From 94f2d3516446d84e893d2faa8e435798aec00518 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Fri, 17 Mar 2023 11:06:30 -0400
Subject: [PATCH] Wire bootstrap token authn secret lister only when it is enabled

Signed-off-by: Monis Khan
---
 pkg/kubeapiserver/authenticator/config.go | 9 ++++-----
 pkg/kubeapiserver/options/authentication.go | 8 +++++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index a08d0ee38ca..4e36040be8e 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -142,12 +142,11 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
 }
 tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
 }
- if config.BootstrapToken {
- if config.BootstrapTokenAuthenticator != nil {
- // TODO: This can sometimes be nil because of
- tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))
- }
+
+ if config.BootstrapToken && config.BootstrapTokenAuthenticator != nil {
+ tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))
 }
+
 // NOTE(ericchiang): Keep the OpenID Connect after Service Accounts.
 //
 // Because both plugins verify JWTs whichever comes first in the union experiences
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index cb5b586ce5e..ed272775503 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
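Review bot: The new guard `if config.BootstrapToken && config.BootstrapTokenAuthenticator != nil` silently omits the bootstrap token authenticator when the flag is enabled but no authenticator was supplied, and it also drops the old TODO that at least recorded this as a known gap. After this commit the options path constructs the authenticator exactly when BootstrapToken is set, so a nil authenticator with the flag on now indicates a misconfigured caller of Config.New() rather than an expected state, and is better rejected at startup than discovered when bootstrap tokens stop authenticating. The omission fails closed (bootstrap tokens are simply rejected), so this is not an authentication bypass, but an authenticator that is enabled and then silently disabled is a misconfiguration an operator should see; if other callers legitimately build Config without an authenticator, keep the guard but document it with `// BootstrapTokenAuthenticator may be nil for callers that bypass BuiltInAuthenticationOptions.ApplyTo; bootstrap tokens are then rejected.` New() starts before and continues after this hunk.
```go
	if config.BootstrapToken {
		if config.BootstrapTokenAuthenticator == nil {
			// Fail at startup rather than silently running without an enabled authenticator.
			return nil, nil, fmt.Errorf("bootstrap token authentication is enabled but no bootstrap token authenticator was configured")
		}
		tokenAuthenticators = append(tokenAuthenticators, authenticator.WrapAudienceAgnosticToken(config.APIAudiences, config.BootstrapTokenAuthenticator))
	}
	// … unchanged: OIDC and remaining token authenticators …
```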
@@ -485,9 +485,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(authInfo *genericapiserver.Authen
 )
 authenticatorConfig.SecretsWriter = extclient.CoreV1()
- authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
- versionedInformer.Core().V1().Secrets().Lister().Secrets(metav1.NamespaceSystem),
- )
+ if authenticatorConfig.BootstrapToken {
+ authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
+ versionedInformer.Core().V1().Secrets().Lister().Secrets(metav1.NamespaceSystem),
+ )
+ }
 if egressSelector != nil {
 egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())