github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-05 15:37:24 +00:00
Code Issues Projects Releases Wiki Activity

kube-apiserver: add a bootstrap token authenticator for TLS bootstrapping

Browse Source
This commit is contained in:
Eric Chiang
2017-02-16 14:40:55 -08:00
parent 7a06e41f93
commit a0df658b20
11 changed files with 526 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/kubeapiserver/options/authentication.go
View File

@@ -33,6 +33,7 @@ import (
type BuiltInAuthenticationOptions struct {
Anonymous *AnonymousAuthenticationOptions
AnyToken *AnyTokenAuthenticationOptions
BootstrapToken *BootstrapTokenAuthenticationOptions
ClientCert *genericoptions.ClientCertAuthenticationOptions
Keystone *KeystoneAuthenticationOptions
OIDC *OIDCAuthenticationOptions
@@ -51,6 +52,10 @@ type AnonymousAuthenticationOptions struct {
Allow bool
}
type BootstrapTokenAuthenticationOptions struct {
Allow bool
}
type KeystoneAuthenticationOptions struct {
URL string
CAFile string
@@ -90,6 +95,7 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
return s.
WithAnyonymous().
WithAnyToken().
WithBootstrapToken().
WithClientCert().
WithKeystone().
WithOIDC().
@@ -110,6 +116,11 @@ func (s *BuiltInAuthenticationOptions) WithAnyToken() *BuiltInAuthenticationOpti
return s
}
func (s *BuiltInAuthenticationOptions) WithBootstrapToken() *BuiltInAuthenticationOptions {
s.BootstrapToken = &BootstrapTokenAuthenticationOptions{}
return s
}
func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
return s
@@ -172,6 +183,12 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
if s.BootstrapToken != nil {
fs.BoolVar(&s.BootstrapToken.Allow, "experimental-bootstrap-token-auth", s.BootstrapToken.Allow, ""+
"Enable to allow secrets of type 'bootstrap.kubernetes.io/token' in the 'kube-system' "+
"namespace to be used for TLS bootstrapping authentication.")
}
if s.ClientCert != nil {
s.ClientCert.AddFlags(fs)
}
@@ -255,6 +272,10 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
ret.AnyToken = s.AnyToken.Allow
}
if s.BootstrapToken != nil {
ret.BootstrapToken = s.BootstrapToken.Allow
}
if s.ClientCert != nil {
ret.ClientCAFile = s.ClientCert.ClientCA
}