diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index 8eec41ba560..f7879f29a0f 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -524,7 +524,7 @@ func buildGenericConfig(
 }
 serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
- genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, sharedInformers)
+ genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, clientgoExternalClient, versionedInformers)
 if err != nil {
 lastErr = fmt.Errorf("invalid authentication config: %v", err)
 return
@@ -625,13 +625,13 @@ func BuildAdmissionPluginInitializers(
 }
 // BuildAuthenticator constructs the authenticator
-func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
+func BuildAuthenticator(s *options.ServerRunOptions, extclient clientgoclientset.Interface, versionedInformer clientgoinformers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
 authenticatorConfig := s.Authentication.ToAuthenticationConfig()
 if s.Authentication.ServiceAccounts.Lookup {
 authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
 }
 authenticatorConfig.BootstrapTokenAuthenticator = bootstrap.NewTokenAuthenticator(
- sharedInformers.Core().InternalVersion().Secrets().Lister().Secrets(v1.NamespaceSystem),
+ versionedInformer.Core().V1().Secrets().Lister().Secrets(v1.NamespaceSystem),
 )
 return authenticatorConfig.New()
diff --git a/plugin/pkg/auth/authenticator/token/bootstrap/BUILD b/plugin/pkg/auth/authenticator/token/bootstrap/BUILD
index 5ef48a9f56b..15f6da57969 100644
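Review bot: The parameter renamed in BuildAuthenticator is `versionedInformer` (singular) while the call site in buildGenericConfig passes `versionedInformers` and the previous name was `sharedInformers`; using `versionedInformers clientgoinformers.SharedInformerFactory` keeps the two sides consistent and stops the name reading as a single informer. The one-line doc comment `// BuildAuthenticator constructs the authenticator` should also record the new dependency, e.g. `// BuildAuthenticator constructs the authenticator; the bootstrap token authenticator reads kube-system secrets through versionedInformers' lister, so the factory must be started and synced before requests are served.` Presumably an unsynced cache makes bootstrap tokens look not-found until it fills, which cannot be confirmed from this hunk. buildGenericConfig begins and ends outside the first hunk, and BuildAuthenticator's closing brace is outside the second.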
--- a/plugin/pkg/auth/authenticator/token/bootstrap/BUILD
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/BUILD
@@ -11,7 +11,7 @@ go_test(
 srcs = ["bootstrap_test.go"],
 embed = [":go_default_library"],
 deps = [
- "//pkg/apis/core:go_default_library",
+ "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
@@ -26,12 +26,12 @@ go_library(
 srcs = ["bootstrap.go"],
 importpath = "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap",
 deps = [
- "//pkg/apis/core:go_default_library",
- "//pkg/client/listers/core/internalversion:go_default_library",
+ "//staging/src/k8s.io/api/core/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+ "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
 "//staging/src/k8s.io/cluster-bootstrap/token/api:go_default_library",
 "//staging/src/k8s.io/cluster-bootstrap/token/util:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
diff --git a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
index 163d758c452..93b4e1cddd8 100644
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go
@@ -29,14 +29,14 @@ import (
 "github.com/golang/glog"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
+ corev1listers "k8s.io/client-go/listers/core/v1"
 bootstrapapi "k8s.io/cluster-bootstrap/token/api"
 bootstraputil "k8s.io/cluster-bootstrap/token/util"
- api "k8s.io/kubernetes/pkg/apis/core"
- "k8s.io/kubernetes/pkg/client/listers/core/internalversion"
 )
 // TODO: A few methods in this package is copied from other sources. Either
@@ -46,13 +46,13 @@ import (
 // NewTokenAuthenticator initializes a bootstrap token authenticator.
 //
 // Lister is expected to be for the "kube-system" namespace.
-func NewTokenAuthenticator(lister internalversion.SecretNamespaceLister) *TokenAuthenticator {
+func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator {
 return &TokenAuthenticator{lister}
 }
 // TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
 type TokenAuthenticator struct {
- lister internalversion.SecretNamespaceLister
+ lister corev1listers.SecretNamespaceLister
 }
 // tokenErrorf prints a error message for a secret that has matched a bearer
@@ -60,7 +60,7 @@ type TokenAuthenticator struct {
 //
 // tokenErrorf(secret, "has invalid value for key %s", key)
 //
-func tokenErrorf(s *api.Secret, format string, i ...interface{}) {
+func tokenErrorf(s *corev1.Secret, format string, i ...interface{}) {
 format = fmt.Sprintf("Bootstrap secret %s/%s matching bearer token ", s.Namespace, s.Name) + format
 glog.V(3).Infof(format, i...)
 }
@@ -155,7 +155,7 @@ func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string
 }
 // Copied from k8s.io/cluster-bootstrap/token/api
-func getSecretString(secret *api.Secret, key string) string {
+func getSecretString(secret *corev1.Secret, key string) string {
 data, ok := secret.Data[key]
 if !ok {
 return ""
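Review bot: In the tokenErrorf hunk the secret's namespace and name are expanded with `fmt.Sprintf` and the result is then handed to `glog.V(3).Infof` as the format string, so any `%` sequence in those fields would be re-interpreted as a verb on the second pass; object names are validated by the API server, so this is a correctness smell rather than an exploitable path, but the expansion should happen once. Keeping the caller's literal as the format and prepending the secret arguments does that: `glog.V(3).Infof("Bootstrap secret %s/%s matching bearer token "+format, append([]interface{}{s.Namespace, s.Name}, i...)...)`, which replaces both lines of the body. The Secret type swap in the NewTokenAuthenticator, TokenAuthenticator and getSecretString hunks on this line needs no change; getSecretString's body continues outside its hunk.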
@@ -165,7 +165,7 @@ func getSecretString(secret *api.Secret, key string) string {
 }
 // Copied from k8s.io/cluster-bootstrap/token/api
-func isSecretExpired(secret *api.Secret) bool {
+func isSecretExpired(secret *corev1.Secret) bool {
 expiration := getSecretString(secret, bootstrapapi.BootstrapTokenExpirationKey)
 if len(expiration) > 0 {
 expTime, err2 := time.Parse(time.RFC3339, expiration)
@@ -205,7 +205,7 @@ func parseToken(s string) (string, string, error) {
 // getGroups loads and validates the bootstrapapi.BootstrapTokenExtraGroupsKey
 // key from the bootstrap token secret, returning a list of group names or an
 // error if any of the group names are invalid.
-func getGroups(secret *api.Secret) ([]string, error) {
+func getGroups(secret *corev1.Secret) ([]string, error) {
 // always include the default group
 groups := sets.NewString(bootstrapapi.BootstrapDefaultGroup)
diff --git a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
index ae408e8a9de..0613e1587a4 100644
--- a/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
+++ b/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go
@@ -21,24 +21,24 @@ import (
 "reflect"
 "testing"
+ corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/apiserver/pkg/authentication/user"
 bootstrapapi "k8s.io/cluster-bootstrap/token/api"
- api "k8s.io/kubernetes/pkg/apis/core"
 )
 type lister struct {
- secrets []*api.Secret
+ secrets []*corev1.Secret
 }
-func (l *lister) List(selector labels.Selector) (ret []*api.Secret, err error) {
+func (l *lister) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
 return l.secrets, nil
 }
-func (l *lister) Get(name string) (*api.Secret, error) {
+func (l *lister) Get(name string) (*corev1.Secret, error) {
 for _, s := range l.secrets {
 if s.Name == name {
 return s, nil
@@ -58,7 +58,7 @@ func TestTokenAuthenticator(t *testing.T) {
 tests := []struct {
 name string
- secrets []*api.Secret
+ secrets []*corev1.Secret
 token string
 wantNotFound bool
@@ -66,7 +66,7 @@ func TestTokenAuthenticator(t *testing.T) {
 }{
 {
 name: "valid token",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -87,7 +87,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "valid token with extra group",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -109,7 +109,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "invalid group",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -128,7 +128,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "invalid secret name",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: "bad-name",
@@ -146,7 +146,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "no usage",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -163,7 +163,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "wrong token",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -181,7 +181,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "deleted token",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -200,7 +200,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "expired token",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -219,7 +219,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "not expired token",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
@@ -241,7 +241,7 @@ func TestTokenAuthenticator(t *testing.T) {
 },
 {
 name: "token id wrong length",
- secrets: []*api.Secret{
+ secrets: []*corev1.Secret{
 {
 ObjectMeta: metav1.ObjectMeta{
 Name: bootstrapapi.BootstrapTokenSecretPrefix + "foo",
@@ -292,13 +292,13 @@ func TestTokenAuthenticator(t *testing.T) {
 func TestGetGroups(t *testing.T) {
 tests := []struct {
 name string
- secret *api.Secret
+ secret *corev1.Secret
 expectResult []string
 expectError bool
 }{
 {
 name: "not set",
- secret: &api.Secret{
+ secret: &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{Name: "test"},
 Data: map[string][]byte{},
 },
@@ -306,7 +306,7 @@ func TestGetGroups(t *testing.T) {
 },
 {
 name: "set to empty value",
- secret: &api.Secret{
+ secret: &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{Name: "test"},
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenExtraGroupsKey: []byte(""),
@@ -316,7 +316,7 @@ func TestGetGroups(t *testing.T) {
 },
 {
 name: "invalid prefix",
- secret: &api.Secret{
+ secret: &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{Name: "test"},
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("foo"),
@@ -326,7 +326,7 @@ func TestGetGroups(t *testing.T) {
 },
 {
 name: "valid",
- secret: &api.Secret{
+ secret: &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{Name: "test"},
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenExtraGroupsKey: []byte("system:bootstrappers:foo,system:bootstrappers:bar,system:bootstrappers:bar"),
diff --git a/staging/src/k8s.io/api/core/v1/types.go b/staging/src/k8s.io/api/core/v1/types.go
index 475e9d0137b..298af757dac 100644
--- a/staging/src/k8s.io/api/core/v1/types.go
+++ b/staging/src/k8s.io/api/core/v1/types.go
@@ -4996,6 +4996,10 @@ const (
 TLSCertKey = "tls.crt"
 // TLSPrivateKeyKey is the key for the private key field in a TLS secret.
 TLSPrivateKeyKey = "tls.key"
+ // SecretTypeBootstrapToken is used during the automated bootstrap process (first
+ // implemented by kubeadm). It stores tokens that are used to sign well known
+ // ConfigMaps. They are used for authn.
+ SecretTypeBootstrapToken SecretType = "bootstrap.kubernetes.io/token"
 )
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
diff --git a/test/integration/auth/bootstraptoken_test.go b/test/integration/auth/bootstraptoken_test.go
index aeeb72bd81d..89f2a9d46d6 100644
--- a/test/integration/auth/bootstraptoken_test.go
+++ b/test/integration/auth/bootstraptoken_test.go
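Review bot: The doc comment added for `SecretTypeBootstrapToken` in the types.go hunk leaves the antecedent of "They" unclear and reads as if the tokens only sign ConfigMaps, while the bootstrap.go change in this same commit consumes secrets of this type for bearer-token authentication; a clearer wording is `// SecretTypeBootstrapToken is used during the automated bootstrap process (first implemented by kubeadm). Secrets of this type hold tokens that both sign well-known ConfigMaps and are accepted by the API server as bearer tokens for authentication.` The value `"bootstrap.kubernetes.io/token"` presumably has to match the internal `api.SecretTypeBootstrapToken` that the integration test referenced before this change, since a mismatch would make existing bootstrap secrets stop being recognised; that cannot be verified from this hunk. The bootstrap_test.go hunks on this line are type-only and need nothing.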
@@ -24,24 +24,24 @@ import (
 "testing"
 "time"
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apiserver/pkg/authentication/request/bearertoken"
 bootstrapapi "k8s.io/cluster-bootstrap/token/api"
- api "k8s.io/kubernetes/pkg/apis/core"
 "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"
 bootstraputil "k8s.io/kubernetes/test/e2e/lifecycle/bootstrap"
 "k8s.io/kubernetes/test/integration"
 "k8s.io/kubernetes/test/integration/framework"
 )
-type bootstrapSecrets []*api.Secret
+type bootstrapSecrets []*corev1.Secret
-func (b bootstrapSecrets) List(selector labels.Selector) (ret []*api.Secret, err error) {
+func (b bootstrapSecrets) List(selector labels.Selector) (ret []*corev1.Secret, err error) {
 return b, nil
 }
-func (b bootstrapSecrets) Get(name string) (*api.Secret, error) {
+func (b bootstrapSecrets) Get(name string) (*corev1.Secret, error) {
 return b[0], nil
 }
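Review bot: The `bootstrapSecrets.Get` fake still ignores `name` and returns `b[0]`, so it panics with an index out of range on an empty fixture and cannot tell secrets apart in a multi-element one; since the signature is already being rewritten here, looping over `b`, returning the element whose `s.Name == name` matches and returning a not-found error otherwise, as the `lister.Get` fake in bootstrap_test.go does, would make the fake honest. `List` likewise ignores `selector`, which is fine for these tests but worth a one-line comment such as `// selector is ignored; the whole fixture is returned.` Both methods are complete within this hunk.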
@@ -55,36 +55,36 @@ func TestBootstrapTokenAuth(t *testing.T) {
 if err != nil {
 t.Fatalf("unexpected error: %v", err)
 }
- var bootstrapSecretValid = &api.Secret{
+ var bootstrapSecretValid = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: metav1.NamespaceSystem,
 Name: bootstrapapi.BootstrapTokenSecretPrefix,
 },
- Type: api.SecretTypeBootstrapToken,
+ Type: corev1.SecretTypeBootstrapToken,
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
 bootstrapapi.BootstrapTokenSecretKey: []byte(secret),
 bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
 },
 }
- var bootstrapSecretInvalid = &api.Secret{
+ var bootstrapSecretInvalid = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: metav1.NamespaceSystem,
 Name: bootstrapapi.BootstrapTokenSecretPrefix,
 },
- Type: api.SecretTypeBootstrapToken,
+ Type: corev1.SecretTypeBootstrapToken,
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
 bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
 bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
 },
 }
- var expiredBootstrapToken = &api.Secret{
+ var expiredBootstrapToken = &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: metav1.NamespaceSystem,
 Name: bootstrapapi.BootstrapTokenSecretPrefix,
 },
- Type: api.SecretTypeBootstrapToken,
+ Type: corev1.SecretTypeBootstrapToken,
 Data: map[string][]byte{
 bootstrapapi.BootstrapTokenIDKey: []byte(tokenId),
 bootstrapapi.BootstrapTokenSecretKey: []byte("invalid"),
@@ -101,7 +101,7 @@ func TestBootstrapTokenAuth(t *testing.T) {
 tests := []struct {
 name string
 request request
- secret *api.Secret
+ secret *corev1.Secret
 }{
 {
 name: "valid token",