Merge pull request #41058 from liggitt/v1-tokenreview

Automatic merge from submit-queue (batch tested with PRs 41112, 41201, 41058, 40650, 40926) Promote TokenReview to v1 Peer to https://github.com/kubernetes/kubernetes/pull/40709 We have multiple features that depend on this API: - [webhook authentication](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication) - [kubelet delegated authentication](https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication) - add-on API server delegated authentication The API has been in use since 1.3 in beta status (v1beta1) with negligible changes: - Added a status field for reporting errors evaluating the token This PR promotes the existing v1beta1 API to v1 with no changes Because the API does not persist data (it is a query/response-style API), there are no data migration concerns. This positions us to promote the features that depend on this API to stable in 1.7 cc @kubernetes/sig-auth-api-reviews @kubernetes/sig-auth-misc ```release-note The authentication.k8s.io API group was promoted to v1 ```
2025-09-12 12:48:51 +00:00 · 2017-02-10 01:40:44 -08:00
parent 64f34eb5fa 09b5d7279f
commit f9215e8fb3
52 changed files with 4757 additions and 15 deletions
--- a/api/openapi-spec/swagger.json
+++ b/api/openapi-spec/swagger.json
@@ -15582,6 +15582,89 @@
     }
    }
   },
+   "/apis/authentication.k8s.io/v1/": {
+    "get": {
+     "description": "get available resources",
+     "consumes": [
+      "application/json",
+      "application/yaml",
+      "application/vnd.kubernetes.protobuf"
+     ],
+     "produces": [
+      "application/json",
+      "application/yaml",
+      "application/vnd.kubernetes.protobuf"
+     ],
+     "schemes": [
+      "https"
+     ],
+     "tags": [
+      "authentication_v1"
+     ],
+     "operationId": "getAuthenticationV1APIResources",
+     "responses": {
+      "200": {
+       "description": "OK",
+       "schema": {
+        "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList"
+       }
+      },
+      "401": {
+       "description": "Unauthorized"
+      }
+     }
+    }
+   },
+   "/apis/authentication.k8s.io/v1/tokenreviews": {
+    "post": {
+     "description": "create a TokenReview",
+     "consumes": [
+      "*/*"
+     ],
+     "produces": [
+      "application/json",
+      "application/yaml",
+      "application/vnd.kubernetes.protobuf"
+     ],
+     "schemes": [
+      "https"
+     ],
+     "tags": [
+      "authentication_v1"
+     ],
+     "operationId": "createAuthenticationV1TokenReview",
+     "parameters": [
+      {
+       "name": "body",
+       "in": "body",
+       "required": true,
+       "schema": {
+        "$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReview"
+       }
+      }
+     ],
+     "responses": {
+      "200": {
+       "description": "OK",
+       "schema": {
+        "$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReview"
+       }
+      },
+      "401": {
+       "description": "Unauthorized"
+      }
+     }
+    },
+    "parameters": [
+     {
+      "uniqueItems": true,
+      "type": "string",
+      "description": "If 'true', then the output is pretty printed.",
+      "name": "pretty",
+      "in": "query"
+     }
+    ]
+   },
   "/apis/authentication.k8s.io/v1beta1/": {
    "get": {
     "description": "get available resources",
@@ -39164,6 +39247,96 @@
     }
    }
   },
+   "io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReview": {
+    "description": "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.",
+    "required": [
+     "spec"
+    ],
+    "properties": {
+     "apiVersion": {
+      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#resources",
+      "type": "string"
+     },
+     "kind": {
+      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds",
+      "type": "string"
+     },
+     "metadata": {
+      "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"
+     },
+     "spec": {
+      "description": "Spec holds information about the request being evaluated",
+      "$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReviewSpec"
+     },
+     "status": {
+      "description": "Status is filled in by the server and indicates whether the request can be authenticated.",
+      "$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReviewStatus"
+     }
+    },
+    "x-kubernetes-group-version-kind": [
+     {
+      "Group": "authentication.k8s.io",
+      "Version": "v1",
+      "Kind": "TokenReview"
+     }
+    ]
+   },
+   "io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReviewSpec": {
+    "description": "TokenReviewSpec is a description of the token authentication request.",
+    "properties": {
+     "token": {
+      "description": "Token is the opaque bearer token.",
+      "type": "string"
+     }
+    }
+   },
+   "io.k8s.kubernetes.pkg.apis.authentication.v1.TokenReviewStatus": {
+    "description": "TokenReviewStatus is the result of the token authentication request.",
+    "properties": {
+     "authenticated": {
+      "description": "Authenticated indicates that the token was associated with a known user.",
+      "type": "boolean"
+     },
+     "error": {
+      "description": "Error indicates that the token couldn't be checked",
+      "type": "string"
+     },
+     "user": {
+      "description": "User is the UserInfo associated with the provided token.",
+      "$ref": "#/definitions/io.k8s.kubernetes.pkg.apis.authentication.v1.UserInfo"
+     }
+    }
+   },
+   "io.k8s.kubernetes.pkg.apis.authentication.v1.UserInfo": {
+    "description": "UserInfo holds the information about the user needed to implement the user.Info interface.",
+    "properties": {
+     "extra": {
+      "description": "Any additional information provided by the authenticator.",
+      "type": "object",
+      "additionalProperties": {
+       "type": "array",
+       "items": {
+        "type": "string"
+       }
+      }
+     },
+     "groups": {
+      "description": "The names of groups this user is a part of.",
+      "type": "array",
+      "items": {
+       "type": "string"
+      }
+     },
+     "uid": {
+      "description": "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.",
+      "type": "string"
+     },
+     "username": {
+      "description": "The name that uniquely identifies this user among all active users.",
+      "type": "string"
+     }
+    }
+   },
   "io.k8s.kubernetes.pkg.apis.authentication.v1beta1.TokenReview": {
    "description": "TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.",
    "required": [