Merge pull request #81152 from tedyu/const-pass-cmp

Constant time password comparison

pkg/kubeapiserver/options/authentication.go

@@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
 			"If set, the file that will be used to admit requests to the secure port of the API server "+
 			"via http basic authentication.")
+		fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
 	}
 
 	if s.RequestHeader != nil {

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go

@@ -18,6 +18,7 @@ package passwordfile
 
 import (
 	"context"
+	"crypto/subtle"
 	"encoding/csv"
 	"fmt"
 	"io"
@@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
 	if !ok {
 		return nil, false, nil
 	}
-	if user.password != password {
+	if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
 		return nil, false, nil
 	}
 	return &authenticator.Response{User: user.info}, true, nil