diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json index 164229ff60a..584239c404f 100644 --- a/api/openapi-spec/swagger.json +++ b/api/openapi-spec/swagger.json @@ -1978,6 +1978,45 @@ }, "type": "object" }, + "io.k8s.api.authentication.v1.SelfSubjectReview": { + "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "status": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReviewStatus", + "description": "Status is filled in by the server with the user attributes." + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "authentication.k8s.io", + "kind": "SelfSubjectReview", + "version": "v1" + } + ] + }, + "io.k8s.api.authentication.v1.SelfSubjectReviewStatus": { + "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "properties": { + "userInfo": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo", + "description": "User attributes of the user making this request." + } + }, + "type": "object" + }, "io.k8s.api.authentication.v1.TokenRequest": { "description": "TokenRequest requests a token for a given service account.", "properties": { @@ -50768,6 +50807,95 @@ ] } }, + "/apis/authentication.k8s.io/v1/selfsubjectreviews": { + "parameters": [ + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "type": "string", + "uniqueItems": true + }, + { + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "in": "query", + "name": "fieldValidation", + "type": "string", + "uniqueItems": true + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "type": "string", + "uniqueItems": true + } + ], + "post": { + "consumes": [ + "*/*" + ], + "description": "create a SelfSubjectReview", + "operationId": "createAuthenticationV1SelfSubjectReview", + "parameters": [ + { + "in": "body", + "name": "body", + "required": true, + "schema": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview" + } + } + ], + "produces": [ + "application/json", + "application/yaml", + "application/vnd.kubernetes.protobuf" + ], + "responses": { + "200": { + "description": "OK", + "schema": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "201": { + "description": "Created", + "schema": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "202": { + "description": "Accepted", + "schema": { + "$ref": "#/definitions/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "401": { + "description": "Unauthorized" + } + }, + "schemes": [ + "https" + ], + "tags": [ + "authentication_v1" + ], + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "authentication.k8s.io", + "kind": "SelfSubjectReview", + "version": "v1" + } + } + }, "/apis/authentication.k8s.io/v1/tokenreviews": { "parameters": [ { diff --git a/api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json b/api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json index c21a71c51d5..1c2b051009c 100644 --- a/api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json +++ b/api/openapi-spec/v3/apis__authentication.k8s.io__v1_openapi.json @@ -1,6 +1,60 @@ { "components": { "schemas": { + "io.k8s.api.authentication.v1.SelfSubjectReview": { + "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta" + } + ], + "default": {}, + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "status": { + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReviewStatus" + } + ], + "default": {}, + "description": "Status is filled in by the server with the user attributes." + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "authentication.k8s.io", + "kind": "SelfSubjectReview", + "version": "v1" + } + ] + }, + "io.k8s.api.authentication.v1.SelfSubjectReviewStatus": { + "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "properties": { + "userInfo": { + "allOf": [ + { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.UserInfo" + } + ], + "default": {}, + "description": "User attributes of the user making this request." + } + }, + "type": "object" + }, "io.k8s.api.authentication.v1.TokenReview": { "description": "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.", "properties": { @@ -495,6 +549,133 @@ ] } }, + "/apis/authentication.k8s.io/v1/selfsubjectreviews": { + "parameters": [ + { + "description": "When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed", + "in": "query", + "name": "dryRun", + "schema": { + "type": "string", + "uniqueItems": true + } + }, + { + "description": "fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.", + "in": "query", + "name": "fieldManager", + "schema": { + "type": "string", + "uniqueItems": true + } + }, + { + "description": "fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered.", + "in": "query", + "name": "fieldValidation", + "schema": { + "type": "string", + "uniqueItems": true + } + }, + { + "description": "If 'true', then the output is pretty printed.", + "in": "query", + "name": "pretty", + "schema": { + "type": "string", + "uniqueItems": true + } + } + ], + "post": { + "description": "create a SelfSubjectReview", + "operationId": "createAuthenticationV1SelfSubjectReview", + "requestBody": { + "content": { + "*/*": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + } + } + }, + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/vnd.kubernetes.protobuf": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/yaml": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + } + }, + "description": "OK" + }, + "201": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/vnd.kubernetes.protobuf": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/yaml": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + } + }, + "description": "Created" + }, + "202": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/vnd.kubernetes.protobuf": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + }, + "application/yaml": { + "schema": { + "$ref": "#/components/schemas/io.k8s.api.authentication.v1.SelfSubjectReview" + } + } + }, + "description": "Accepted" + }, + "401": { + "description": "Unauthorized" + } + }, + "tags": [ + "authentication_v1" + ], + "x-kubernetes-action": "post", + "x-kubernetes-group-version-kind": { + "group": "authentication.k8s.io", + "kind": "SelfSubjectReview", + "version": "v1" + } + } + }, "/apis/authentication.k8s.io/v1/tokenreviews": { "parameters": [ { diff --git a/pkg/apis/authentication/v1/zz_generated.conversion.go b/pkg/apis/authentication/v1/zz_generated.conversion.go index 24bbaa68818..60f345b8831 100644 --- a/pkg/apis/authentication/v1/zz_generated.conversion.go +++ b/pkg/apis/authentication/v1/zz_generated.conversion.go @@ -49,6 +49,26 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*v1.SelfSubjectReview)(nil), (*authentication.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(a.(*v1.SelfSubjectReview), b.(*authentication.SelfSubjectReview), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReview)(nil), (*v1.SelfSubjectReview)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(a.(*authentication.SelfSubjectReview), b.(*v1.SelfSubjectReview), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*v1.SelfSubjectReviewStatus)(nil), (*authentication.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(a.(*v1.SelfSubjectReviewStatus), b.(*authentication.SelfSubjectReviewStatus), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*authentication.SelfSubjectReviewStatus)(nil), (*v1.SelfSubjectReviewStatus)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(a.(*authentication.SelfSubjectReviewStatus), b.(*v1.SelfSubjectReviewStatus), scope) + }); err != nil { + return err + } if err := s.AddGeneratedConversionFunc((*v1.TokenRequest)(nil), (*authentication.TokenRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1_TokenRequest_To_authentication_TokenRequest(a.(*v1.TokenRequest), b.(*authentication.TokenRequest), scope) }); err != nil { @@ -148,6 +168,56 @@ func Convert_authentication_BoundObjectReference_To_v1_BoundObjectReference(in * return autoConvert_authentication_BoundObjectReference_To_v1_BoundObjectReference(in, out, s) } +func autoConvert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview is an autogenerated conversion function. +func Convert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in *v1.SelfSubjectReview, out *authentication.SelfSubjectReview, s conversion.Scope) error { + return autoConvert_v1_SelfSubjectReview_To_authentication_SelfSubjectReview(in, out, s) +} + +func autoConvert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1.SelfSubjectReview, s conversion.Scope) error { + out.ObjectMeta = in.ObjectMeta + if err := Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(&in.Status, &out.Status, s); err != nil { + return err + } + return nil +} + +// Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview is an autogenerated conversion function. +func Convert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in *authentication.SelfSubjectReview, out *v1.SelfSubjectReview, s conversion.Scope) error { + return autoConvert_authentication_SelfSubjectReview_To_v1_SelfSubjectReview(in, out, s) +} + +func autoConvert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error { + if err := Convert_v1_UserInfo_To_authentication_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil { + return err + } + return nil +} + +// Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus is an autogenerated conversion function. +func Convert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in *v1.SelfSubjectReviewStatus, out *authentication.SelfSubjectReviewStatus, s conversion.Scope) error { + return autoConvert_v1_SelfSubjectReviewStatus_To_authentication_SelfSubjectReviewStatus(in, out, s) +} + +func autoConvert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1.SelfSubjectReviewStatus, s conversion.Scope) error { + if err := Convert_authentication_UserInfo_To_v1_UserInfo(&in.UserInfo, &out.UserInfo, s); err != nil { + return err + } + return nil +} + +// Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus is an autogenerated conversion function. +func Convert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in *authentication.SelfSubjectReviewStatus, out *v1.SelfSubjectReviewStatus, s conversion.Scope) error { + return autoConvert_authentication_SelfSubjectReviewStatus_To_v1_SelfSubjectReviewStatus(in, out, s) +} + func autoConvert_v1_TokenRequest_To_authentication_TokenRequest(in *v1.TokenRequest, out *authentication.TokenRequest, s conversion.Scope) error { out.ObjectMeta = in.ObjectMeta if err := Convert_v1_TokenRequestSpec_To_authentication_TokenRequestSpec(&in.Spec, &out.Spec, s); err != nil { diff --git a/pkg/controlplane/storageversionhashdata/data.go b/pkg/controlplane/storageversionhashdata/data.go index c25371c07ba..127a11a70f6 100644 --- a/pkg/controlplane/storageversionhashdata/data.go +++ b/pkg/controlplane/storageversionhashdata/data.go @@ -26,6 +26,7 @@ import ( var NoStorageVersionHash = sets.NewString( "v1/bindings", "v1/componentstatuses", + "authentication.k8s.io/v1/selfsubjectreviews", "authentication.k8s.io/v1/tokenreviews", "authorization.k8s.io/v1/localsubjectaccessreviews", "authorization.k8s.io/v1/selfsubjectaccessreviews", diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 484277f0c8b..53822723f2b 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go @@ -53,6 +53,7 @@ const ( // owner: @nabokihms // alpha: v1.26 // beta: v1.27 + // GA: v1.28 // // Enables API to get self subject attributes after authentication. APISelfSubjectReview featuregate.Feature = "APISelfSubjectReview" @@ -872,7 +873,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS AnyVolumeDataSource: {Default: true, PreRelease: featuregate.Beta}, // on by default in 1.24 - APISelfSubjectReview: {Default: true, PreRelease: featuregate.Beta}, // on by default in 1.27 + APISelfSubjectReview: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // GA in 1.28; remove in 1.30 AppArmor: {Default: true, PreRelease: featuregate.Beta}, diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 9b151decc41..af66344cce1 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -169,6 +169,8 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "k8s.io/api/apps/v1beta2.StatefulSetStatus": schema_k8sio_api_apps_v1beta2_StatefulSetStatus(ref), "k8s.io/api/apps/v1beta2.StatefulSetUpdateStrategy": schema_k8sio_api_apps_v1beta2_StatefulSetUpdateStrategy(ref), "k8s.io/api/authentication/v1.BoundObjectReference": schema_k8sio_api_authentication_v1_BoundObjectReference(ref), + "k8s.io/api/authentication/v1.SelfSubjectReview": schema_k8sio_api_authentication_v1_SelfSubjectReview(ref), + "k8s.io/api/authentication/v1.SelfSubjectReviewStatus": schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref), "k8s.io/api/authentication/v1.TokenRequest": schema_k8sio_api_authentication_v1_TokenRequest(ref), "k8s.io/api/authentication/v1.TokenRequestSpec": schema_k8sio_api_authentication_v1_TokenRequestSpec(ref), "k8s.io/api/authentication/v1.TokenRequestStatus": schema_k8sio_api_authentication_v1_TokenRequestStatus(ref), @@ -8437,6 +8439,71 @@ func schema_k8sio_api_authentication_v1_BoundObjectReference(ref common.Referenc } } +func schema_k8sio_api_authentication_v1_SelfSubjectReview(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "kind": { + SchemaProps: spec.SchemaProps{ + Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + Type: []string{"string"}, + Format: "", + }, + }, + "apiVersion": { + SchemaProps: spec.SchemaProps{ + Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + Type: []string{"string"}, + Format: "", + }, + }, + "metadata": { + SchemaProps: spec.SchemaProps{ + Description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"), + }, + }, + "status": { + SchemaProps: spec.SchemaProps{ + Description: "Status is filled in by the server with the user attributes.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/authentication/v1.SelfSubjectReviewStatus"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/api/authentication/v1.SelfSubjectReviewStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"}, + } +} + +func schema_k8sio_api_authentication_v1_SelfSubjectReviewStatus(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "userInfo": { + SchemaProps: spec.SchemaProps{ + Description: "User attributes of the user making this request.", + Default: map[string]interface{}{}, + Ref: ref("k8s.io/api/authentication/v1.UserInfo"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "k8s.io/api/authentication/v1.UserInfo"}, + } +} + func schema_k8sio_api_authentication_v1_TokenRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/pkg/registry/authentication/rest/storage_authentication.go b/pkg/registry/authentication/rest/storage_authentication.go index 41f91b666a1..f8ce43edb7b 100644 --- a/pkg/registry/authentication/rest/storage_authentication.go +++ b/pkg/registry/authentication/rest/storage_authentication.go @@ -25,11 +25,8 @@ import ( "k8s.io/apiserver/pkg/registry/rest" genericapiserver "k8s.io/apiserver/pkg/server" serverstorage "k8s.io/apiserver/pkg/server/storage" - utilfeature "k8s.io/apiserver/pkg/util/feature" - "k8s.io/klog/v2" "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/apis/authentication" - "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/registry/authentication/selfsubjectreview" "k8s.io/kubernetes/pkg/registry/authentication/tokenreview" ) @@ -72,6 +69,10 @@ func (p RESTStorageProvider) v1Storage(apiResourceConfigSource serverstorage.API tokenReviewStorage := tokenreview.NewREST(p.Authenticator, p.APIAudiences) storage[resource] = tokenReviewStorage } + if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1.SchemeGroupVersion.WithResource(resource)) { + selfSRStorage := selfsubjectreview.NewREST() + storage[resource] = selfSRStorage + } return storage } @@ -81,12 +82,8 @@ func (p RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource serverstora // selfsubjectreviews if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1alpha1.SchemeGroupVersion.WithResource(resource)) { - if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) { - selfSRStorage := selfsubjectreview.NewREST() - storage[resource] = selfSRStorage - } else { - klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.") - } + selfSRStorage := selfsubjectreview.NewREST() + storage[resource] = selfSRStorage } return storage } @@ -96,12 +93,8 @@ func (p RESTStorageProvider) v1beta1Storage(apiResourceConfigSource serverstorag // selfsubjectreviews if resource := "selfsubjectreviews"; apiResourceConfigSource.ResourceEnabled(authenticationv1beta1.SchemeGroupVersion.WithResource(resource)) { - if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) { - selfSRStorage := selfsubjectreview.NewREST() - storage[resource] = selfSRStorage - } else { - klog.Warningln("SelfSubjectReview API is disabled because corresponding feature gate APISelfSubjectReview is not enabled.") - } + selfSRStorage := selfsubjectreview.NewREST() + storage[resource] = selfSRStorage } return storage } diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go index 1c5a0731e17..2e49905210d 100644 --- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go +++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go @@ -231,10 +231,7 @@ func ClusterRoles() []rbacv1.ClusterRole { basicUserRules := []rbacv1.PolicyRule{ rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(), - } - - if utilfeature.DefaultFeatureGate.Enabled(features.APISelfSubjectReview) { - basicUserRules = append(basicUserRules, rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie()) + rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectreviews").RuleOrDie(), } roles = append(roles, []rbacv1.ClusterRole{ diff --git a/staging/src/k8s.io/api/authentication/v1/generated.pb.go b/staging/src/k8s.io/api/authentication/v1/generated.pb.go index efbecf02c56..304bbd0744d 100644 --- a/staging/src/k8s.io/api/authentication/v1/generated.pb.go +++ b/staging/src/k8s.io/api/authentication/v1/generated.pb.go @@ -102,10 +102,66 @@ func (m *ExtraValue) XXX_DiscardUnknown() { var xxx_messageInfo_ExtraValue proto.InternalMessageInfo +func (m *SelfSubjectReview) Reset() { *m = SelfSubjectReview{} } +func (*SelfSubjectReview) ProtoMessage() {} +func (*SelfSubjectReview) Descriptor() ([]byte, []int) { + return fileDescriptor_2953ea822e7ffe1e, []int{2} +} +func (m *SelfSubjectReview) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SelfSubjectReview) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SelfSubjectReview) XXX_Merge(src proto.Message) { + xxx_messageInfo_SelfSubjectReview.Merge(m, src) +} +func (m *SelfSubjectReview) XXX_Size() int { + return m.Size() +} +func (m *SelfSubjectReview) XXX_DiscardUnknown() { + xxx_messageInfo_SelfSubjectReview.DiscardUnknown(m) +} + +var xxx_messageInfo_SelfSubjectReview proto.InternalMessageInfo + +func (m *SelfSubjectReviewStatus) Reset() { *m = SelfSubjectReviewStatus{} } +func (*SelfSubjectReviewStatus) ProtoMessage() {} +func (*SelfSubjectReviewStatus) Descriptor() ([]byte, []int) { + return fileDescriptor_2953ea822e7ffe1e, []int{3} +} +func (m *SelfSubjectReviewStatus) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SelfSubjectReviewStatus) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil +} +func (m *SelfSubjectReviewStatus) XXX_Merge(src proto.Message) { + xxx_messageInfo_SelfSubjectReviewStatus.Merge(m, src) +} +func (m *SelfSubjectReviewStatus) XXX_Size() int { + return m.Size() +} +func (m *SelfSubjectReviewStatus) XXX_DiscardUnknown() { + xxx_messageInfo_SelfSubjectReviewStatus.DiscardUnknown(m) +} + +var xxx_messageInfo_SelfSubjectReviewStatus proto.InternalMessageInfo + func (m *TokenRequest) Reset() { *m = TokenRequest{} } func (*TokenRequest) ProtoMessage() {} func (*TokenRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{2} + return fileDescriptor_2953ea822e7ffe1e, []int{4} } func (m *TokenRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -133,7 +189,7 @@ var xxx_messageInfo_TokenRequest proto.InternalMessageInfo func (m *TokenRequestSpec) Reset() { *m = TokenRequestSpec{} } func (*TokenRequestSpec) ProtoMessage() {} func (*TokenRequestSpec) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{3} + return fileDescriptor_2953ea822e7ffe1e, []int{5} } func (m *TokenRequestSpec) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -161,7 +217,7 @@ var xxx_messageInfo_TokenRequestSpec proto.InternalMessageInfo func (m *TokenRequestStatus) Reset() { *m = TokenRequestStatus{} } func (*TokenRequestStatus) ProtoMessage() {} func (*TokenRequestStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{4} + return fileDescriptor_2953ea822e7ffe1e, []int{6} } func (m *TokenRequestStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -189,7 +245,7 @@ var xxx_messageInfo_TokenRequestStatus proto.InternalMessageInfo func (m *TokenReview) Reset() { *m = TokenReview{} } func (*TokenReview) ProtoMessage() {} func (*TokenReview) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{5} + return fileDescriptor_2953ea822e7ffe1e, []int{7} } func (m *TokenReview) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -217,7 +273,7 @@ var xxx_messageInfo_TokenReview proto.InternalMessageInfo func (m *TokenReviewSpec) Reset() { *m = TokenReviewSpec{} } func (*TokenReviewSpec) ProtoMessage() {} func (*TokenReviewSpec) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{6} + return fileDescriptor_2953ea822e7ffe1e, []int{8} } func (m *TokenReviewSpec) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -245,7 +301,7 @@ var xxx_messageInfo_TokenReviewSpec proto.InternalMessageInfo func (m *TokenReviewStatus) Reset() { *m = TokenReviewStatus{} } func (*TokenReviewStatus) ProtoMessage() {} func (*TokenReviewStatus) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{7} + return fileDescriptor_2953ea822e7ffe1e, []int{9} } func (m *TokenReviewStatus) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -273,7 +329,7 @@ var xxx_messageInfo_TokenReviewStatus proto.InternalMessageInfo func (m *UserInfo) Reset() { *m = UserInfo{} } func (*UserInfo) ProtoMessage() {} func (*UserInfo) Descriptor() ([]byte, []int) { - return fileDescriptor_2953ea822e7ffe1e, []int{8} + return fileDescriptor_2953ea822e7ffe1e, []int{10} } func (m *UserInfo) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -301,6 +357,8 @@ var xxx_messageInfo_UserInfo proto.InternalMessageInfo func init() { proto.RegisterType((*BoundObjectReference)(nil), "k8s.io.api.authentication.v1.BoundObjectReference") proto.RegisterType((*ExtraValue)(nil), "k8s.io.api.authentication.v1.ExtraValue") + proto.RegisterType((*SelfSubjectReview)(nil), "k8s.io.api.authentication.v1.SelfSubjectReview") + proto.RegisterType((*SelfSubjectReviewStatus)(nil), "k8s.io.api.authentication.v1.SelfSubjectReviewStatus") proto.RegisterType((*TokenRequest)(nil), "k8s.io.api.authentication.v1.TokenRequest") proto.RegisterType((*TokenRequestSpec)(nil), "k8s.io.api.authentication.v1.TokenRequestSpec") proto.RegisterType((*TokenRequestStatus)(nil), "k8s.io.api.authentication.v1.TokenRequestStatus") @@ -316,64 +374,67 @@ func init() { } var fileDescriptor_2953ea822e7ffe1e = []byte{ - // 907 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0xcf, 0x6f, 0xe3, 0x44, - 0x14, 0x8e, 0xf3, 0xa3, 0x4a, 0x26, 0xdb, 0xd2, 0xce, 0xb2, 0x52, 0x54, 0x96, 0xa4, 0x78, 0x25, - 0x54, 0x01, 0x6b, 0x6f, 0x23, 0x04, 0xab, 0x45, 0x42, 0xaa, 0x69, 0x04, 0x11, 0x82, 0x5d, 0xcd, - 0x6e, 0x0b, 0xe2, 0xc4, 0xc4, 0x7e, 0x4d, 0x87, 0xe0, 0xb1, 0xb1, 0xc7, 0x61, 0x73, 0xdb, 0x3f, - 0x81, 0x23, 0x48, 0x1c, 0xf8, 0x23, 0x90, 0xf8, 0x17, 0x7a, 0x5c, 0x71, 0xea, 0x01, 0x45, 0xd4, - 0x5c, 0x39, 0x72, 0xe2, 0x84, 0x66, 0x3c, 0xad, 0xe3, 0xa4, 0x4d, 0x73, 0xe2, 0x96, 0x79, 0xef, - 0x7b, 0xdf, 0xbc, 0xf7, 0xcd, 0xe7, 0x99, 0xa0, 0xde, 0xe8, 0x61, 0x6c, 0xb1, 0xc0, 0x1e, 0x25, - 0x03, 0x88, 0x38, 0x08, 0x88, 0xed, 0x31, 0x70, 0x2f, 0x88, 0x6c, 0x9d, 0xa0, 0x21, 0xb3, 0x69, - 0x22, 0x4e, 0x80, 0x0b, 0xe6, 0x52, 0xc1, 0x02, 0x6e, 0x8f, 0xf7, 0xec, 0x21, 0x70, 0x88, 0xa8, - 0x00, 0xcf, 0x0a, 0xa3, 0x40, 0x04, 0xf8, 0x6e, 0x86, 0xb6, 0x68, 0xc8, 0xac, 0x22, 0xda, 0x1a, - 0xef, 0x6d, 0xdf, 0x1f, 0x32, 0x71, 0x92, 0x0c, 0x2c, 0x37, 0xf0, 0xed, 0x61, 0x30, 0x0c, 0x6c, - 0x55, 0x34, 0x48, 0x8e, 0xd5, 0x4a, 0x2d, 0xd4, 0xaf, 0x8c, 0x6c, 0xfb, 0xdd, 0x7c, 0x6b, 0x9f, - 0xba, 0x27, 0x8c, 0x43, 0x34, 0xb1, 0xc3, 0xd1, 0x50, 0x06, 0x62, 0xdb, 0x07, 0x41, 0xaf, 0x68, - 0x61, 0xdb, 0xbe, 0xae, 0x2a, 0x4a, 0xb8, 0x60, 0x3e, 0x2c, 0x14, 0xbc, 0x77, 0x53, 0x41, 0xec, - 0x9e, 0x80, 0x4f, 0xe7, 0xeb, 0xcc, 0xdf, 0x0d, 0xf4, 0xaa, 0x13, 0x24, 0xdc, 0x7b, 0x3c, 0xf8, - 0x06, 0x5c, 0x41, 0xe0, 0x18, 0x22, 0xe0, 0x2e, 0xe0, 0x1d, 0x54, 0x1d, 0x31, 0xee, 0xb5, 0x8c, - 0x1d, 0x63, 0xb7, 0xe1, 0xdc, 0x3a, 0x9d, 0x76, 0x4a, 0xe9, 0xb4, 0x53, 0xfd, 0x94, 0x71, 0x8f, - 0xa8, 0x0c, 0xee, 0x22, 0x44, 0x43, 0x76, 0x04, 0x51, 0xcc, 0x02, 0xde, 0x2a, 0x2b, 0x1c, 0xd6, - 0x38, 0xb4, 0xff, 0xa4, 0xaf, 0x33, 0x64, 0x06, 0x25, 0x59, 0x39, 0xf5, 0xa1, 0x55, 0x29, 0xb2, - 0x7e, 0x4e, 0x7d, 0x20, 0x2a, 0x83, 0x1d, 0x54, 0x49, 0xfa, 0x07, 0xad, 0xaa, 0x02, 0x3c, 0xd0, - 0x80, 0xca, 0x61, 0xff, 0xe0, 0xdf, 0x69, 0xe7, 0x8d, 0xeb, 0x86, 0x14, 0x93, 0x10, 0x62, 0xeb, - 0xb0, 0x7f, 0x40, 0x64, 0xb1, 0xf9, 0x3e, 0x42, 0xbd, 0xe7, 0x22, 0xa2, 0x47, 0xf4, 0xdb, 0x04, - 0x70, 0x07, 0xd5, 0x98, 0x00, 0x3f, 0x6e, 0x19, 0x3b, 0x95, 0xdd, 0x86, 0xd3, 0x48, 0xa7, 0x9d, - 0x5a, 0x5f, 0x06, 0x48, 0x16, 0x7f, 0x54, 0xff, 0xf1, 0x97, 0x4e, 0xe9, 0xc5, 0x1f, 0x3b, 0x25, - 0xf3, 0xe7, 0x32, 0xba, 0xf5, 0x2c, 0x18, 0x01, 0x27, 0xf0, 0x5d, 0x02, 0xb1, 0xc0, 0x5f, 0xa3, - 0xba, 0x3c, 0x22, 0x8f, 0x0a, 0xaa, 0x94, 0x68, 0x76, 0x1f, 0x58, 0xb9, 0x3b, 0x2e, 0x9b, 0xb0, - 0xc2, 0xd1, 0x50, 0x06, 0x62, 0x4b, 0xa2, 0xad, 0xf1, 0x9e, 0x95, 0xc9, 0xf9, 0x19, 0x08, 0x9a, - 0x6b, 0x92, 0xc7, 0xc8, 0x25, 0x2b, 0x7e, 0x82, 0xaa, 0x71, 0x08, 0xae, 0xd2, 0xaf, 0xd9, 0xb5, - 0xac, 0x65, 0xde, 0xb3, 0x66, 0x7b, 0x7b, 0x1a, 0x82, 0x9b, 0x2b, 0x28, 0x57, 0x44, 0x31, 0xe1, - 0x2f, 0xd1, 0x5a, 0x2c, 0xa8, 0x48, 0x62, 0xa5, 0x72, 0xb1, 0xe3, 0x9b, 0x38, 0x55, 0x9d, 0xb3, - 0xa1, 0x59, 0xd7, 0xb2, 0x35, 0xd1, 0x7c, 0xe6, 0x3f, 0x06, 0xda, 0x9c, 0x6f, 0x01, 0xbf, 0x8d, - 0x1a, 0x34, 0xf1, 0x98, 0x34, 0xcd, 0x85, 0xc4, 0xeb, 0xe9, 0xb4, 0xd3, 0xd8, 0xbf, 0x08, 0x92, - 0x3c, 0x8f, 0x3f, 0x42, 0x5b, 0xf0, 0x3c, 0x64, 0x91, 0xda, 0xfd, 0x29, 0xb8, 0x01, 0xf7, 0x62, - 0x75, 0xd6, 0x15, 0xe7, 0x4e, 0x3a, 0xed, 0x6c, 0xf5, 0xe6, 0x93, 0x64, 0x11, 0x8f, 0x39, 0xda, - 0x18, 0x14, 0x2c, 0xab, 0x07, 0xed, 0x2e, 0x1f, 0xf4, 0x2a, 0x9b, 0x3b, 0x38, 0x9d, 0x76, 0x36, - 0x8a, 0x19, 0x32, 0xc7, 0x6e, 0xfe, 0x6a, 0x20, 0xbc, 0xa8, 0x12, 0xbe, 0x87, 0x6a, 0x42, 0x46, - 0xf5, 0x27, 0xb2, 0xae, 0x45, 0xab, 0x65, 0xd0, 0x2c, 0x87, 0x27, 0xe8, 0x76, 0x3e, 0xc0, 0x33, - 0xe6, 0x43, 0x2c, 0xa8, 0x1f, 0xea, 0xd3, 0x7e, 0x6b, 0x35, 0x2f, 0xc9, 0x32, 0xe7, 0x35, 0x4d, - 0x7f, 0xbb, 0xb7, 0x48, 0x47, 0xae, 0xda, 0xc3, 0xfc, 0xa9, 0x8c, 0x9a, 0xba, 0xed, 0x31, 0x83, - 0xef, 0xff, 0x07, 0x2f, 0x3f, 0x2e, 0x78, 0xf9, 0xfe, 0x4a, 0xbe, 0x93, 0xad, 0x5d, 0x6b, 0xe5, - 0x2f, 0xe6, 0xac, 0x6c, 0xaf, 0x4e, 0xb9, 0xdc, 0xc9, 0x2e, 0x7a, 0x65, 0x6e, 0xff, 0xd5, 0x8e, - 0xb3, 0x60, 0xf6, 0xf2, 0x72, 0xb3, 0x9b, 0x7f, 0x1b, 0x68, 0x6b, 0xa1, 0x25, 0xfc, 0x01, 0x5a, - 0x9f, 0xe9, 0x1c, 0xb2, 0x1b, 0xb6, 0xee, 0xdc, 0xd1, 0xfb, 0xad, 0xef, 0xcf, 0x26, 0x49, 0x11, - 0x8b, 0x3f, 0x41, 0xd5, 0x24, 0x86, 0x48, 0x2b, 0xfc, 0xe6, 0x72, 0x39, 0x0e, 0x63, 0x88, 0xfa, - 0xfc, 0x38, 0xc8, 0xa5, 0x95, 0x11, 0xa2, 0x18, 0x8a, 0x93, 0x54, 0x6f, 0xf8, 0x6c, 0xef, 0xa1, - 0x1a, 0x44, 0x51, 0x10, 0xe9, 0x7b, 0xfb, 0x52, 0x9b, 0x9e, 0x0c, 0x92, 0x2c, 0x67, 0xfe, 0x56, - 0x46, 0xf5, 0x8b, 0x2d, 0xf1, 0x3b, 0xa8, 0x2e, 0xb7, 0x51, 0x97, 0x7d, 0x26, 0xe8, 0xa6, 0x2e, - 0x52, 0x18, 0x19, 0x27, 0x97, 0x08, 0xfc, 0x3a, 0xaa, 0x24, 0xcc, 0xd3, 0x6f, 0x48, 0x73, 0xe6, - 0xd2, 0x27, 0x32, 0x8e, 0x4d, 0xb4, 0x36, 0x8c, 0x82, 0x24, 0x94, 0x36, 0x90, 0x8d, 0x22, 0x79, - 0xa2, 0x1f, 0xab, 0x08, 0xd1, 0x19, 0x7c, 0x84, 0x6a, 0x20, 0xef, 0x7c, 0x35, 0x4b, 0xb3, 0xbb, - 0xb7, 0x9a, 0x34, 0x96, 0x7a, 0x27, 0x7a, 0x5c, 0x44, 0x93, 0x99, 0xa9, 0x64, 0x8c, 0x64, 0x74, - 0xdb, 0x03, 0xfd, 0x96, 0x28, 0x0c, 0xde, 0x44, 0x95, 0x11, 0x4c, 0xb2, 0x89, 0x88, 0xfc, 0x89, - 0x3f, 0x44, 0xb5, 0xb1, 0x7c, 0x66, 0xf4, 0x91, 0xec, 0x2e, 0xdf, 0x37, 0x7f, 0x96, 0x48, 0x56, - 0xf6, 0xa8, 0xfc, 0xd0, 0x70, 0x9c, 0xd3, 0xf3, 0x76, 0xe9, 0xe5, 0x79, 0xbb, 0x74, 0x76, 0xde, - 0x2e, 0xbd, 0x48, 0xdb, 0xc6, 0x69, 0xda, 0x36, 0x5e, 0xa6, 0x6d, 0xe3, 0x2c, 0x6d, 0x1b, 0x7f, - 0xa6, 0x6d, 0xe3, 0x87, 0xbf, 0xda, 0xa5, 0xaf, 0xee, 0x2e, 0xfb, 0x13, 0xf3, 0x5f, 0x00, 0x00, - 0x00, 0xff, 0xff, 0x12, 0xb8, 0x31, 0x91, 0xfc, 0x08, 0x00, 0x00, + // 958 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4b, 0x6f, 0x23, 0x45, + 0x10, 0xf6, 0xf8, 0x11, 0xd9, 0xe5, 0x4d, 0x48, 0x7a, 0x59, 0x61, 0x85, 0xc5, 0x0e, 0xb3, 0x12, + 0x8a, 0x80, 0x9d, 0xd9, 0x58, 0x3c, 0x56, 0x8b, 0x84, 0x94, 0x21, 0x16, 0x58, 0x08, 0x76, 0xd5, + 0x4e, 0x02, 0x42, 0x42, 0xa2, 0x3d, 0xae, 0x38, 0x83, 0x77, 0x1e, 0xcc, 0xf4, 0x98, 0xf5, 0x6d, + 0x7f, 0x02, 0x47, 0x90, 0x38, 0xf0, 0x23, 0x90, 0xf8, 0x0b, 0x39, 0xae, 0x10, 0x87, 0x3d, 0x20, + 0x8b, 0x0c, 0x57, 0x8e, 0x9c, 0x38, 0xa1, 0xee, 0xe9, 0xf8, 0x99, 0x4c, 0x7c, 0xda, 0x9b, 0xa7, + 0x1e, 0x5f, 0x55, 0x7d, 0x55, 0x5d, 0x65, 0x68, 0x0d, 0xee, 0x47, 0x86, 0xe3, 0x9b, 0x83, 0xb8, + 0x8b, 0xa1, 0x87, 0x1c, 0x23, 0x73, 0x88, 0x5e, 0xcf, 0x0f, 0x4d, 0xa5, 0x60, 0x81, 0x63, 0xb2, + 0x98, 0x9f, 0xa2, 0xc7, 0x1d, 0x9b, 0x71, 0xc7, 0xf7, 0xcc, 0xe1, 0x9e, 0xd9, 0x47, 0x0f, 0x43, + 0xc6, 0xb1, 0x67, 0x04, 0xa1, 0xcf, 0x7d, 0x72, 0x3b, 0xb5, 0x36, 0x58, 0xe0, 0x18, 0xf3, 0xd6, + 0xc6, 0x70, 0x6f, 0xfb, 0x6e, 0xdf, 0xe1, 0xa7, 0x71, 0xd7, 0xb0, 0x7d, 0xd7, 0xec, 0xfb, 0x7d, + 0xdf, 0x94, 0x4e, 0xdd, 0xf8, 0x44, 0x7e, 0xc9, 0x0f, 0xf9, 0x2b, 0x05, 0xdb, 0x7e, 0x67, 0x1a, + 0xda, 0x65, 0xf6, 0xa9, 0xe3, 0x61, 0x38, 0x32, 0x83, 0x41, 0x5f, 0x08, 0x22, 0xd3, 0x45, 0xce, + 0x2e, 0x49, 0x61, 0xdb, 0xbc, 0xca, 0x2b, 0x8c, 0x3d, 0xee, 0xb8, 0xb8, 0xe4, 0xf0, 0xde, 0x75, + 0x0e, 0x91, 0x7d, 0x8a, 0x2e, 0x5b, 0xf4, 0xd3, 0x7f, 0xd7, 0xe0, 0x65, 0xcb, 0x8f, 0xbd, 0xde, + 0xc3, 0xee, 0xb7, 0x68, 0x73, 0x8a, 0x27, 0x18, 0xa2, 0x67, 0x23, 0xd9, 0x81, 0xe2, 0xc0, 0xf1, + 0x7a, 0x35, 0x6d, 0x47, 0xdb, 0xad, 0x58, 0x37, 0xce, 0xc6, 0x8d, 0x5c, 0x32, 0x6e, 0x14, 0x3f, + 0x75, 0xbc, 0x1e, 0x95, 0x1a, 0xd2, 0x04, 0x60, 0x81, 0x73, 0x8c, 0x61, 0xe4, 0xf8, 0x5e, 0x2d, + 0x2f, 0xed, 0x88, 0xb2, 0x83, 0xfd, 0x47, 0x6d, 0xa5, 0xa1, 0x33, 0x56, 0x02, 0xd5, 0x63, 0x2e, + 0xd6, 0x0a, 0xf3, 0xa8, 0x9f, 0x33, 0x17, 0xa9, 0xd4, 0x10, 0x0b, 0x0a, 0x71, 0xfb, 0xa0, 0x56, + 0x94, 0x06, 0xf7, 0x94, 0x41, 0xe1, 0xa8, 0x7d, 0xf0, 0xdf, 0xb8, 0xf1, 0xfa, 0x55, 0x45, 0xf2, + 0x51, 0x80, 0x91, 0x71, 0xd4, 0x3e, 0xa0, 0xc2, 0x59, 0x7f, 0x1f, 0xa0, 0xf5, 0x84, 0x87, 0xec, + 0x98, 0x3d, 0x8e, 0x91, 0x34, 0xa0, 0xe4, 0x70, 0x74, 0xa3, 0x9a, 0xb6, 0x53, 0xd8, 0xad, 0x58, + 0x95, 0x64, 0xdc, 0x28, 0xb5, 0x85, 0x80, 0xa6, 0xf2, 0x07, 0xe5, 0x1f, 0x7f, 0x69, 0xe4, 0x9e, + 0xfe, 0xb9, 0x93, 0xd3, 0xff, 0xd0, 0x60, 0xab, 0x83, 0x8f, 0x4f, 0x3a, 0xb1, 0x62, 0x63, 0xe8, + 0xe0, 0xf7, 0xe4, 0x1b, 0x28, 0x8b, 0x3e, 0xf5, 0x18, 0x67, 0x92, 0x8e, 0x6a, 0xf3, 0x9e, 0x31, + 0x1d, 0x91, 0x49, 0x26, 0x46, 0x30, 0xe8, 0x0b, 0x41, 0x64, 0x08, 0x6b, 0x63, 0xb8, 0x67, 0xa4, + 0x9c, 0x7e, 0x86, 0x9c, 0x4d, 0x89, 0x99, 0xca, 0xe8, 0x04, 0x95, 0x7c, 0x0d, 0x6b, 0x11, 0x67, + 0x3c, 0x8e, 0x24, 0x8d, 0xd5, 0xe6, 0xbb, 0x46, 0xd6, 0x08, 0x1a, 0x4b, 0x29, 0x76, 0xa4, 0xb3, + 0xb5, 0xa1, 0x82, 0xac, 0xa5, 0xdf, 0x54, 0x81, 0xea, 0x3e, 0xbc, 0x72, 0x85, 0x0b, 0x39, 0x84, + 0x72, 0x1c, 0x61, 0xd8, 0xf6, 0x4e, 0x7c, 0x55, 0xdb, 0x1b, 0xd9, 0xb1, 0x8f, 0x94, 0xb5, 0xb5, + 0xa9, 0x82, 0x95, 0x2f, 0x24, 0x74, 0x82, 0xa4, 0xff, 0x9c, 0x87, 0x1b, 0x87, 0xfe, 0x00, 0x3d, + 0x8a, 0xdf, 0xc5, 0x18, 0xf1, 0x17, 0x40, 0xe1, 0x23, 0x28, 0x46, 0x01, 0xda, 0x8a, 0x40, 0x23, + 0xbb, 0x88, 0xd9, 0xdc, 0x3a, 0x01, 0xda, 0xd3, 0x49, 0x14, 0x5f, 0x54, 0x22, 0x91, 0x2f, 0x27, + 0x4d, 0x29, 0x2c, 0x65, 0x7c, 0x1d, 0x66, 0x76, 0x3f, 0xfe, 0xd5, 0x60, 0x73, 0x31, 0x05, 0xf2, + 0x16, 0x54, 0x58, 0xdc, 0x73, 0xc4, 0xe3, 0xbb, 0x18, 0xd5, 0xf5, 0x64, 0xdc, 0xa8, 0xec, 0x5f, + 0x08, 0xe9, 0x54, 0x4f, 0x3e, 0x82, 0x2d, 0x7c, 0x12, 0x38, 0xa1, 0x8c, 0xde, 0x41, 0xdb, 0xf7, + 0x7a, 0x91, 0x7c, 0x33, 0x05, 0xeb, 0x56, 0x32, 0x6e, 0x6c, 0xb5, 0x16, 0x95, 0x74, 0xd9, 0x9e, + 0x78, 0xb0, 0xd1, 0x9d, 0x7b, 0xfa, 0xaa, 0xd0, 0x66, 0x76, 0xa1, 0x97, 0xad, 0x0b, 0x8b, 0x24, + 0xe3, 0xc6, 0xc6, 0xbc, 0x86, 0x2e, 0xa0, 0xeb, 0xbf, 0x6a, 0x40, 0x96, 0x59, 0x22, 0x77, 0xa0, + 0xc4, 0x85, 0x54, 0xad, 0x9a, 0x75, 0x45, 0x5a, 0x29, 0x35, 0x4d, 0x75, 0x64, 0x04, 0x37, 0xa7, + 0x05, 0x1c, 0x3a, 0x2e, 0x46, 0x9c, 0xb9, 0x81, 0xea, 0xf6, 0x9b, 0xab, 0xcd, 0x92, 0x70, 0xb3, + 0x5e, 0x55, 0xf0, 0x37, 0x5b, 0xcb, 0x70, 0xf4, 0xb2, 0x18, 0xfa, 0x4f, 0x79, 0xa8, 0xaa, 0xb4, + 0x5f, 0xd0, 0x3a, 0x78, 0x38, 0x37, 0xcb, 0x77, 0x57, 0x9a, 0x3b, 0xf9, 0xa6, 0xaf, 0x1a, 0xe5, + 0x2f, 0x16, 0x46, 0xd9, 0x5c, 0x1d, 0x32, 0x7b, 0x92, 0x6d, 0x78, 0x69, 0x21, 0xfe, 0x6a, 0xed, + 0x9c, 0x1b, 0xf6, 0x7c, 0xf6, 0xb0, 0xeb, 0xff, 0x68, 0xb0, 0xb5, 0x94, 0x12, 0xf9, 0x00, 0xd6, + 0x67, 0x32, 0xc7, 0xf4, 0x52, 0x95, 0xad, 0x5b, 0x2a, 0xde, 0xfa, 0xfe, 0xac, 0x92, 0xce, 0xdb, + 0x92, 0x4f, 0xa0, 0x28, 0x96, 0x95, 0x62, 0x78, 0xd5, 0x95, 0x37, 0xa1, 0x56, 0x48, 0xa8, 0x44, + 0x98, 0xaf, 0xa4, 0x78, 0xcd, 0xb3, 0xbd, 0x03, 0x25, 0x0c, 0x43, 0x3f, 0x54, 0xf7, 0x6f, 0xc2, + 0x4d, 0x4b, 0x08, 0x69, 0xaa, 0xd3, 0x7f, 0xcb, 0xc3, 0x64, 0xa7, 0x92, 0xb7, 0xd3, 0xfd, 0x2c, + 0x8f, 0x66, 0x4a, 0xe8, 0xdc, 0xde, 0x15, 0x72, 0x3a, 0xb1, 0x20, 0xaf, 0x41, 0x21, 0x76, 0x7a, + 0xea, 0x16, 0x57, 0x67, 0x8e, 0x27, 0x15, 0x72, 0xa2, 0xc3, 0x5a, 0x3f, 0xf4, 0xe3, 0x40, 0x8c, + 0x81, 0x48, 0x14, 0x44, 0x47, 0x3f, 0x96, 0x12, 0xaa, 0x34, 0xe4, 0x18, 0x4a, 0x28, 0x6e, 0xa7, + 0xac, 0xa5, 0xda, 0xdc, 0x5b, 0x8d, 0x1a, 0x43, 0xde, 0xdb, 0x96, 0xc7, 0xc3, 0xd1, 0x4c, 0x55, + 0x42, 0x46, 0x53, 0xb8, 0xed, 0xae, 0xba, 0xc9, 0xd2, 0x86, 0x6c, 0x42, 0x61, 0x80, 0xa3, 0xb4, + 0x22, 0x2a, 0x7e, 0x92, 0x0f, 0xa1, 0x34, 0x14, 0xe7, 0x5a, 0xb5, 0x64, 0x37, 0x3b, 0xee, 0xf4, + 0xbc, 0xd3, 0xd4, 0xed, 0x41, 0xfe, 0xbe, 0x66, 0x59, 0x67, 0xe7, 0xf5, 0xdc, 0xb3, 0xf3, 0x7a, + 0xee, 0xf9, 0x79, 0x3d, 0xf7, 0x34, 0xa9, 0x6b, 0x67, 0x49, 0x5d, 0x7b, 0x96, 0xd4, 0xb5, 0xe7, + 0x49, 0x5d, 0xfb, 0x2b, 0xa9, 0x6b, 0x3f, 0xfc, 0x5d, 0xcf, 0x7d, 0x75, 0x3b, 0xeb, 0xcf, 0xe0, + 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0x0d, 0x9a, 0x38, 0x17, 0x44, 0x0a, 0x00, 0x00, } func (m *BoundObjectReference) Marshal() (dAtA []byte, err error) { @@ -451,6 +512,82 @@ func (m ExtraValue) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *SelfSubjectReview) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SelfSubjectReview) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SelfSubjectReview) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.Status.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + { + size, err := m.ObjectMeta.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + +func (m *SelfSubjectReviewStatus) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SelfSubjectReviewStatus) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SelfSubjectReviewStatus) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + { + size, err := m.UserInfo.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintGenerated(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0xa + return len(dAtA) - i, nil +} + func (m *TokenRequest) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) @@ -850,6 +987,30 @@ func (m ExtraValue) Size() (n int) { return n } +func (m *SelfSubjectReview) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.ObjectMeta.Size() + n += 1 + l + sovGenerated(uint64(l)) + l = m.Status.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + +func (m *SelfSubjectReviewStatus) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = m.UserInfo.Size() + n += 1 + l + sovGenerated(uint64(l)) + return n +} + func (m *TokenRequest) Size() (n int) { if m == nil { return 0 @@ -999,6 +1160,27 @@ func (this *BoundObjectReference) String() string { }, "") return s } +func (this *SelfSubjectReview) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectReview{`, + `ObjectMeta:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.ObjectMeta), "ObjectMeta", "v1.ObjectMeta", 1), `&`, ``, 1) + `,`, + `Status:` + strings.Replace(strings.Replace(this.Status.String(), "SelfSubjectReviewStatus", "SelfSubjectReviewStatus", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} +func (this *SelfSubjectReviewStatus) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SelfSubjectReviewStatus{`, + `UserInfo:` + strings.Replace(strings.Replace(this.UserInfo.String(), "UserInfo", "UserInfo", 1), `&`, ``, 1) + `,`, + `}`, + }, "") + return s +} func (this *TokenRequest) String() string { if this == nil { return "nil" @@ -1361,6 +1543,205 @@ func (m *ExtraValue) Unmarshal(dAtA []byte) error { } return nil } +func (m *SelfSubjectReview) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectReview: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectReview: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ObjectMeta", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.ObjectMeta.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Status", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.Status.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *SelfSubjectReviewStatus) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SelfSubjectReviewStatus: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SelfSubjectReviewStatus: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field UserInfo", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGenerated + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGenerated + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthGenerated + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if err := m.UserInfo.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGenerated(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthGenerated + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func (m *TokenRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 diff --git a/staging/src/k8s.io/api/authentication/v1/generated.proto b/staging/src/k8s.io/api/authentication/v1/generated.proto index f4806a3c636..1632070c872 100644 --- a/staging/src/k8s.io/api/authentication/v1/generated.proto +++ b/staging/src/k8s.io/api/authentication/v1/generated.proto @@ -56,6 +56,26 @@ message ExtraValue { repeated string items = 1; } +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. +// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +message SelfSubjectReview { + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; + + // Status is filled in by the server with the user attributes. + optional SelfSubjectReviewStatus status = 2; +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +message SelfSubjectReviewStatus { + // User attributes of the user making this request. + // +optional + optional UserInfo userInfo = 1; +} + // TokenRequest requests a token for a given service account. message TokenRequest { // Standard object's metadata. diff --git a/staging/src/k8s.io/api/authentication/v1/register.go b/staging/src/k8s.io/api/authentication/v1/register.go index c522e4a46d7..6a32b5926b3 100644 --- a/staging/src/k8s.io/api/authentication/v1/register.go +++ b/staging/src/k8s.io/api/authentication/v1/register.go @@ -46,6 +46,7 @@ func addKnownTypes(scheme *runtime.Scheme) error { scheme.AddKnownTypes(SchemeGroupVersion, &TokenReview{}, &TokenRequest{}, + &SelfSubjectReview{}, ) metav1.AddToGroupVersion(scheme, SchemeGroupVersion) return nil diff --git a/staging/src/k8s.io/api/authentication/v1/types.go b/staging/src/k8s.io/api/authentication/v1/types.go index 4e221e58c7d..b498007c000 100644 --- a/staging/src/k8s.io/api/authentication/v1/types.go +++ b/staging/src/k8s.io/api/authentication/v1/types.go @@ -197,3 +197,28 @@ type BoundObjectReference struct { // +optional UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uID,casttype=k8s.io/apimachinery/pkg/types.UID"` } + +// +genclient +// +genclient:nonNamespaced +// +genclient:onlyVerbs=create +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. +// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or +// request header authentication is used, any extra keys will have their case ignored and returned as lowercase. +type SelfSubjectReview struct { + metav1.TypeMeta `json:",inline"` + // Standard object's metadata. + // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + // Status is filled in by the server with the user attributes. + Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"` +} + +// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. +type SelfSubjectReviewStatus struct { + // User attributes of the user making this request. + // +optional + UserInfo UserInfo `json:"userInfo,omitempty" protobuf:"bytes,1,opt,name=userInfo"` +} diff --git a/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go index b1a730b816e..ebfd4852c05 100644 --- a/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go +++ b/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go @@ -39,6 +39,25 @@ func (BoundObjectReference) SwaggerDoc() map[string]string { return map_BoundObjectReference } +var map_SelfSubjectReview = map[string]string{ + "": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "status": "Status is filled in by the server with the user attributes.", +} + +func (SelfSubjectReview) SwaggerDoc() map[string]string { + return map_SelfSubjectReview +} + +var map_SelfSubjectReviewStatus = map[string]string{ + "": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "userInfo": "User attributes of the user making this request.", +} + +func (SelfSubjectReviewStatus) SwaggerDoc() map[string]string { + return map_SelfSubjectReviewStatus +} + var map_TokenRequest = map[string]string{ "": "TokenRequest requests a token for a given service account.", "metadata": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", diff --git a/staging/src/k8s.io/api/authentication/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/api/authentication/v1/zz_generated.deepcopy.go index 2af533191ba..369c89b8631 100644 --- a/staging/src/k8s.io/api/authentication/v1/zz_generated.deepcopy.go +++ b/staging/src/k8s.io/api/authentication/v1/zz_generated.deepcopy.go @@ -61,6 +61,50 @@ func (in ExtraValue) DeepCopy() ExtraValue { return *out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectReview) DeepCopyInto(out *SelfSubjectReview) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReview. +func (in *SelfSubjectReview) DeepCopy() *SelfSubjectReview { + if in == nil { + return nil + } + out := new(SelfSubjectReview) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SelfSubjectReview) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SelfSubjectReviewStatus) DeepCopyInto(out *SelfSubjectReviewStatus) { + *out = *in + in.UserInfo.DeepCopyInto(&out.UserInfo) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfSubjectReviewStatus. +func (in *SelfSubjectReviewStatus) DeepCopy() *SelfSubjectReviewStatus { + if in == nil { + return nil + } + out := new(SelfSubjectReviewStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TokenRequest) DeepCopyInto(out *TokenRequest) { *out = *in diff --git a/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.json b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.json new file mode 100644 index 00000000000..47162943843 --- /dev/null +++ b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.json @@ -0,0 +1,60 @@ +{ + "kind": "SelfSubjectReview", + "apiVersion": "authentication.k8s.io/v1", + "metadata": { + "name": "nameValue", + "generateName": "generateNameValue", + "namespace": "namespaceValue", + "selfLink": "selfLinkValue", + "uid": "uidValue", + "resourceVersion": "resourceVersionValue", + "generation": 7, + "creationTimestamp": "2008-01-01T01:01:01Z", + "deletionTimestamp": "2009-01-01T01:01:01Z", + "deletionGracePeriodSeconds": 10, + "labels": { + "labelsKey": "labelsValue" + }, + "annotations": { + "annotationsKey": "annotationsValue" + }, + "ownerReferences": [ + { + "apiVersion": "apiVersionValue", + "kind": "kindValue", + "name": "nameValue", + "uid": "uidValue", + "controller": true, + "blockOwnerDeletion": true + } + ], + "finalizers": [ + "finalizersValue" + ], + "managedFields": [ + { + "manager": "managerValue", + "operation": "operationValue", + "apiVersion": "apiVersionValue", + "time": "2004-01-01T01:01:01Z", + "fieldsType": "fieldsTypeValue", + "fieldsV1": {}, + "subresource": "subresourceValue" + } + ] + }, + "status": { + "userInfo": { + "username": "usernameValue", + "uid": "uidValue", + "groups": [ + "groupsValue" + ], + "extra": { + "extraKey": [ + "extraValue" + ] + } + } + } +} \ No newline at end of file diff --git a/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.pb b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.pb new file mode 100644 index 00000000000..fc4df485686 Binary files /dev/null and b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.pb differ diff --git a/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.yaml b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.yaml new file mode 100644 index 00000000000..4468f4062b3 --- /dev/null +++ b/staging/src/k8s.io/api/testdata/HEAD/authentication.k8s.io.v1.SelfSubjectReview.yaml @@ -0,0 +1,43 @@ +apiVersion: authentication.k8s.io/v1 +kind: SelfSubjectReview +metadata: + annotations: + annotationsKey: annotationsValue + creationTimestamp: "2008-01-01T01:01:01Z" + deletionGracePeriodSeconds: 10 + deletionTimestamp: "2009-01-01T01:01:01Z" + finalizers: + - finalizersValue + generateName: generateNameValue + generation: 7 + labels: + labelsKey: labelsValue + managedFields: + - apiVersion: apiVersionValue + fieldsType: fieldsTypeValue + fieldsV1: {} + manager: managerValue + operation: operationValue + subresource: subresourceValue + time: "2004-01-01T01:01:01Z" + name: nameValue + namespace: namespaceValue + ownerReferences: + - apiVersion: apiVersionValue + blockOwnerDeletion: true + controller: true + kind: kindValue + name: nameValue + uid: uidValue + resourceVersion: resourceVersionValue + selfLink: selfLinkValue + uid: uidValue +status: + userInfo: + extra: + extraKey: + - extraValue + groups: + - groupsValue + uid: uidValue + username: usernameValue diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go index aea9d0e133e..81be8b2e046 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/authentication_client.go @@ -28,6 +28,7 @@ import ( type AuthenticationV1Interface interface { RESTClient() rest.Interface + SelfSubjectReviewsGetter TokenReviewsGetter } @@ -36,6 +37,10 @@ type AuthenticationV1Client struct { restClient rest.Interface } +func (c *AuthenticationV1Client) SelfSubjectReviews() SelfSubjectReviewInterface { + return newSelfSubjectReviews(c) +} + func (c *AuthenticationV1Client) TokenReviews() TokenReviewInterface { return newTokenReviews(c) } diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_authentication_client.go b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_authentication_client.go index ee06a6cdd6c..865239ff645 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_authentication_client.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_authentication_client.go @@ -28,6 +28,10 @@ type FakeAuthenticationV1 struct { *testing.Fake } +func (c *FakeAuthenticationV1) SelfSubjectReviews() v1.SelfSubjectReviewInterface { + return &FakeSelfSubjectReviews{c} +} + func (c *FakeAuthenticationV1) TokenReviews() v1.TokenReviewInterface { return &FakeTokenReviews{c} } diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_selfsubjectreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_selfsubjectreview.go new file mode 100644 index 00000000000..e683b3eaaa0 --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/fake/fake_selfsubjectreview.go @@ -0,0 +1,46 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package fake + +import ( + "context" + + v1 "k8s.io/api/authentication/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + testing "k8s.io/client-go/testing" +) + +// FakeSelfSubjectReviews implements SelfSubjectReviewInterface +type FakeSelfSubjectReviews struct { + Fake *FakeAuthenticationV1 +} + +var selfsubjectreviewsResource = v1.SchemeGroupVersion.WithResource("selfsubjectreviews") + +var selfsubjectreviewsKind = v1.SchemeGroupVersion.WithKind("SelfSubjectReview") + +// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any. +func (c *FakeSelfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (result *v1.SelfSubjectReview, err error) { + obj, err := c.Fake. + Invokes(testing.NewRootCreateAction(selfsubjectreviewsResource, selfSubjectReview), &v1.SelfSubjectReview{}) + if obj == nil { + return nil, err + } + return obj.(*v1.SelfSubjectReview), err +} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go index 0413fb2b665..35f2c22b4f1 100644 --- a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/generated_expansion.go @@ -18,4 +18,6 @@ limitations under the License. package v1 +type SelfSubjectReviewExpansion interface{} + type TokenReviewExpansion interface{} diff --git a/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/selfsubjectreview.go b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/selfsubjectreview.go new file mode 100644 index 00000000000..bfb9603d672 --- /dev/null +++ b/staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1/selfsubjectreview.go @@ -0,0 +1,64 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by client-gen. DO NOT EDIT. + +package v1 + +import ( + "context" + + v1 "k8s.io/api/authentication/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + scheme "k8s.io/client-go/kubernetes/scheme" + rest "k8s.io/client-go/rest" +) + +// SelfSubjectReviewsGetter has a method to return a SelfSubjectReviewInterface. +// A group's client should implement this interface. +type SelfSubjectReviewsGetter interface { + SelfSubjectReviews() SelfSubjectReviewInterface +} + +// SelfSubjectReviewInterface has methods to work with SelfSubjectReview resources. +type SelfSubjectReviewInterface interface { + Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (*v1.SelfSubjectReview, error) + SelfSubjectReviewExpansion +} + +// selfSubjectReviews implements SelfSubjectReviewInterface +type selfSubjectReviews struct { + client rest.Interface +} + +// newSelfSubjectReviews returns a SelfSubjectReviews +func newSelfSubjectReviews(c *AuthenticationV1Client) *selfSubjectReviews { + return &selfSubjectReviews{ + client: c.RESTClient(), + } +} + +// Create takes the representation of a selfSubjectReview and creates it. Returns the server's representation of the selfSubjectReview, and an error, if there is any. +func (c *selfSubjectReviews) Create(ctx context.Context, selfSubjectReview *v1.SelfSubjectReview, opts metav1.CreateOptions) (result *v1.SelfSubjectReview, err error) { + result = &v1.SelfSubjectReview{} + err = c.client.Post(). + Resource("selfsubjectreviews"). + VersionedParams(&opts, scheme.ParameterCodec). + Body(selfSubjectReview). + Do(ctx). + Into(result) + return +} diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go index 76f27ae6c91..55e4a5c62d9 100644 --- a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go +++ b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go @@ -32,6 +32,7 @@ import ( "k8s.io/cli-runtime/pkg/genericclioptions" "k8s.io/cli-runtime/pkg/genericiooptions" "k8s.io/cli-runtime/pkg/printers" + authenticationv1client "k8s.io/client-go/kubernetes/typed/authentication/v1" authenticationv1alpha1client "k8s.io/client-go/kubernetes/typed/authentication/v1alpha1" authenticationv1beta1client "k8s.io/client-go/kubernetes/typed/authentication/v1beta1" cmdutil "k8s.io/kubectl/pkg/cmd/util" @@ -85,6 +86,11 @@ func (flags *WhoAmIFlags) ToOptions(ctx context.Context, args []string) (*WhoAmI return nil, err } + w.authV1Client, err = authenticationv1client.NewForConfig(clientConfig) + if err != nil { + return nil, err + } + if !flags.PrintFlags.OutputFlagSpecified() { w.resourcePrinterFunc = printTableSelfSubjectAccessReview } else { @@ -103,6 +109,7 @@ func (flags *WhoAmIFlags) ToOptions(ctx context.Context, args []string) (*WhoAmI type WhoAmIOptions struct { authV1alpha1Client authenticationv1alpha1client.AuthenticationV1alpha1Interface authV1beta1Client authenticationv1beta1client.AuthenticationV1beta1Interface + authV1Client authenticationv1client.AuthenticationV1Interface ctx context.Context @@ -166,14 +173,20 @@ func (o WhoAmIOptions) Run() error { err error ) - res, err = o.authV1beta1Client. + res, err = o.authV1Client. SelfSubjectReviews(). - Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{}) + Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{}) if err != nil && errors.IsNotFound(err) { - // Fallback to Alpha API if Beta is not enabled - res, err = o.authV1alpha1Client. + // Fallback to Beta API if Beta is not enabled + res, err = o.authV1beta1Client. SelfSubjectReviews(). - Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{}) + Create(context.TODO(), &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{}) + if err != nil && errors.IsNotFound(err) { + // Fallback to Alpha API if Beta is not enabled + res, err = o.authV1alpha1Client. + SelfSubjectReviews(). + Create(context.TODO(), &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{}) + } } if err != nil { switch { @@ -194,6 +207,8 @@ func getUserInfo(obj runtime.Object) (authenticationv1.UserInfo, error) { return obj.(*authenticationv1alpha1.SelfSubjectReview).Status.UserInfo, nil case *authenticationv1beta1.SelfSubjectReview: return obj.(*authenticationv1beta1.SelfSubjectReview).Status.UserInfo, nil + case *authenticationv1.SelfSubjectReview: + return obj.(*authenticationv1.SelfSubjectReview).Status.UserInfo, nil default: return authenticationv1.UserInfo{}, fmt.Errorf("unexpected response type %T, expected SelfSubjectReview", obj) } diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go index 4bec703d90b..895fd903a71 100644 --- a/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go +++ b/staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami_test.go @@ -38,12 +38,13 @@ import ( func TestWhoAmIRun(t *testing.T) { tests := []struct { - name string - o *WhoAmIOptions - args []string - serverErr error - alphaDisabled bool - betaDisabled bool + name string + o *WhoAmIOptions + args []string + serverErr error + alphaDisabled bool + betaDisabled bool + stableDisabled bool expectedError error expectedBodyStrings []string @@ -73,7 +74,7 @@ func TestWhoAmIRun(t *testing.T) { expectedBodyStrings: []string{ `{ "kind": "SelfSubjectReview", - "apiVersion": "authentication.k8s.io/v1beta1", + "apiVersion": "authentication.k8s.io/v1", "metadata": { "creationTimestamp": null }, @@ -119,12 +120,13 @@ func TestWhoAmIRun(t *testing.T) { }, }, { - name: "JSON test no alpha", + name: "JSON test no alpha and stable", o: &WhoAmIOptions{ resourcePrinterFunc: printers.NewTypeSetter(scheme.Scheme).ToPrinter(&printers.JSONPrinter{}).PrintObj, }, - args: []string{}, - alphaDisabled: true, + args: []string{}, + alphaDisabled: true, + stableDisabled: true, expectedBodyStrings: []string{ `{ "kind": "SelfSubjectReview", @@ -183,7 +185,7 @@ func TestWhoAmIRun(t *testing.T) { expectedBodyStrings: []string{ `{ "kind": "SelfSubjectReview", - "apiVersion": "authentication.k8s.io/v1alpha1", + "apiVersion": "authentication.k8s.io/v1", "metadata": { "creationTimestamp": null }, @@ -212,14 +214,15 @@ func TestWhoAmIRun(t *testing.T) { }, }, { - name: "both API disabled", + name: "all API disabled", o: &WhoAmIOptions{ resourcePrinterFunc: printTableSelfSubjectAccessReview, }, - args: []string{}, - betaDisabled: true, - alphaDisabled: true, - expectedError: notEnabledErr, + args: []string{}, + betaDisabled: true, + alphaDisabled: true, + stableDisabled: true, + expectedError: notEnabledErr, }, { name: "Forbidden error", @@ -304,12 +307,23 @@ func TestWhoAmIRun(t *testing.T) { }, } return true, res, nil + case "authentication.k8s.io/v1": + if test.stableDisabled { + return true, nil, errors.NewNotFound(corev1.Resource("selfsubjectreviews"), "foo") + } + res := &authenticationv1.SelfSubjectReview{ + Status: authenticationv1.SelfSubjectReviewStatus{ + UserInfo: ui, + }, + } + return true, res, nil default: return false, nil, fmt.Errorf("unknown API") } }) test.o.authV1beta1Client = fakeAuthClientSet.AuthenticationV1beta1() test.o.authV1alpha1Client = fakeAuthClientSet.AuthenticationV1alpha1() + test.o.authV1Client = fakeAuthClientSet.AuthenticationV1() err := test.o.Run() switch { diff --git a/test/cmd/auth_whoami.sh b/test/cmd/auth_whoami.sh new file mode 100755 index 00000000000..92006c89a77 --- /dev/null +++ b/test/cmd/auth_whoami.sh @@ -0,0 +1,35 @@ +#!/usr/bin/env bash + +# Copyright 2023 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +run_kubectl_auth_whoami_tests() { + set -o nounset + set -o errexit + + kube::log::status "Testing kubectl auth whoami" + + # Command + output_message=$(kubectl auth whoami -o json 2>&1) + + # Post-condition: should return user attributes. + kube::test::if_has_string "${output_message}" '"kind": "SelfSubjectReview"' + + set +o nounset + set +o errexit +} diff --git a/test/cmd/legacy-script.sh b/test/cmd/legacy-script.sh index 38d6e0a4c40..f538037b3f9 100755 --- a/test/cmd/legacy-script.sh +++ b/test/cmd/legacy-script.sh @@ -29,6 +29,7 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../.. # source "${KUBE_ROOT}/hack/lib/test.sh" source "${KUBE_ROOT}/test/cmd/apply.sh" source "${KUBE_ROOT}/test/cmd/apps.sh" +source "${KUBE_ROOT}/test/cmd/auth_whoami.sh" source "${KUBE_ROOT}/test/cmd/authentication.sh" source "${KUBE_ROOT}/test/cmd/authorization.sh" source "${KUBE_ROOT}/test/cmd/batch.sh" @@ -98,6 +99,7 @@ replicasets="replicasets" replicationcontrollers="replicationcontrollers" roles="roles" secrets="secrets" +selfsubjectreviews="selfsubjectreviews" serviceaccounts="serviceaccounts" services="services" statefulsets="statefulsets" @@ -816,6 +818,10 @@ runTests() { record_command run_exec_credentials_tests record_command run_exec_credentials_interactive_tests + if kube::test::if_supports_resource "${selfsubjectreviews}" ; then + record_command run_kubectl_auth_whoami_tests + fi + ######################## # authorization.k8s.io # ######################## @@ -895,6 +901,8 @@ runTests() { kubectl delete "${kube_flags[@]}" rolebindings,role,clusterroles,clusterrolebindings -n some-other-random -l test-cmd=auth fi + + ##################### # Retrieve multiple # ##################### diff --git a/test/conformance/testdata/ineligible_endpoints.yaml b/test/conformance/testdata/ineligible_endpoints.yaml index 1bbf3c2256d..d35bfbe50b6 100644 --- a/test/conformance/testdata/ineligible_endpoints.yaml +++ b/test/conformance/testdata/ineligible_endpoints.yaml @@ -246,13 +246,13 @@ link: https://github.com/kubernetes/kubernetes/issues/109379 - endpoint: deleteCoreV1CollectionNode reason: Kubernetes distribution would reasonably not allow this action via the API - link: https://github.com/kubernetes/kubernetes/issues/109379 + link: https://github.com/kubernetes/kubernetes/issues/109379 - endpoint: createCoreV1NamespacedBinding reason: Endpoint was deprecated in 1.7 - link: https://github.com/kubernetes/kubernetes/pull/47041 + link: https://github.com/kubernetes/kubernetes/pull/47041 - endpoint: createAuthorizationV1SelfSubjectRulesReview reason: Endpoint likely to be deprecated - link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626 + link: https://github.com/kubernetes/kubernetes/issues/112657#issuecomment-1265441626 - endpoint: connectCoreV1GetNamespacedPodPortforward reason: Explicitly designed to be a debug feature link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711 @@ -262,3 +262,6 @@ - endpoint: connectCoreV1PostNamespacedPodAttach reason: Explicitly designed to be a debug feature link: https://github.com/kubernetes/kubernetes/issues/112778#issuecomment-1427995711 +- endpoint: createAuthenticationV1SelfSubjectReview + reason: Cluster providers are allowed to choose to not serve this API, and the whoami command handles unavailability gracefully. + link: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3325-self-subject-attributes-review-api/README.md#ga diff --git a/test/e2e/auth/selfsubjectreviews.go b/test/e2e/auth/selfsubjectreviews.go index 1866e80257a..993e7304406 100644 --- a/test/e2e/auth/selfsubjectreviews.go +++ b/test/e2e/auth/selfsubjectreviews.go @@ -22,8 +22,10 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/onsi/gomega" + authenticationv1 "k8s.io/api/authentication/v1" authenticationv1alpha1 "k8s.io/api/authentication/v1alpha1" authenticationv1beta1 "k8s.io/api/authentication/v1beta1" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/rest" @@ -31,19 +33,21 @@ import ( admissionapi "k8s.io/pod-security-admission/api" ) -var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() { +var _ = SIGDescribe("SelfSubjectReview", func() { f := framework.NewDefaultFramework("selfsubjectreviews") f.NamespacePodSecurityEnforceLevel = admissionapi.LevelPrivileged /* - Release: v1.27 + Release: v1.28 Testname: SelfSubjectReview API Description: The authentication.k8s.io API group MUST exist in the /apis discovery document. The authentication.k8s.io/v1alpha1 API group/version MUST exist in the /apis/mode.k8s.io discovery document. The authentication.k8s.io/v1beta1 API group/version MUST exist in the /apis/mode.k8s.io discovery document. + The authentication.k8s.io/v1 API group/version MUST exist in the /apis/mode.k8s.io discovery document. The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1alpha1 discovery document. The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1beta1 discovery document. + The selfsubjectreviews resource MUST exist in the /apis/authentication.k8s.io/v1 discovery document. The selfsubjectreviews resource MUST support create. */ ginkgo.DescribeTable( @@ -105,6 +109,7 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() { }, ginkgo.Entry("authentication/v1alpha1", "v1alpha1", authenticationv1alpha1.SchemeGroupVersion.String()), ginkgo.Entry("authentication/v1beta1", "v1beta1", authenticationv1beta1.SchemeGroupVersion.String()), + ginkgo.Entry("authentication/v1", "v1", authenticationv1.SchemeGroupVersion.String()), ) ginkgo.It("should support SelfSubjectReview API operations", func(ctx context.Context) { @@ -116,8 +121,11 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() { ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1alpha1().SelfSubjectReviews() res, err := ssrClient.Create(ctx, &authenticationv1alpha1.SelfSubjectReview{}, metav1.CreateOptions{}) - framework.ExpectNoError(err) + if apierrors.IsNotFound(err) { + return // Alpha API is disabled + } + framework.ExpectNoError(err) gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username)) gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID)) gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups)) @@ -136,6 +144,29 @@ var _ = SIGDescribe("SelfSubjectReview [Feature:APISelfSubjectReview]", func() { ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1beta1().SelfSubjectReviews() res, err := ssrClient.Create(ctx, &authenticationv1beta1.SelfSubjectReview{}, metav1.CreateOptions{}) + if apierrors.IsNotFound(err) { + return // Beta API is disabled + } + + framework.ExpectNoError(err) + gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username)) + gomega.Expect(config.Impersonate.UID).To(gomega.Equal(res.Status.UserInfo.UID)) + gomega.Expect(config.Impersonate.Groups).To(gomega.Equal(res.Status.UserInfo.Groups)) + + extra := make(map[string][]string, len(res.Status.UserInfo.Extra)) + for k, v := range res.Status.UserInfo.Extra { + extra[k] = v + } + + gomega.Expect(config.Impersonate.Extra).To(gomega.Equal(extra)) + } + + ginkgo.By("creating SSR authentication/v1") + { + config := restConfig(f) + + ssrClient := kubernetes.NewForConfigOrDie(config).AuthenticationV1().SelfSubjectReviews() + res, err := ssrClient.Create(ctx, &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{}) framework.ExpectNoError(err) gomega.Expect(config.Impersonate.UserName).To(gomega.Equal(res.Status.UserInfo.Username)) diff --git a/test/integration/apiserver/admissionwebhook/admission_test.go b/test/integration/apiserver/admissionwebhook/admission_test.go index bbf5445c3e9..3a2768a65bd 100644 --- a/test/integration/apiserver/admissionwebhook/admission_test.go +++ b/test/integration/apiserver/admissionwebhook/admission_test.go @@ -158,6 +158,7 @@ var ( gvr("authentication.k8s.io", "v1beta1", "tokenreviews"): `{"metadata": {"name": "tokenreview"}, "spec": {"token": "token", "audience": ["audience1","audience2"]}}`, gvr("authentication.k8s.io", "v1alpha1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`, gvr("authentication.k8s.io", "v1beta1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`, + gvr("authentication.k8s.io", "v1", "selfsubjectreviews"): `{"metadata": {"name": "SelfSubjectReview"},"status":{"userInfo":{}}}`, gvr("authorization.k8s.io", "v1", "localsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":"` + testNamespace + `"}, "spec": {"uid": "token", "user": "user1","groups": ["group1","group2"],"resourceAttributes": {"name":"name1","namespace":"` + testNamespace + `"}}}`, gvr("authorization.k8s.io", "v1", "subjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"user":"user1","resourceAttributes": {"name":"name1", "namespace":"` + testNamespace + `"}}}`, gvr("authorization.k8s.io", "v1", "selfsubjectaccessreviews"): `{"metadata": {"name": "", "namespace":""}, "spec": {"resourceAttributes": {"name":"name1", "namespace":""}}}`, diff --git a/test/integration/auth/selfsubjectreview_test.go b/test/integration/auth/selfsubjectreview_test.go index 8a16780fbba..5d81ba80347 100644 --- a/test/integration/auth/selfsubjectreview_test.go +++ b/test/integration/auth/selfsubjectreview_test.go @@ -99,6 +99,7 @@ func TestGetsSelfAttributes(t *testing.T) { ModifyServerRunOptions: func(opts *options.ServerRunOptions) { opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true") + opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true") opts.Authorization.Modes = []string{"AlwaysAllow"} }, ModifyServerConfig: func(config *controlplane.Config) { @@ -172,6 +173,33 @@ func TestGetsSelfAttributes(t *testing.T) { if !reflect.DeepEqual(res2.Status.UserInfo.Extra, tc.expectedExtra) { t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra) } + + res3, err := kubeClient.AuthenticationV1(). + SelfSubjectReviews(). + Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{}) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + + if res3 == nil { + t.Fatalf("empty response") + } + + if res3.Status.UserInfo.Username != tc.expectedName { + t.Fatalf("unexpected username: wanted %s, got %s", tc.expectedName, res.Status.UserInfo.Username) + } + + if res3.Status.UserInfo.UID != tc.expectedUID { + t.Fatalf("unexpected uid: wanted %s, got %s", tc.expectedUID, res.Status.UserInfo.UID) + } + + if !reflect.DeepEqual(res3.Status.UserInfo.Groups, tc.expectedGroups) { + t.Fatalf("unexpected groups: wanted %v, got %v", tc.expectedGroups, res.Status.UserInfo.Groups) + } + + if !reflect.DeepEqual(res3.Status.UserInfo.Extra, tc.expectedExtra) { + t.Fatalf("unexpected extra: wanted %v, got %v", tc.expectedExtra, res.Status.UserInfo.Extra) + } }) } @@ -187,6 +215,7 @@ func TestGetsSelfAttributesError(t *testing.T) { ModifyServerRunOptions: func(opts *options.ServerRunOptions) { opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1alpha1=true") opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1beta1=true") + opts.APIEnablement.RuntimeConfig.Set("authentication.k8s.io/v1=true") opts.Authorization.Modes = []string{"AlwaysAllow"} }, ModifyServerConfig: func(config *controlplane.Config) { @@ -240,4 +269,20 @@ func TestGetsSelfAttributesError(t *testing.T) { t.Fatalf("expected error: %v, got %v", expected, err) } } + + { // v1 + toggle.Store(!toggle.Load().(bool)) + + _, err := kubeClient.AuthenticationV1(). + SelfSubjectReviews(). + Create(context.TODO(), &authenticationv1.SelfSubjectReview{}, metav1.CreateOptions{}) + if err == nil { + t.Fatalf("expected error: %v, got nil", err) + } + + toggle.Store(!toggle.Load().(bool)) + if expected.Error() != err.Error() { + t.Fatalf("expected error: %v, got %v", expected, err) + } + } }