Merge pull request #89069 from enj/enj/i/drop_password_file

Remove support for basic authentication

cluster/gce/gci/configure-kubeapiserver.sh

@@ -101,9 +101,6 @@ function start-kube-apiserver {
     params+=" --service-account-key-file=${SERVICEACCOUNT_CERT_PATH}"
   fi
   params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
-  if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
-    params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
-  fi
 
   if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]]; then
     params+=" --request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT_SEC}s"

cmd/controller-manager/app/serve.go

@@ -37,7 +37,7 @@ import (
 // BuildHandlerChain builds a handler chain with a base handler and CompletedConfig.
 func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.AuthorizationInfo, authenticationInfo *apiserver.AuthenticationInfo) http.Handler {
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
-	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
+	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs)
 
 	handler := apiHandler
 	if authorizationInfo != nil {

cmd/kube-apiserver/app/options/options_test.go

@@ -276,7 +276,6 @@ func TestAddFlags(t *testing.T) {
 				UsernameClaim: "sub",
 				SigningAlgs:   []string{"RS256"},
 			},
-			PasswordFile:  &kubeoptions.PasswordFileAuthenticationOptions{},
 			RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{},
 			ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
 				Lookup: true,

cmd/kube-scheduler/app/server.go

@@ -262,7 +262,7 @@ func Run(ctx context.Context, cc schedulerserverconfig.CompletedConfig, outOfTre
 // buildHandlerChain wraps the given handler with the standard filters.
 func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler {
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
-	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
+	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs)
 
 	handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs)
 	handler = genericapifilters.WithAuthentication(handler, authn, failedHandler, nil)

pkg/kubeapiserver/authenticator/BUILD

@@ -27,8 +27,6 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
         "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",

pkg/kubeapiserver/authenticator/config.go

@@ -36,8 +36,6 @@ import (
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
-	"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 
@@ -51,7 +49,6 @@ import (
 // Config contains the data on how to authenticate a request to the Kube API Server
 type Config struct {
 	Anonymous      bool
-	BasicAuthFile  string
 	BootstrapToken bool
 
 	TokenAuthFile               string
@@ -109,22 +106,6 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
 		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, requestHeaderAuthenticator))
 	}
 
-	// basic auth
-	if len(config.BasicAuthFile) > 0 {
-		basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)
-		if err != nil {
-			return nil, nil, err
-		}
-		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, basicAuth))
-
-		securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{
-			SecuritySchemeProps: spec.SecuritySchemeProps{
-				Type:        "basic",
-				Description: "HTTP Basic authentication",
-			},
-		}
-	}
-
 	// X509 methods
 	if config.ClientCAContentProvider != nil {
 		certAuth := x509.NewDynamic(config.ClientCAContentProvider.VerifyOptions, x509.CommonNameUserConversion)
@@ -235,16 +216,6 @@ func IsValidServiceAccountKeyFile(file string) bool {
 	return err == nil
 }
 
-// newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
-func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
-	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
-	if err != nil {
-		return nil, err
-	}
-
-	return basicauth.New(basicAuthenticator), nil
-}
-
 // newAuthenticatorFromTokenFile returns an authenticator.Token or an error
 func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) {
 	tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)

pkg/kubeapiserver/options/authentication.go

@@ -43,7 +43,6 @@ type BuiltInAuthenticationOptions struct {
 	BootstrapToken  *BootstrapTokenAuthenticationOptions
 	ClientCert      *genericoptions.ClientCertAuthenticationOptions
 	OIDC            *OIDCAuthenticationOptions
-	PasswordFile    *PasswordFileAuthenticationOptions
 	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
 	ServiceAccounts *ServiceAccountAuthenticationOptions
 	TokenFile       *TokenFileAuthenticationOptions
@@ -73,10 +72,6 @@ type OIDCAuthenticationOptions struct {
 	RequiredClaims map[string]string
 }
 
-type PasswordFileAuthenticationOptions struct {
-	BasicAuthFile string
-}
-
 type ServiceAccountAuthenticationOptions struct {
 	KeyFiles      []string
 	Lookup        bool
@@ -108,7 +103,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 		WithBootstrapToken().
 		WithClientCert().
 		WithOIDC().
-		WithPasswordFile().
 		WithRequestHeader().
 		WithServiceAccounts().
 		WithTokenFile().
@@ -135,11 +129,6 @@ func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
 	return s
 }
 
-func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions {
-	s.PasswordFile = &PasswordFileAuthenticationOptions{}
-	return s
-}
-
 func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
 	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
 	return s
@@ -274,13 +263,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"Repeat this flag to specify multiple claims.")
 	}
 
-	if s.PasswordFile != nil {
-		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
-			"If set, the file that will be used to admit requests to the secure port of the API server "+
-			"via http basic authentication.")
-		fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
-	}
-
 	if s.RequestHeader != nil {
 		s.RequestHeader.AddFlags(fs)
 	}
@@ -377,10 +359,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat
 		ret.OIDCRequiredClaims = s.OIDC.RequiredClaims
 	}
 
-	if s.PasswordFile != nil {
-		ret.BasicAuthFile = s.PasswordFile.BasicAuthFile
-	}
-
 	if s.RequestHeader != nil {
 		var err error
 		ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
@@ -447,8 +425,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 		}
 	}
 
-	c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
-
 	c.Authentication.APIAudiences = o.APIAudiences
 	if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
 		c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}

pkg/kubeapiserver/options/authentication_test.go

@@ -120,9 +120,6 @@ func TestToAuthenticationConfig(t *testing.T) {
 			IssuerURL:     "testIssuerURL",
 			ClientID:      "testClientID",
 		},
-		PasswordFile: &PasswordFileAuthenticationOptions{
-			BasicAuthFile: "/testBasicAuthFile",
-		},
 		RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
 			UsernameHeaders:     []string{"x-remote-user"},
 			GroupHeaders:        []string{"x-remote-group"},
@@ -144,7 +141,6 @@ func TestToAuthenticationConfig(t *testing.T) {
 	expectConfig := kubeauthenticator.Config{
 		APIAudiences:                authenticator.Audiences{"http://foo.bar.com"},
 		Anonymous:                   false,
-		BasicAuthFile:               "/testBasicAuthFile",
 		BootstrapToken:              false,
 		ClientCAContentProvider:     nil, // this is nil because you can't compare functions
 		TokenAuthFile:               "/testTokenFile",

staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go

@@ -35,13 +35,6 @@ type Request interface {
 	AuthenticateRequest(req *http.Request) (*Response, bool, error)
 }
 
-// Password checks a username and password against a backing authentication
-// store and returns a Response or an error if the password could not be
-// checked.
-type Password interface {
-	AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error)
-}
-
 // TokenFunc is a function that implements the Token interface.
 type TokenFunc func(ctx context.Context, token string) (*Response, bool, error)
 
@@ -58,14 +51,6 @@ func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, er
 	return f(req)
 }
 
-// PasswordFunc is a function that implements the Password interface.
-type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error)
-
-// AuthenticatePassword implements authenticator.Password.
-func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) {
-	return f(ctx, user, password)
-}
-
 // Response is the struct returned by authenticator interfaces upon successful
 // authentication. It contains information about whether the authenticator
 // authenticated the request, information about the context of the

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go

@@ -71,11 +71,8 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
 	})
 }
 
-func Unauthorized(s runtime.NegotiatedSerializer, supportsBasicAuth bool) http.Handler {
+func Unauthorized(s runtime.NegotiatedSerializer) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		if supportsBasicAuth {
-			w.Header().Set("WWW-Authenticate", `Basic realm="kubernetes-master"`)
-		}
 		ctx := req.Context()
 		requestInfo, found := genericapirequest.RequestInfoFrom(ctx)
 		if !found {

staging/src/k8s.io/apiserver/pkg/server/config.go

@@ -272,10 +272,6 @@ type AuthenticationInfo struct {
 	APIAudiences authenticator.Audiences
 	// Authenticator determines which subject is making the request
 	Authenticator authenticator.Request
-	// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
-	// If this is true, a basic auth challenge is returned on authentication failure
-	// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
-	SupportsBasicAuth bool
 }
 
 type AuthorizationInfo struct {
@@ -670,7 +666,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
 	}
 	handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer)
 	handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc)
-	failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth)
+	failedHandler := genericapifilters.Unauthorized(c.Serializer)
 	failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker)
 	handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences)
 	handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")

staging/src/k8s.io/apiserver/pkg/server/options/authentication.go

@@ -319,7 +319,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.Aut
 	if openAPIConfig != nil {
 		openAPIConfig.SecurityDefinitions = securityDefinitions
 	}
-	authenticationInfo.SupportsBasicAuth = false
 
 	return nil
 }

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/BUILD

@@ -23,8 +23,6 @@ filegroup(
     name = "all-srcs",
     srcs = [
         ":package-srcs",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password:all-srcs",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:all-srcs",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:all-srcs",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest:all-srcs",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:all-srcs",

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/BUILD

@@ -1,29 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["doc.go"],
-    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password",
-    importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password",
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [
-        ":package-srcs",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:all-srcs",
-    ],
-    tags = ["automanaged"],
-)

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/doc.go

@@ -1,18 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package password contains authenticator.Password implementations
-package password // import "k8s.io/apiserver/plugin/pkg/authenticator/password"

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/BUILD

@@ -1,39 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["passwordfile_test.go"],
-    embed = [":go_default_library"],
-    deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["passwordfile.go"],
-    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
-    importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile",
-    deps = [
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-        "//vendor/k8s.io/klog:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go

@@ -1,95 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package passwordfile
-
-import (
-	"context"
-	"crypto/subtle"
-	"encoding/csv"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"k8s.io/klog"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-// PasswordAuthenticator authenticates users by password
-type PasswordAuthenticator struct {
-	users map[string]*userPasswordInfo
-}
-
-type userPasswordInfo struct {
-	info     *user.DefaultInfo
-	password string
-}
-
-// NewCSV returns a PasswordAuthenticator, populated from a CSV file.
-// The CSV file must contain records in the format "password,username,useruid"
-func NewCSV(path string) (*PasswordAuthenticator, error) {
-	file, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer file.Close()
-
-	recordNum := 0
-	users := make(map[string]*userPasswordInfo)
-	reader := csv.NewReader(file)
-	reader.FieldsPerRecord = -1
-	for {
-		record, err := reader.Read()
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return nil, err
-		}
-		if len(record) < 3 {
-			return nil, fmt.Errorf("password file '%s' must have at least 3 columns (password, user name, user uid), found %d", path, len(record))
-		}
-		obj := &userPasswordInfo{
-			info:     &user.DefaultInfo{Name: record[1], UID: record[2]},
-			password: record[0],
-		}
-		if len(record) >= 4 {
-			obj.info.Groups = strings.Split(record[3], ",")
-		}
-		recordNum++
-		if _, exist := users[obj.info.Name]; exist {
-			klog.Warningf("duplicate username '%s' has been found in password file '%s', record number '%d'", obj.info.Name, path, recordNum)
-		}
-		users[obj.info.Name] = obj
-	}
-
-	return &PasswordAuthenticator{users}, nil
-}
-
-// AuthenticatePassword returns user info if authentication is successful, nil otherwise
-func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) {
-	user, ok := a.users[username]
-	if !ok {
-		return nil, false, nil
-	}
-	if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
-		return nil, false, nil
-	}
-	return &authenticator.Response{User: user.info}, true, nil
-}

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile_test.go

@@ -1,161 +0,0 @@
-/*
-Copyright 2015 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package passwordfile
-
-import (
-	"context"
-	"io/ioutil"
-	"os"
-	"reflect"
-	"testing"
-
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-func TestPasswordFile(t *testing.T) {
-	auth, err := newWithContents(t, `
-password1,user1,uid1
-password2,user2,uid2
-password3,user3,uid3,"group1,group2"
-password4,user4,uid4,"group2"
-password5,user5,uid5,group5
-password6,user6,uid6,group5,otherdata
-password7,user7,uid7,"group1,group2",otherdata
-`)
-	if err != nil {
-		t.Fatalf("unable to read passwordfile: %v", err)
-	}
-
-	testCases := []struct {
-		Username string
-		Password string
-		User     *user.DefaultInfo
-		Ok       bool
-		Err      bool
-	}{
-		{
-			Username: "user1",
-			Password: "password1",
-			User:     &user.DefaultInfo{Name: "user1", UID: "uid1"},
-			Ok:       true,
-		},
-		{
-			Username: "user2",
-			Password: "password2",
-			User:     &user.DefaultInfo{Name: "user2", UID: "uid2"},
-			Ok:       true,
-		},
-		{
-			Username: "user1",
-			Password: "password2",
-		},
-		{
-			Username: "user2",
-			Password: "password1",
-		},
-		{
-			Username: "user3",
-			Password: "password3",
-			User:     &user.DefaultInfo{Name: "user3", UID: "uid3", Groups: []string{"group1", "group2"}},
-			Ok:       true,
-		},
-		{
-			Username: "user4",
-			Password: "password4",
-			User:     &user.DefaultInfo{Name: "user4", UID: "uid4", Groups: []string{"group2"}},
-			Ok:       true,
-		},
-		{
-			Username: "user5",
-			Password: "password5",
-			User:     &user.DefaultInfo{Name: "user5", UID: "uid5", Groups: []string{"group5"}},
-			Ok:       true,
-		},
-		{
-			Username: "user6",
-			Password: "password6",
-			User:     &user.DefaultInfo{Name: "user6", UID: "uid6", Groups: []string{"group5"}},
-			Ok:       true,
-		},
-		{
-			Username: "user7",
-			Password: "password7",
-			User:     &user.DefaultInfo{Name: "user7", UID: "uid7", Groups: []string{"group1", "group2"}},
-			Ok:       true,
-		},
-		{
-			Username: "user7",
-			Password: "passwordbad",
-		},
-		{
-			Username: "userbad",
-			Password: "password7",
-		},
-		{
-			Username: "user8",
-			Password: "password8",
-		},
-	}
-	for i, testCase := range testCases {
-		resp, ok, err := auth.AuthenticatePassword(context.Background(), testCase.Username, testCase.Password)
-		if err != nil {
-			t.Errorf("%d: unexpected error: %v", i, err)
-		}
-		if testCase.User == nil {
-			if resp != nil {
-				t.Errorf("%d: unexpected non-nil user %#v", i, resp.User)
-			}
-		} else if !reflect.DeepEqual(testCase.User, resp.User) {
-			t.Errorf("%d: expected user %#v, got %#v", i, testCase.User, resp.User)
-		}
-		if testCase.Ok != ok {
-			t.Errorf("%d: expected auth %v, got %v", i, testCase.Ok, ok)
-		}
-	}
-}
-
-func TestBadPasswordFile(t *testing.T) {
-	if _, err := newWithContents(t, `
-password1,user1,uid1
-password2,user2,uid2
-password3,user3
-password4
-`); err == nil {
-		t.Fatalf("unexpected non error")
-	}
-}
-
-func TestInsufficientColumnsPasswordFile(t *testing.T) {
-	if _, err := newWithContents(t, "password4\n"); err == nil {
-		t.Fatalf("unexpected non error")
-	}
-}
-
-func newWithContents(t *testing.T, contents string) (auth *PasswordAuthenticator, err error) {
-	f, err := ioutil.TempFile("", "passwordfile_test")
-	if err != nil {
-		t.Fatalf("unexpected error creating passwordfile: %v", err)
-	}
-	f.Close()
-	defer os.Remove(f.Name())
-
-	if err := ioutil.WriteFile(f.Name(), []byte(contents), 0700); err != nil {
-		t.Fatalf("unexpected error writing passwordfile: %v", err)
-	}
-
-	return NewCSV(f.Name())
-}

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/BUILD

@@ -1,38 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["basicauth_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-    ],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["basicauth.go"],
-    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
-    importpath = "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth",
-    deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library"],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go

@@ -1,53 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package basicauth
-
-import (
-	"errors"
-	"net/http"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-)
-
-// Authenticator authenticates requests using basic auth
-type Authenticator struct {
-	auth authenticator.Password
-}
-
-// New returns a request authenticator that validates credentials using the provided password authenticator
-func New(auth authenticator.Password) *Authenticator {
-	return &Authenticator{auth}
-}
-
-var errInvalidAuth = errors.New("invalid username/password combination")
-
-// AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request
-func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
-	username, password, found := req.BasicAuth()
-	if !found {
-		return nil, false, nil
-	}
-
-	resp, ok, err := a.auth.AuthenticatePassword(req.Context(), username, password)
-
-	// If the password authenticator didn't error, provide a default error
-	if !ok && err == nil {
-		err = errInvalidAuth
-	}
-
-	return resp, ok, err
-}

staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go

@@ -1,126 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package basicauth
-
-import (
-	"context"
-	"errors"
-	"net/http"
-	"testing"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-type testPassword struct {
-	Username string
-	Password string
-	Called   bool
-
-	User user.Info
-	OK   bool
-	Err  error
-}
-
-func (t *testPassword) AuthenticatePassword(ctx context.Context, user, password string) (*authenticator.Response, bool, error) {
-	t.Called = true
-	t.Username = user
-	t.Password = password
-	return &authenticator.Response{User: t.User}, t.OK, t.Err
-}
-
-func TestBasicAuth(t *testing.T) {
-	testCases := map[string]struct {
-		Header   string
-		Password testPassword
-
-		ExpectedCalled   bool
-		ExpectedUsername string
-		ExpectedPassword string
-
-		ExpectedUser string
-		ExpectedOK   bool
-		ExpectedErr  bool
-	}{
-		"no auth": {},
-		"empty password basic header": {
-			ExpectedCalled:   true,
-			ExpectedUsername: "user_with_empty_password",
-			ExpectedPassword: "",
-			ExpectedErr:      true,
-		},
-		"valid basic header": {
-			ExpectedCalled:   true,
-			ExpectedUsername: "myuser",
-			ExpectedPassword: "mypassword:withcolon",
-			ExpectedErr:      true,
-		},
-		"password auth returned user": {
-			Password:         testPassword{User: &user.DefaultInfo{Name: "returneduser"}, OK: true},
-			ExpectedCalled:   true,
-			ExpectedUsername: "myuser",
-			ExpectedPassword: "mypw",
-			ExpectedUser:     "returneduser",
-			ExpectedOK:       true,
-		},
-		"password auth returned error": {
-			Password:         testPassword{Err: errors.New("auth error")},
-			ExpectedCalled:   true,
-			ExpectedUsername: "myuser",
-			ExpectedPassword: "mypw",
-			ExpectedErr:      true,
-		},
-	}
-
-	for k, testCase := range testCases {
-		password := testCase.Password
-		auth := authenticator.Request(New(&password))
-
-		req, _ := http.NewRequest("GET", "/", nil)
-		if testCase.ExpectedUsername != "" || testCase.ExpectedPassword != "" {
-			req.SetBasicAuth(testCase.ExpectedUsername, testCase.ExpectedPassword)
-		}
-
-		resp, ok, err := auth.AuthenticateRequest(req)
-
-		if testCase.ExpectedCalled != password.Called {
-			t.Errorf("%s: Expected called=%v, got %v", k, testCase.ExpectedCalled, password.Called)
-			continue
-		}
-		if testCase.ExpectedUsername != password.Username {
-			t.Errorf("%s: Expected called with username=%v, got %v", k, testCase.ExpectedUsername, password.Username)
-			continue
-		}
-		if testCase.ExpectedPassword != password.Password {
-			t.Errorf("%s: Expected called with password=%v, got %v", k, testCase.ExpectedPassword, password.Password)
-			continue
-		}
-
-		if testCase.ExpectedErr != (err != nil) {
-			t.Errorf("%s: Expected err=%v, got err=%v", k, testCase.ExpectedErr, err)
-			continue
-		}
-		if testCase.ExpectedOK != ok {
-			t.Errorf("%s: Expected ok=%v, got ok=%v", k, testCase.ExpectedOK, ok)
-			continue
-		}
-		if testCase.ExpectedUser != "" && testCase.ExpectedUser != resp.User.GetName() {
-			t.Errorf("%s: Expected user.GetName()=%v, got %v", k, testCase.ExpectedUser, resp.User.GetName())
-			continue
-		}
-	}
-}

test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml

@@ -13,7 +13,7 @@ spec:
     - /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
       --cloud-provider=gce   --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
       --service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
-      --basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
+      --cluster-name=e2e-test-bburns
       --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
       --secure-port=443 --token-auth-file=/srv/kubernetes/known_tokens.csv  --v=2
       --allow-privileged=False 1>>/var/log/kube-apiserver.log 2>&1

test/kubemark/resources/start-kubemark-master.sh

@@ -547,7 +547,6 @@ function compute-kube-apiserver-params {
 	params+=" --client-ca-file=/etc/srv/kubernetes/ca.crt"
 	params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
 	params+=" --secure-port=443"
-	params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
 	params+=" --target-ram-mb=$((NUM_NODES * 60))"
 	params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 	params+=" --admission-control=${CUSTOM_ADMISSION_PLUGINS}"

vendor/modules.txt

@@ -1401,8 +1401,6 @@ k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced
 k8s.io/apiserver/plugin/pkg/audit/log
 k8s.io/apiserver/plugin/pkg/audit/truncate
 k8s.io/apiserver/plugin/pkg/audit/webhook
-k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile
-k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth
 k8s.io/apiserver/plugin/pkg/authenticator/token/oidc
 k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook