Merge pull request #61858 from mikedanese/svcacctpod

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. svcacct: pass pod information in user.Info.Extra() when available For https://github.com/kubernetes/kubernetes/issues/59670 but won't fix until we move to the new token volume source. ref #58790 ```release-note UserInfo derived from service account tokens created from the TokenRequest API now include the pod name and UID in the Extra field. ```
2025-07-23 11:50:44 +00:00 · 2018-08-31 17:56:12 -07:00 · 2018-08-31 17:56:12 -07:00 · f685eb5d64
commit f685eb5d64
parent 2d7b92ee74 43eaeb8c6c
5 changed files with 96 additions and 40 deletions
--- a/pkg/serviceaccount/claims.go
+++ b/pkg/serviceaccount/claims.go
@ -94,11 +94,11 @@ type validator struct {

 var _ = Validator(&validator{})

-func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
+func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
 	private, ok := privateObj.(*privateClaims)
 	if !ok {
 		glog.Errorf("jwt validator expected private claim of type *privateClaims but got: %T", privateObj)
-		return "", "", "", errors.New("Token could not be validated.")
+		return nil, errors.New("Token could not be validated.")
 	}
 	err := public.Validate(jwt.Expected{
 		Time: now(),
@ -106,10 +106,10 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	switch {
 	case err == nil:
 	case err == jwt.ErrExpired:
-		return "", "", "", errors.New("Token has expired.")
+		return nil, errors.New("Token has expired.")
 	default:
 		glog.Errorf("unexpected validation error: %T", err)
-		return "", "", "", errors.New("Token could not be validated.")
+		return nil, errors.New("Token could not be validated.")
 	}

 	var audValid bool
@ -122,7 +122,7 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	}

 	if !audValid {
-		return "", "", "", errors.New("Token is invalid for this audience.")
+		return nil, errors.New("Token is invalid for this audience.")
 	}

 	namespace := private.Kubernetes.Namespace
@ -133,15 +133,15 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	serviceAccount, err := v.getter.GetServiceAccount(namespace, saref.Name)
 	if err != nil {
 		glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, saref.Name, err)
-		return "", "", "", err
+		return nil, err
 	}
 	if serviceAccount.DeletionTimestamp != nil {
 		glog.V(4).Infof("Service account has been deleted %s/%s", namespace, saref.Name)
-		return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
+		return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
 	}
 	if string(serviceAccount.UID) != saref.UID {
 		glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, saref.Name, string(serviceAccount.UID), saref.UID)
-		return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
+		return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
 	}

 	if secref != nil {
@ -149,36 +149,45 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 		secret, err := v.getter.GetSecret(namespace, secref.Name)
 		if err != nil {
 			glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, secref.Name, namespace, saref.Name, err)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if secret.DeletionTimestamp != nil {
 			glog.V(4).Infof("Bound secret is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secref.Name, namespace, saref.Name)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if secref.UID != string(secret.UID) {
 			glog.V(4).Infof("Secret UID no longer matches %s/%s: %q != %q", namespace, secref.Name, string(secret.UID), secref.UID)
-			return "", "", "", fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
+			return nil, fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
 		}
 	}

+	var podName, podUID string
 	if podref != nil {
 		// Make sure token hasn't been invalidated by deletion of the pod
 		pod, err := v.getter.GetPod(namespace, podref.Name)
 		if err != nil {
 			glog.V(4).Infof("Could not retrieve bound pod %s/%s for service account %s/%s: %v", namespace, podref.Name, namespace, saref.Name, err)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if pod.DeletionTimestamp != nil {
 			glog.V(4).Infof("Bound pod is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, podref.Name, namespace, saref.Name)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if podref.UID != string(pod.UID) {
 			glog.V(4).Infof("Pod UID no longer matches %s/%s: %q != %q", namespace, podref.Name, string(pod.UID), podref.UID)
-			return "", "", "", fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
+			return nil, fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
 		}
+		podName = podref.Name
+		podUID = podref.UID
 	}

-	return private.Kubernetes.Namespace, private.Kubernetes.Svcacct.Name, private.Kubernetes.Svcacct.UID, nil
+	return &ServiceAccountInfo{
+		Namespace: private.Kubernetes.Namespace,
+		Name:      private.Kubernetes.Svcacct.Name,
+		UID:       private.Kubernetes.Svcacct.UID,
+		PodName:   podName,
+		PodUID:    podUID,
+	}, nil
 }

 func (v *validator) NewPrivateClaims() interface{} {
--- a/pkg/serviceaccount/jwt.go
+++ b/pkg/serviceaccount/jwt.go
@ -131,7 +131,7 @@ type Validator interface {
 	// Validate validates a token and returns user information or an error.
 	// Validator can assume that the issuer and signature of a token are already
 	// verified when this function is called.
-	Validate(tokenData string, public *jwt.Claims, private interface{}) (namespace, name, uid string, err error)
+	Validate(tokenData string, public *jwt.Claims, private interface{}) (*ServiceAccountInfo, error)
 	// NewPrivateClaims returns a struct that the authenticator should
 	// deserialize the JWT payload into. The authenticator may then pass this
 	// struct back to the Validator as the 'private' argument to a Validate()
@ -172,12 +172,12 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,

 	// If we get here, we have a token with a recognized signature and
 	// issuer string.
-	ns, name, uid, err := j.validator.Validate(tokenData, public, private)
+	sa, err := j.validator.Validate(tokenData, public, private)
 	if err != nil {
 		return nil, false, err
 	}

-	return UserInfo(ns, name, uid), true, nil
+	return sa.UserInfo(), true, nil
 }

 // hasCorrectIssuer returns true if tokenData is a valid JWT in compact
--- a/pkg/serviceaccount/legacy.go
+++ b/pkg/serviceaccount/legacy.go
@ -62,37 +62,37 @@ type legacyValidator struct {

 var _ = Validator(&legacyValidator{})

-func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
+func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
 	private, ok := privateObj.(*legacyPrivateClaims)
 	if !ok {
 		glog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj)
-		return "", "", "", errors.New("Token could not be validated.")
+		return nil, errors.New("Token could not be validated.")
 	}

 	// Make sure the claims we need exist
 	if len(public.Subject) == 0 {
-		return "", "", "", errors.New("sub claim is missing")
+		return nil, errors.New("sub claim is missing")
 	}
 	namespace := private.Namespace
 	if len(namespace) == 0 {
-		return "", "", "", errors.New("namespace claim is missing")
+		return nil, errors.New("namespace claim is missing")
 	}
 	secretName := private.SecretName
 	if len(secretName) == 0 {
-		return "", "", "", errors.New("secretName claim is missing")
+		return nil, errors.New("secretName claim is missing")
 	}
 	serviceAccountName := private.ServiceAccountName
 	if len(serviceAccountName) == 0 {
-		return "", "", "", errors.New("serviceAccountName claim is missing")
+		return nil, errors.New("serviceAccountName claim is missing")
 	}
 	serviceAccountUID := private.ServiceAccountUID
 	if len(serviceAccountUID) == 0 {
-		return "", "", "", errors.New("serviceAccountUID claim is missing")
+		return nil, errors.New("serviceAccountUID claim is missing")
 	}

 	subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
 	if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
-		return "", "", "", errors.New("sub claim is invalid")
+		return nil, errors.New("sub claim is invalid")
 	}

 	if v.lookup {
@ -100,34 +100,38 @@ func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, private
 		secret, err := v.getter.GetSecret(namespace, secretName)
 		if err != nil {
 			glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if secret.DeletionTimestamp != nil {
 			glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
 			glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
-			return "", "", "", errors.New("Token does not match server's copy")
+			return nil, errors.New("Token does not match server's copy")
 		}

 		// Make sure service account still exists (name and UID)
 		serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
 		if err != nil {
 			glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
-			return "", "", "", err
+			return nil, err
 		}
 		if serviceAccount.DeletionTimestamp != nil {
 			glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
-			return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
+			return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
 		}
 		if string(serviceAccount.UID) != serviceAccountUID {
 			glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
-			return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
+			return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
 		}
 	}

-	return private.Namespace, private.ServiceAccountName, private.ServiceAccountUID, nil
+	return &ServiceAccountInfo{
+		Namespace: private.Namespace,
+		Name:      private.ServiceAccountName,
+		UID:       private.ServiceAccountUID,
+	}, nil
 }

 func (v *legacyValidator) NewPrivateClaims() interface{} {
--- a/pkg/serviceaccount/util.go
+++ b/pkg/serviceaccount/util.go
@ -22,13 +22,42 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 )

+const (
+	// PodNameKey is the key used in a user's "extra" to specify the pod name of
+	// the authenticating request.
+	PodNameKey = "authentication.kubernetes.io/pod-name"
+	// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
+	// the authenticating request.
+	PodUIDKey = "authentication.kubernetes.io/pod-uid"
+)
+
 // UserInfo returns a user.Info interface for the given namespace, service account name and UID
 func UserInfo(namespace, name, uid string) user.Info {
-	return &user.DefaultInfo{
-		Name:   apiserverserviceaccount.MakeUsername(namespace, name),
-		UID:    uid,
-		Groups: apiserverserviceaccount.MakeGroupNames(namespace),
+	return (&ServiceAccountInfo{
+		Name:      name,
+		Namespace: namespace,
+		UID:       uid,
+	}).UserInfo()
+}
+
+type ServiceAccountInfo struct {
+	Name, Namespace, UID string
+	PodName, PodUID      string
+}
+
+func (sa *ServiceAccountInfo) UserInfo() user.Info {
+	info := &user.DefaultInfo{
+		Name:   apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
+		UID:    sa.UID,
+		Groups: apiserverserviceaccount.MakeGroupNames(sa.Namespace),
 	}
+	if sa.PodName != "" && sa.PodUID != "" {
+		info.Extra = map[string][]string{
+			PodNameKey: {sa.PodName},
+			PodUIDKey:  {sa.PodUID},
+		}
+	}
+	return info
 }

 // IsServiceAccountToken returns true if the secret is a valid api token for the service account
--- a/test/integration/auth/svcaccttoken_test.go
+++ b/test/integration/auth/svcaccttoken_test.go
@ -21,6 +21,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"strings"
 	"testing"
 	"time"
@ -161,7 +162,10 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")

-		doTokenReview(t, cs, treq, false)
+		info := doTokenReview(t, cs, treq, false)
+		if info.Extra != nil {
+			t.Fatalf("expected Extra to be nil but got: %#v", info.Extra)
+		}
 		delSvcAcct()
 		doTokenReview(t, cs, treq, true)
 	})
@ -214,7 +218,16 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 		checkPayload(t, treq.Status.Token, `"myns"`, "kubernetes.io", "namespace")
 		checkPayload(t, treq.Status.Token, `"test-svcacct"`, "kubernetes.io", "serviceaccount", "name")

-		doTokenReview(t, cs, treq, false)
+		info := doTokenReview(t, cs, treq, false)
+		if len(info.Extra) != 2 {
+			t.Fatalf("expected Extra have length of 2 but was length %d: %#v", len(info.Extra), info.Extra)
+		}
+		if expected := map[string]authenticationv1.ExtraValue{
+			"authentication.kubernetes.io/pod-name": {pod.ObjectMeta.Name},
+			"authentication.kubernetes.io/pod-uid":  {string(pod.ObjectMeta.UID)},
+		}; !reflect.DeepEqual(info.Extra, expected) {
+			t.Fatalf("unexpected Extra:\ngot:\t%#v\nwant:\t%#v", info.Extra, expected)
+		}
 		delPod()
 		doTokenReview(t, cs, treq, true)
 	})
@ -539,7 +552,7 @@ func TestServiceAccountTokenCreate(t *testing.T) {
 	})
 }

-func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.TokenRequest, expectErr bool) {
+func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.TokenRequest, expectErr bool) authenticationv1.UserInfo {
 	t.Helper()
 	trev, err := cs.AuthenticationV1().TokenReviews().Create(&authenticationv1.TokenReview{
 		Spec: authenticationv1.TokenReviewSpec{
@ -559,6 +572,7 @@ func doTokenReview(t *testing.T, cs clientset.Interface, treq *authenticationv1.
 	if !trev.Status.Authenticated && !expectErr {
 		t.Fatal("expected token to be authenticated but it wasn't")
 	}
+	return trev.Status.User
 }

 func checkPayload(t *testing.T, tok string, want string, parts ...string) {