From f94bc6193e1e299b1cb258b59504fab81cf8da1c Mon Sep 17 00:00:00 2001
From: Mike Danese
Date: Fri, 26 Oct 2018 15:29:55 -0700
Subject: [PATCH] echo audiences in anonymous and insecure authenticators part of https://github.com/kubernetes/kubernetes/issues/69893
---
 .../apiserver/pkg/authentication/request/anonymous/BUILD | 1 +
 .../pkg/authentication/request/anonymous/anonymous.go | 3 +++
 .../pkg/authentication/request/anonymous/anonymous_test.go | 3 ++-
 .../k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go | 3 +++
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
index 329b92ecc52..b78435554cb 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
@@ -25,6 +25,7 @@ go_library(
 deps = [
 "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
 ],
 )
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
index 651832fd3f7..76ff130227a 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
@@ -21,6 +21,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/endpoints/request"
 )
 const (
@@ -31,11 +32,13 @@ const (
 func NewAuthenticator() authenticator.Request {
 return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+ auds, _ := request.AudiencesFrom(req.Context())
 return &authenticator.Response{
 User: &user.DefaultInfo{
 Name: anonymousUser,
 Groups: []string{unauthenticatedGroup},
 },
+ Audiences: auds,
 }, true, nil
 })
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
index 7b27ff20e1b..494ab60974c 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package anonymous
 import (
+ "net/http"
 "testing"
 "k8s.io/apimachinery/pkg/util/sets"
@@ -26,7 +27,7 @@ import (
 func TestAnonymous(t *testing.T) {
 var a authenticator.Request = NewAuthenticator()
- r, ok, err := a.AuthenticateRequest(nil)
+ r, ok, err := a.AuthenticateRequest(&http.Request{})
 if err != nil {
 t.Fatalf("Unexpected error %v", err)
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
index 43fff06ec03..cf84988a7e0 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
@@ -25,6 +25,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/endpoints/request"
 "k8s.io/client-go/rest"
 )
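Review bot: The added `req.Context()` call at the top of the closure in NewAuthenticator dereferences `req`, so a nil request now panics where the anonymous authenticator previously ignored its argument; the test in this commit had to move from `nil` to `&http.Request{}` for that reason. The same line is added to `InsecureSuperuser.AuthenticateRequest` in deprecated_insecure_serving.go and carries the same change of contract. If nil is not a supported input, say so in a doc comment on `NewAuthenticator`, and explain the discarded second result next to the call, for example `// ok is ignored: with no audiences in the request context, none are echoed.`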
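Review bot: The updated call in TestAnonymous passes an empty `&http.Request{}`, so no audiences are ever placed in the context and the echo this commit adds is not asserted anywhere. Build the request with audiences attached, e.g. `req := (&http.Request{}).WithContext(request.WithAudiences(context.Background(), authenticator.Audiences{"example-aud"}))`, and compare `r.Audiences` with the same value; the audience string here is a constructed sample. TestAnonymous continues past the end of this hunk, so the new assertion would sit with the existing checks further down.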
@@ -79,10 +80,12 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 type InsecureSuperuser struct{}
 func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+ auds, _ := request.AudiencesFrom(req.Context())
 return &authenticator.Response{
 User: &user.DefaultInfo{
 Name: "system:unsecured",
 Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
 },
+ Audiences: auds,
 }, true, nil
 }
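Review bot: The audience echo on the insecure path has no test in this commit; the diffstat lists only anonymous_test.go. This authenticator accepts every request as `system:unsecured` in `user.SystemPrivilegedGroup`, so with `Audiences: auds` that privileged identity is reported as valid for whatever audiences the request context names. That looks intentional, but it should be recorded where the next reader will see it, e.g. above the added first line: `// Audience-agnostic: every request on the insecure port is authenticated, so the requested audiences are echoed back unchanged.`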