Merge pull request #61858 from mikedanese/svcacctpod

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

svcacct: pass pod information in user.Info.Extra() when available

For https://github.com/kubernetes/kubernetes/issues/59670 but won't fix until we move to the new token volume source.

ref #58790

```release-note
UserInfo derived from service account tokens created from the TokenRequest API now include the pod name and UID in the Extra field.
```
This commit is contained in:
Kubernetes Submit Queue 2018-08-31 17:56:12 -07:00 committed by GitHub
commit f685eb5d64
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 96 additions and 40 deletions

View File

@ -94,11 +94,11 @@ type validator struct {
var _ = Validator(&validator{})
func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
private, ok := privateObj.(*privateClaims)
if !ok {
glog.Errorf("jwt validator expected private claim of type *privateClaims but got: %T", privateObj)
return "", "", "", errors.New("Token could not be validated.")
return nil, errors.New("Token could not be validated.")
}
err := public.Validate(jwt.Expected{
Time: now(),
@ -106,10 +106,10 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
switch {
case err == nil:
case err == jwt.ErrExpired:
return "", "", "", errors.New("Token has expired.")
return nil, errors.New("Token has expired.")
default:
glog.Errorf("unexpected validation error: %T", err)
return "", "", "", errors.New("Token could not be validated.")
return nil, errors.New("Token could not be validated.")
}
var audValid bool
@ -122,7 +122,7 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
}
if !audValid {
return "", "", "", errors.New("Token is invalid for this audience.")
return nil, errors.New("Token is invalid for this audience.")
}
namespace := private.Kubernetes.Namespace
@ -133,15 +133,15 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
serviceAccount, err := v.getter.GetServiceAccount(namespace, saref.Name)
if err != nil {
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, saref.Name, err)
return "", "", "", err
return nil, err
}
if serviceAccount.DeletionTimestamp != nil {
glog.V(4).Infof("Service account has been deleted %s/%s", namespace, saref.Name)
return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
}
if string(serviceAccount.UID) != saref.UID {
glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, saref.Name, string(serviceAccount.UID), saref.UID)
return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
}
if secref != nil {
@ -149,36 +149,45 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
secret, err := v.getter.GetSecret(namespace, secref.Name)
if err != nil {
glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, secref.Name, namespace, saref.Name, err)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if secret.DeletionTimestamp != nil {
glog.V(4).Infof("Bound secret is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secref.Name, namespace, saref.Name)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if secref.UID != string(secret.UID) {
glog.V(4).Infof("Secret UID no longer matches %s/%s: %q != %q", namespace, secref.Name, string(secret.UID), secref.UID)
return "", "", "", fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
return nil, fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
}
}
var podName, podUID string
if podref != nil {
// Make sure token hasn't been invalidated by deletion of the pod
pod, err := v.getter.GetPod(namespace, podref.Name)
if err != nil {
glog.V(4).Infof("Could not retrieve bound pod %s/%s for service account %s/%s: %v", namespace, podref.Name, namespace, saref.Name, err)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if pod.DeletionTimestamp != nil {
glog.V(4).Infof("Bound pod is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, podref.Name, namespace, saref.Name)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if podref.UID != string(pod.UID) {
glog.V(4).Infof("Pod UID no longer matches %s/%s: %q != %q", namespace, podref.Name, string(pod.UID), podref.UID)
return "", "", "", fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
return nil, fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
}
podName = podref.Name
podUID = podref.UID
}
return private.Kubernetes.Namespace, private.Kubernetes.Svcacct.Name, private.Kubernetes.Svcacct.UID, nil
return &ServiceAccountInfo{
Namespace: private.Kubernetes.Namespace,
Name: private.Kubernetes.Svcacct.Name,
UID: private.Kubernetes.Svcacct.UID,
PodName: podName,
PodUID: podUID,
}, nil
}
func (v *validator) NewPrivateClaims() interface{} {

View File

@ -131,7 +131,7 @@ type Validator interface {
// Validate validates a token and returns user information or an error.
// Validator can assume that the issuer and signature of a token are already
// verified when this function is called.
Validate(tokenData string, public *jwt.Claims, private interface{}) (namespace, name, uid string, err error)
Validate(tokenData string, public *jwt.Claims, private interface{}) (*ServiceAccountInfo, error)
// NewPrivateClaims returns a struct that the authenticator should
// deserialize the JWT payload into. The authenticator may then pass this
// struct back to the Validator as the 'private' argument to a Validate()
@ -172,12 +172,12 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
// If we get here, we have a token with a recognized signature and
// issuer string.
ns, name, uid, err := j.validator.Validate(tokenData, public, private)
sa, err := j.validator.Validate(tokenData, public, private)
if err != nil {
return nil, false, err
}
return UserInfo(ns, name, uid), true, nil
return sa.UserInfo(), true, nil
}
// hasCorrectIssuer returns true if tokenData is a valid JWT in compact

View File

@ -62,37 +62,37 @@ type legacyValidator struct {
var _ = Validator(&legacyValidator{})
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
private, ok := privateObj.(*legacyPrivateClaims)
if !ok {
glog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj)
return "", "", "", errors.New("Token could not be validated.")
return nil, errors.New("Token could not be validated.")
}
// Make sure the claims we need exist
if len(public.Subject) == 0 {
return "", "", "", errors.New("sub claim is missing")
return nil, errors.New("sub claim is missing")
}
namespace := private.Namespace
if len(namespace) == 0 {
return "", "", "", errors.New("namespace claim is missing")
return nil, errors.New("namespace claim is missing")
}
secretName := private.SecretName
if len(secretName) == 0 {
return "", "", "", errors.New("secretName claim is missing")
return nil, errors.New("secretName claim is missing")
}
serviceAccountName := private.ServiceAccountName
if len(serviceAccountName) == 0 {
return "", "", "", errors.New("serviceAccountName claim is missing")
return nil, errors.New("serviceAccountName claim is missing")
}
serviceAccountUID := private.ServiceAccountUID
if len(serviceAccountUID) == 0 {
return "", "", "", errors.New("serviceAccountUID claim is missing")
return nil, errors.New("serviceAccountUID claim is missing")
}
subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
return "", "", "", errors.New("sub claim is invalid")
return nil, errors.New("sub claim is invalid")
}
if v.lookup {
@ -100,34 +100,38 @@ func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, private
secret, err := v.getter.GetSecret(namespace, secretName)
if err != nil {
glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if secret.DeletionTimestamp != nil {
glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return "", "", "", errors.New("Token has been invalidated")
return nil, errors.New("Token has been invalidated")
}
if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
return "", "", "", errors.New("Token does not match server's copy")
return nil, errors.New("Token does not match server's copy")
}
// Make sure service account still exists (name and UID)
serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
if err != nil {
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
return "", "", "", err
return nil, err
}
if serviceAccount.DeletionTimestamp != nil {
glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
}
if string(serviceAccount.UID) != serviceAccountUID {
glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
}
}
return private.Namespace, private.ServiceAccountName, private.ServiceAccountUID, nil
return &ServiceAccountInfo{
Namespace: private.Namespace,
Name: private.ServiceAccountName,
UID: private.ServiceAccountUID,
}, nil
}
func (v *legacyValidator) NewPrivateClaims() interface{} {

View File

@ -22,13 +22,42 @@ import (
"k8s.io/apiserver/pkg/authentication/user"
)
const (
// PodNameKey is the key used in a user's "extra" to specify the pod name of
// the authenticating request.
PodNameKey = "authentication.kubernetes.io/pod-name"
// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
// the authenticating request.
PodUIDKey = "authentication.kubernetes.io/pod-uid"
)
// UserInfo returns a user.Info interface for the given namespace, service account name and UID
func UserInfo(namespace, name, uid string) user.Info {
return &user.DefaultInfo{
Name: apiserverserviceaccount.MakeUsername(namespace, name),
UID: uid,
Groups: apiserverserviceaccount.MakeGroupNames(namespace),
return (&ServiceAccountInfo{
Name: name,
Namespace: namespace,
UID: uid,
}).UserInfo()
}
type ServiceAccountInfo struct {
Name, Namespace, UID string
PodName, PodUID string
}
func (sa *ServiceAccountInfo) UserInfo() user.Info {
info := &user.DefaultInfo{
Name: apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
UID: sa.UID,
Groups: apiserverserviceaccount.MakeGroupNames(sa.Namespace),
}
if sa.PodName != "" && sa.PodUID != "" {
info.Extra = map[string][]string{
PodNameKey: {sa.PodName},
PodUIDKey: {sa.PodUID},
}
}
return info
}
// IsServiceAccountToken returns true if the secret is a valid api token for the service account

View File

@ -21,6 +21,7 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
"reflect"
"strings"
"testing"
"time"
@ -161,7 +162,10 @@ func TestServiceAccountTokenCreate(t *testing.T) {
checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
doTokenReview(t, cs, treq, false)
info := doTokenReview(t, cs, treq, false)
if info.Extra != nil {
t.Fatalf("expected Extra to be nil but got: %#v", info.Extra)
}
delSvcAcct()
doTokenReview(t, cs, treq, true)
})
@ -214,7 +218,16 @@ func TestServiceAccountTokenCreate(t *testing.T) {
checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")
doTokenReview(t, cs, treq, false)
info := doTokenReview(t, cs, treq, false)
if len(info.Extra) != 2 {
t.Fatalf("expected Extra have length of 2 but was length %d: %#v", len(info.Extra), info.Extra)
}
if expected := map[string]authenticationv1.ExtraValue{
"authentication.kubernetes.io/pod-name": {pod.ObjectMeta.Name},
"authentication.kubernetes.io/pod-uid": {string(pod.ObjectMeta.UID)},
}; !reflect.DeepEqual(info.Extra, expected) {
t.Fatalf("unexpected Extra:\ngot:\t%#v\nwant:\t%#v", info.Extra, expected)
}
delPod()
doTokenReview(t, cs, treq, true)
})
@ -539,7 +552,7 @@ func TestServiceAccountTokenCreate(t *testing.T) {
})
}
func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.TokenRequest, expectErr bool) {
func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.TokenRequest, expectErr bool) authenticationv1.UserInfo {
t.Helper()
trev, err := cs.AuthenticationV1().TokenReviews().Create(&authenticationv1.TokenReview{
Spec: authenticationv1.TokenReviewSpec{
@ -559,6 +572,7 @@ func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.
if !trev.Status.Authenticated && !expectErr {
t.Fatal("expected token to be authenticated but it wasn't")
}
return trev.Status.User
}
func checkPayload(t *testing.T, tok string, want string, parts ...string) {