group for non-group")
}
if fieldNum <= 0 {
return fmt.Errorf("proto: SelfSubjectReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire)
}
switch fieldNum {
case 1:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field UserInfo", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if err := m.UserInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
if err != nil {
return err
}
if (skippy < 0) || (iNdEx+skippy) < 0 {
return ErrInvalidLengthGenerated
}
if (iNdEx + skippy) > l {
return io.ErrUnexpectedEOF
}
iNdEx += skippy
}
}
if iNdEx > l {
return io.ErrUnexpectedEOF
}
return nil
}
func (m *TokenRequest) Unmarshal(dAtA []byte) error {
l := len(dAtA)
iNdEx := 0

20
staging/src/k8s.io/api/authentication/v1/generated.proto
View File

@ -56,6 +56,26 @@ message ExtraValue {
repeated string items = 1;
}
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
message SelfSubjectReview {
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Status is filled in by the server with the user attributes.
optional SelfSubjectReviewStatus status = 2;
}
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
message SelfSubjectReviewStatus {
// User attributes of the user making this request.
// +optional
optional UserInfo userInfo = 1;
}
// TokenRequest requests a token for a given service account.
message TokenRequest {
// Standard object's metadata.

1
staging/src/k8s.io/api/authentication/v1/register.go
View File

@ -46,6 +46,7 @@ func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(SchemeGroupVersion,
&TokenReview{},
&TokenRequest{},
&SelfSubjectReview{},
)
metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
return nil

25
staging/src/k8s.io/api/authentication/v1/types.go
View File

@ -197,3 +197,28 @@ type BoundObjectReference struct {
// +optional
UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID"`
}
// +genclient
// +genclient:nonNamespaced
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
type SelfSubjectReview struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Status is filled in by the server with the user attributes.
Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
type SelfSubjectReviewStatus struct {
// User attributes of the user making this request.
// +optional
UserInfo UserInfo `json:"userInfo,omitempty" protobuf:"bytes,1,opt,name=userInfo"`
}

19
staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go generated
View File

@ -39,6 +39,25 @@ func (BoundObjectReference) SwaggerDoc() map[string]string {
return map_BoundObjectReference
}
var map_SelfSubjectReview = map[string]string{
"": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.",
"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",
"status": "Status is filled in by the server with the user attributes.",
}
func (SelfSubjectReview) SwaggerDoc() map[string]string {
return map_SelfSubjectReview
}
var map_SelfSubjectReviewStatus = map[string]string{
"": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.",
"userInfo": "User attributes of the user making this request.",
}
func (SelfSubjectReviewStatus) SwaggerDoc() map[string]string {
return map_SelfSubjectReviewStatus
}
var map_TokenRequest = map[string]string{
"": "TokenRequest requests a token for a given service account.",
"metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata",

44
staging/src/k8s.io/api/authentication/v1/zz_generated.deepcopy.go generated
View File

@ -61,6 +61,50 @@ func (in ExtraValue) DeepCopy() ExtraValue {
return *out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReview) DeepCopyInto(out *SelfSubjectReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReview.
func (in *SelfSubjectReview) DeepCopy() *SelfSubjectReview {
if in == nil {
return nil
}
out := new(SelfSubjectReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *SelfSubjectReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SelfSubjectReviewStatus) DeepCopyInto(out *SelfSubjectReviewStatus) {
*out = *in
in.UserInfo.DeepCopyInto(&out.UserInfo)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReviewStatus.
func (in *SelfSubjectReviewStatus) DeepCopy() *SelfSubjectReviewStatus {
if in == nil {
return nil
}
out := new(SelfSubjectReviewStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TokenRequest) DeepCopyInto(out *TokenRequest) {
*out = *in

60
staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.json vendored Normal file
View File

@ -0,0 +1,60 @@
{
"kind": "SelfSubjectReview",
"apiVersion": "authentication.k8s.io/v1",
"metadata": {
"name": "nameValue",
"generateName": "generateNameValue",
"namespace": "namespaceValue",
"selfLink": "selfLinkValue",
"uid": "uidValue",
"resourceVersion": "resourceVersionValue",
"generation": 7,
"creationTimestamp": "2008-01-01T01:01:01Z",
"deletionTimestamp": "2009-01-01T01:01:01Z",
"deletionGracePeriodSeconds": 10,
"labels": {
"labelsKey": "labelsValue"
},
"annotations": {
"annotationsKey": "annotationsValue"
},
"ownerReferences": [
{
"apiVersion": "apiVersionValue",
"kind": "kindValue",
"name": "nameValue",
"uid": "uidValue",
"controller": true,
"blockOwnerDeletion": true
}
],
"finalizers": [
"finalizersValue"
],
"managedFields": [
{
"manager": "managerValue",
"operation": "operationValue",
"apiVersion": "apiVersionValue",
"time": "2004-01-01T01:01:01Z",
"fieldsType": "fieldsTypeValue",
"fieldsV1": {},
"subresource": "subresourceValue"
}
]
},
"status": {
"userInfo": {
"username": "usernameValue",
"uid": "uidValue",
"groups": [
"groupsValue"
],
"extra": {
"extraKey": [
"extraValue"
]
}
}
}
}

BIN
staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.pb vendored Normal file
View File

Binary file not shown.

43
staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.yaml vendored Normal file
View File

@ -0,0 +1,43 @@
apiVersion: authentication.k8s.io/v1
kind: SelfSubjectReview
metadata:
annotations:
annotationsKey: annotationsValue
creationTimestamp: "2008-01-01T01:01:01Z"
deletionGracePeriodSeconds: 10
deletionTimestamp: "2009-01-01T01:01:01Z"
finalizers:
- finalizersValue
generateName: generateNameValue
generation: 7
labels:
labelsKey: labelsValue
managedFields:
- apiVersion: apiVersionValue
fieldsType: fieldsTypeValue
fieldsV1: {}
manager: managerValue
operation: operationValue
subresource: subresourceValue
time: "2004-01-01T01:01:01Z"
name: nameValue
namespace: namespaceValue
ownerReferences:
- apiVersion: apiVersionValue
blockOwnerDeletion: true
controller: true
kind: kindValue
name: nameValue
uid: uidValue
resourceVersion: resourceVersionValue
selfLink: selfLinkValue
uid: uidValue
status:
userInfo:
extra:
extraKey:
- extraValue
groups:
- groupsValue
uid: uidValue
username: usernameValue

5
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go
View File

@ -28,6 +28,7 @@ import (
type AuthenticationV1Interface interface {
RESTClient() rest.Interface
SelfSubjectReviewsGetter
TokenReviewsGetter
}
@ -36,6 +37,10 @@ type AuthenticationV1Client struct {
restClient rest.Interface
}
func (c *AuthenticationV1Client) SelfSubjectReviews() SelfSubjectReviewInterface {
return newSelfSubjectReviews(c)
}
func (c *AuthenticationV1Client) TokenReviews() TokenReviewInterface {
return newTokenReviews(c)
}

4
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_authentication_client.go
View File

@ -28,6 +28,10 @@ type FakeAuthenticationV1 struct {
*testing.Fake
}
func (c *FakeAuthenticationV1) SelfSubjectReviews() v1.SelfSubjectReviewInterface {
return &FakeSelfSubjectReviews{c}
}
func (c *FakeAuthenticationV1) TokenReviews() v1.TokenReviewInterface {
return &FakeTokenReviews{c}
}

46
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_selfsubjectreview.go Normal file
View File

@ -0,0 +1,46 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package fake
import (
"context"
v1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
testing "k8s.io/client-go/testing"
)
// FakeSelfSubjectReviews implements SelfSubjectReviewInterface
type FakeSelfSubjectReviews struct {
Fake *FakeAuthenticationV1
}
var selfsubjectreviewsResource = v1.SchemeGroupVersion.WithResource("selfsubjectreviews")
var selfsubjectreviewsKind = v1.SchemeGroupVersion.WithKind("SelfSubjectReview")
// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any.
func (c *FakeSelfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (result *v1.SelfSubjectReview, err error) {
obj, err := c.Fake.
Invokes(testing.NewRootCreateAction(selfsubjectreviewsResource, selfSubjectReview), &v1.SelfSubjectReview{})
if obj == nil {
return nil, err
}
return obj.(*v1.SelfSubjectReview), err
}

2
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go
View File

@ -18,4 +18,6 @@ limitations under the License.
package v1
type SelfSubjectReviewExpansion interface{}
type TokenReviewExpansion interface{}

64
staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/selfsubjectreview.go Normal file
View File

@ -0,0 +1,64 @@
/*
Copyright The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Code generated by client-gen. DO NOT EDIT.
package v1
import (
"context"
v1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
scheme "k8s.io/client-go/kubernetes/scheme"
rest "k8s.io/client-go/rest"
)
// SelfSubjectReviewsGetter has a method to return a SelfSubjectReviewInterface.
// A group's client should implement this interface.
type SelfSubjectReviewsGetter interface {
SelfSubjectReviews() SelfSubjectReviewInterface
}
// SelfSubjectReviewInterface has methods to work with SelfSubjectReview resources.
type SelfSubjectReviewInterface interface {
Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (*v1.SelfSubjectReview, error)
SelfSubjectReviewExpansion
}
// selfSubjectReviews implements SelfSubjectReviewInterface
type selfSubjectReviews struct {
client rest.Interface
}
// newSelfSubjectReviews returns a SelfSubjectReviews
func newSelfSubjectReviews(c *AuthenticationV1Client) *selfSubjectReviews {
return &selfSubjectReviews{
client: c.RESTClient(),
}
}
// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any.
func (c *selfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (result *v1.SelfSubjectReview, err error) {
result = &v1.SelfSubjectReview{}
err = c.client.Post().
Resource("selfsubjectreviews").
VersionedParams(&opts, scheme.ParameterCodec).
Body(selfSubjectReview).
Do(ctx).
Into(result)
return
}

25
staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go
View File

@ -32,6 +32,7 @@ import (
"k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/cli-runtime/pkg/genericiooptions"
"k8s.io/cli-runtime/pkg/printers"
authenticationv1client "k8s.io/client-go/kubernetes/typed/authentication/v1"
authenticationv1alpha1client "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1"
authenticationv1beta1client "k8s.io/client-go/kubernetes/typed/authentication/v1beta1"
cmdutil "k8s.io/kubectl/pkg/cmd/util"
@ -85,6 +86,11 @@ func (flags *WhoAmIFlags) ToOptions(ctx context.Context, args []string) (*WhoAmI
return nil, err
}
w.authV1Client, err = authenticationv1client.NewForConfig(clientConfig)
if err != nil {
return nil, err
}
if !flags.PrintFlags.OutputFlagSpecified() {
w.resourcePrinterFunc = printTableSelfSubjectAccessReview
} else {
@ -103,6 +109,7 @@ func (flags *WhoAmIFlags) ToOptions(ctx context.Context, args []string) (*WhoAmI
type WhoAmIOptions struct {
authV1alpha1Client authenticationv1alpha1client.AuthenticationV1alpha1Interface
authV1beta1Client authenticationv1beta1client.AuthenticationV1beta1Interface
authV1Client authenticationv1client.AuthenticationV1Interface
ctx context.Context
@ -166,14 +173,20 @@ func (o WhoAmIOptions) Run() error {
err error
)
res, err = o.authV1beta1Client.
res, err = o.authV1Client.
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil && errors.IsNotFound(err) {
// Fallback to Alpha API if Beta is not enabled
res, err = o.authV1alpha1Client.
// Fallback to Beta API if Beta is not enabled
res, err = o.authV1beta1Client.
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil && errors.IsNotFound(err) {
// Fallback to Alpha API if Beta is not enabled
res, err = o.authV1alpha1Client.
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
}
}
if err != nil {
switch {
@ -194,6 +207,8 @@ func getUserInfo(obj runtime.Object) (authenticationv1.UserInfo, error) {
return obj.(*authenticationv1alpha1.SelfSubjectReview).Status.UserInfo, nil
case *authenticationv1beta1.SelfSubjectReview:
return obj.(*authenticationv1beta1.SelfSubjectReview).Status.UserInfo, nil
case *authenticationv1.SelfSubjectReview:
return obj.(*authenticationv1.SelfSubjectReview).Status.UserInfo, nil
default:
return authenticationv1.UserInfo{}, fmt.Errorf("unexpected response type %T, expected SelfSubjectReview", obj)
}

46
staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go
View File

@ -38,12 +38,13 @@ import (
func TestWhoAmIRun(t *testing.T) {
tests := []struct {
name string
o *WhoAmIOptions
args []string
serverErr error
alphaDisabled bool
betaDisabled bool
name string
o *WhoAmIOptions
args []string
serverErr error
alphaDisabled bool
betaDisabled bool
stableDisabled bool
expectedError error
expectedBodyStrings []string
@ -73,7 +74,7 @@ func TestWhoAmIRun(t *testing.T) {
expectedBodyStrings: []string{
`{
"kind": "SelfSubjectReview",
"apiVersion": "authentication.k8s.io/v1beta1",
"apiVersion": "authentication.k8s.io/v1",
"metadata": {
"creationTimestamp": null
},
@ -119,12 +120,13 @@ func TestWhoAmIRun(t *testing.T) {
},
},
{
name: "JSON test no alpha",
name: "JSON test no alpha and stable",
o: &WhoAmIOptions{
resourcePrinterFunc: printers.NewTypeSetter(scheme.Scheme).ToPrinter(&printers.JSONPrinter{}).PrintObj,
},
args: []string{},
alphaDisabled: true,
args: []string{},
alphaDisabled: true,
stableDisabled: true,
expectedBodyStrings: []string{
`{
"kind": "SelfSubjectReview",
@ -183,7 +185,7 @@ func TestWhoAmIRun(t *testing.T) {
expectedBodyStrings: []string{
`{
"kind": "SelfSubjectReview",
"apiVersion": "authentication.k8s.io/v1alpha1",
"apiVersion": "authentication.k8s.io/v1",
"metadata": {
"creationTimestamp": null
},
@ -212,14 +214,15 @@ func TestWhoAmIRun(t *testing.T) {
},
},
{
name: "both API disabled",
name: "all API disabled",
o: &WhoAmIOptions{
resourcePrinterFunc: printTableSelfSubjectAccessReview,
},
args: []string{},
betaDisabled: true,
alphaDisabled: true,
expectedError: notEnabledErr,
args: []string{},
betaDisabled: true,
alphaDisabled: true,
stableDisabled: true,
expectedError: notEnabledErr,
},
{
name: "Forbidden error",
@ -304,12 +307,23 @@ func TestWhoAmIRun(t *testing.T) {
},
}
return true, res, nil
case "authentication.k8s.io/v1":
if test.stableDisabled {
return true, nil, errors.NewNotFound(corev1.Resource("selfsubjectreviews"), "foo")
}
res := &authenticationv1.SelfSubjectReview{
Status: authenticationv1.SelfSubjectReviewStatus{
UserInfo: ui,
},
}
return true, res, nil
default:
return false, nil, fmt.Errorf("unknown API")
}
})
test.o.authV1beta1Client = fakeAuthClientSet.AuthenticationV1beta1()
test.o.authV1alpha1Client = fakeAuthClientSet.AuthenticationV1alpha1()
test.o.authV1Client = fakeAuthClientSet.AuthenticationV1()
err := test.o.Run()
switch {

35
test/cmd/auth_whoami.sh Executable file
View File

@ -0,0 +1,35 @@
#!/usr/bin/env bash
# Copyright 2023 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -o errexit
set -o nounset
set -o pipefail
run_kubectl_auth_whoami_tests() {
set -o nounset
set -o errexit
kube::log::status "Testing kubectl auth whoami"
# Command
output_message=$(kubectl auth whoami -o json 2>&1)
# Post-condition: should return user attributes.
kube::test::if_has_string "${output_message}" '"kind": "SelfSubjectReview"'
set +o nounset
set +o errexit
}

8
test/cmd/legacy-script.sh
View File

@ -29,6 +29,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
# source "${KUBE_ROOT}/hack/lib/test.sh"
source "${KUBE_ROOT}/test/cmd/apply.sh"
source "${KUBE_ROOT}/test/cmd/apps.sh"
source "${KUBE_ROOT}/test/cmd/auth_whoami.sh"
source "${KUBE_ROOT}/test/cmd/authentication.sh"
source "${KUBE_ROOT}/test/cmd/authorization.sh"
source "${KUBE_ROOT}/test/cmd/batch.sh"
@ -98,6 +99,7 @@ replicasets="replicasets"
replicationcontrollers="replicationcontrollers"
roles="roles"
secrets="secrets"
selfsubjectreviews="selfsubjectreviews"
serviceaccounts="serviceaccounts"
services="services"
statefulsets="statefulsets"
@ -816,6 +818,10 @@ runTests() {
record_command run_exec_credentials_tests
record_command run_exec_credentials_interactive_tests
if kube::test::if_supports_resource "${selfsubjectreviews}" ; then
record_command run_kubectl_auth_whoami_tests
fi
########################
# authorization.k8s.io #
########################
@ -895,6 +901,8 @@ runTests() {
kubectl delete "${kube_flags[@]}" rolebindings,role,clusterroles,clusterrolebindings -n some-other-random -l test-cmd=auth
fi
#####################
# Retrieve multiple #
#####################

9
test/conformance/testdata/ineligible_endpoints.yaml vendored
View File

@ -246,13 +246,13 @@
link: https://github.com/kubernetes/kubernetes/issues/109379
- endpoint: deleteCoreV1CollectionNode
reason: Kubernetes distribution would reasonably not allow this action via the API
link: https://github.com/kubernetes/kubernetes/issues/109379
link: https://github.com/kubernetes/kubernetes/issues/109379
- endpoint: createCoreV1NamespacedBinding
reason: Endpoint was deprecated in 1.7
link: https://github.com/kubernetes/kubernetes/pull/47041
link: https://github.com/kubernetes/kubernetes/pull/47041
- endpoint: createAuthorizationV1SelfSubjectRulesReview
reason: Endpoint likely to be deprecated
link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626
link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626
- endpoint: connectCoreV1GetNamespacedPodPortforward
reason: Explicitly designed to be a debug feature
link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711
@ -262,3 +262,6 @@
- endpoint: connectCoreV1PostNamespacedPodAttach
reason: Explicitly designed to be a debug feature
link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711
- endpoint: createAuthenticationV1SelfSubjectReview
reason: Cluster providers are allowed to choose to not serve this API, and the whoami command handles unavailability gracefully.
link: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3325-self-subject-attributes-review-api/README.md#ga

37
test/e2e/auth/selfsubjectreviews.go
View File

@ -22,8 +22,10 @@ import (
"github.com/onsi/ginkgo/v2"
"github.com/onsi/gomega"
authenticationv1 "k8s.io/api/authentication/v1"
authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1"
authenticationv1beta1 "k8s.io/api/authentication/v1beta1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
@ -31,19 +33,21 @@ import (
admissionapi "k8s.io/pod-security-admission/api"
)
var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
var _ = SIGDescribe("SelfSubjectReview", func() {
f := framework.NewDefaultFramework("selfsubjectreviews")
f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged
/*
Release: v1.27
Release: v1.28
Testname: SelfSubjectReview API
Description:
The authentication.k8s.io API group MUST exist in the /apis discovery document.
The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
The authentication.k8s.io/v1beta1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
The authentication.k8s.io/v1 API group/version MUST exist in the /apis/mode.k8s.io discovery document.
The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document.
The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1beta1 discovery document.
The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1 discovery document.
The selfsubjectreviews resource MUST support create.
*/
ginkgo.DescribeTable(
@ -105,6 +109,7 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
},
ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()),
ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()),
ginkgo.Entry("authentication/v1", "v1", authenticationv1.SchemeGroupVersion.String()),
)
ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) {
@ -116,8 +121,11 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews()
res, err := ssrClient.Create(ctx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{})
framework.ExpectNoError(err)
if apierrors.IsNotFound(err) {
return // Alpha API is disabled
}
framework.ExpectNoError(err)
gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
@ -136,6 +144,29 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() {
ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1beta1().SelfSubjectReviews()
res, err := ssrClient.Create(ctx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{})
if apierrors.IsNotFound(err) {
return // Beta API is disabled
}
framework.ExpectNoError(err)
gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))
gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID))
gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups))
extra := make(map[string][]string, len(res.Status.UserInfo.Extra))
for k, v := range res.Status.UserInfo.Extra {
extra[k] = v
}
gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra))
}
ginkgo.By("creating SSR authentication/v1")
{
config := restConfig(f)
ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1().SelfSubjectReviews()
res, err := ssrClient.Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
framework.ExpectNoError(err)
gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username))

1
test/integration/apiserver/admissionwebhook/admission_test.go
View File

@ -158,6 +158,7 @@ var (
gvr("authentication.k8s.io", "v1beta1", "tokenreviews"): `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`,
gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
gvr("authentication.k8s.io", "v1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`,
gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`,
gvr("authorization.k8s.io", "v1", "subjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`,
gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`,

45
test/integration/auth/selfsubjectreview_test.go
View File

@ -99,6 +99,7 @@ func TestGetsSelfAttributes(t *testing.T) {
ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
opts.Authorization.Modes = []string{"AlwaysAllow"}
},
ModifyServerConfig: func(config *controlplane.Config) {
@ -172,6 +173,33 @@ func TestGetsSelfAttributes(t *testing.T) {
if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
}
res3, err := kubeClient.AuthenticationV1().
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if res3 == nil {
t.Fatalf("empty response")
}
if res3.Status.UserInfo.Username != tc.expectedName {
t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username)
}
if res3.Status.UserInfo.UID != tc.expectedUID {
t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID)
}
if !reflect.DeepEqual(res3.Status.UserInfo.Groups, tc.expectedGroups) {
t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups)
}
if !reflect.DeepEqual(res3.Status.UserInfo.Extra, tc.expectedExtra) {
t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra)
}
})
}
@ -187,6 +215,7 @@ func TestGetsSelfAttributesError(t *testing.T) {
ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true")
opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true")
opts.Authorization.Modes = []string{"AlwaysAllow"}
},
ModifyServerConfig: func(config *controlplane.Config) {
@ -240,4 +269,20 @@ func TestGetsSelfAttributesError(t *testing.T) {
t.Fatalf("expected error: %v, got %v", expected, err)
}
}
{ // v1
toggle.Store(!toggle.Load().(bool))
_, err := kubeClient.AuthenticationV1().
SelfSubjectReviews().
Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{})
if err == nil {
t.Fatalf("expected error: %v, got nil", err)
}
toggle.Store(!toggle.Load().(bool))
if expected.Error() != err.Error() {
t.Fatalf("expected error: %v, got %v", expected, err)
}
}
}