Merge pull request #70310 from mikedanese/trev10
echo audiences in anonymous and insecure authenticators
commit
952e7b07c6
@ -25,6 +25,7 @@ go_library(
|
|||||||
deps = [
|
deps = [
|
||||||
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||||
|
"//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -21,6 +21,7 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
"k8s.io/apiserver/pkg/endpoints/request"
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -31,11 +32,13 @@ const (
|
|||||||
|
|
||||||
func NewAuthenticator() authenticator.Request {
|
func NewAuthenticator() authenticator.Request {
|
||||||
return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
|
return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
|
||||||
|
auds, _ := request.AudiencesFrom(req.Context())
|
||||||
return &authenticator.Response{
|
return &authenticator.Response{
|
||||||
User: &user.DefaultInfo{
|
User: &user.DefaultInfo{
|
||||||
Name: anonymousUser,
|
Name: anonymousUser,
|
||||||
Groups: []string{unauthenticatedGroup},
|
Groups: []string{unauthenticatedGroup},
|
||||||
},
|
},
|
||||||
|
Audiences: auds,
|
||||||
}, true, nil
|
}, true, nil
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
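Review bot: `req.Context()` is now called on `req` with no nil check at the top of the `RequestFunc` closure in `NewAuthenticator`, so a nil request panics where the old body never touched `req`; the test in this commit changing `AuthenticateRequest(nil)` to `&http.Request{}` points at the same thing. If callers are guaranteed a non-nil request, say so in a doc comment on `NewAuthenticator`; otherwise guard it, e.g. `var auds authenticator.Audiences` followed by `if req != nil { auds, _ = request.AudiencesFrom(req.Context()) }`. The discarded second return also deserves a comment such as `// ok is ignored: no audiences in the context leaves auds nil`. The same two lines are added to `InsecureSuperuser.AuthenticateRequest` in the last file section, where the response carries `user.SystemPrivilegedGroup`, so a comment there stating that echoing the request's audiences is intentional would help the next auditor.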
|
@ -17,6 +17,7 @@ limitations under the License.
|
|||||||
package anonymous
|
package anonymous
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"net/http"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
@ -26,7 +27,7 @@ import (
|
|||||||
|
|
||||||
func TestAnonymous(t *testing.T) {
|
func TestAnonymous(t *testing.T) {
|
||||||
var a authenticator.Request = NewAuthenticator()
|
var a authenticator.Request = NewAuthenticator()
|
||||||
r, ok, err := a.AuthenticateRequest(nil)
|
r, ok, err := a.AuthenticateRequest(&http.Request{})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("Unexpected error %v", err)
|
t.Fatalf("Unexpected error %v", err)
|
||||||
}
|
}
|
||||||
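Review bot: Nothing visible in this hunk asserts the behaviour the commit adds: `TestAnonymous` now passes an empty `&http.Request{}`, whose context carries no audiences, so `r.Audiences` is presumably nil before and after the change. A case that builds the request with `(&http.Request{}).WithContext(request.WithAudiences(context.Background(), authenticator.Audiences{"example-aud"}))` (constructed value) and checks that `r.Audiences` matches would pin the echo. The rest of the test body lies outside the hunk, so this may already be covered there.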
|
@ -25,6 +25,7 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||||
"k8s.io/apiserver/pkg/authentication/user"
|
"k8s.io/apiserver/pkg/authentication/user"
|
||||||
|
"k8s.io/apiserver/pkg/endpoints/request"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -79,10 +80,12 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
|
|||||||
type InsecureSuperuser struct{}
|
type InsecureSuperuser struct{}
|
||||||
|
|
||||||
func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
|
func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
|
||||||
|
auds, _ := request.AudiencesFrom(req.Context())
|
||||||
return &authenticator.Response{
|
return &authenticator.Response{
|
||||||
User: &user.DefaultInfo{
|
User: &user.DefaultInfo{
|
||||||
Name: "system:unsecured",
|
Name: "system:unsecured",
|
||||||
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
|
Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
|
||||||
},
|
},
|
||||||
|
Audiences: auds,
|
||||||
}, true, nil
|
}, true, nil
|
||||||
}
|
}
|
||||||
|