echo audiences in anonymous and insecure authenticators

part of https://github.com/kubernetes/kubernetes/issues/69893
2025-07-27 13:37:30 +00:00 · 2018-10-26 15:29:55 -07:00 · 2018-10-26 15:29:55 -07:00 · f94bc6193e
commit f94bc6193e
parent 1355e6b277
4 changed files with 9 additions and 1 deletions
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
@ -25,6 +25,7 @@ go_library(
    deps = [
        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
    ],
 )

--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
@ -21,6 +21,7 @@ import (

 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"
 )

 const (
@ -31,11 +32,13 @@ const (

 func NewAuthenticator() authenticator.Request {
 	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+		auds, _ := request.AudiencesFrom(req.Context())
 		return &authenticator.Response{
 			User: &user.DefaultInfo{
 				Name:   anonymousUser,
 				Groups: []string{unauthenticatedGroup},
 			},
+			Audiences: auds,
 		}, true, nil
 	})
 }
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
@ -17,6 +17,7 @@ limitations under the License.
 package anonymous

 import (
+	"net/http"
 	"testing"

 	"k8s.io/apimachinery/pkg/util/sets"
@ -26,7 +27,7 @@ import (

 func TestAnonymous(t *testing.T) {
 	var a authenticator.Request = NewAuthenticator()
-	r, ok, err := a.AuthenticateRequest(nil)
+	r, ok, err := a.AuthenticateRequest(&http.Request{})
 	if err != nil {
 		t.Fatalf("Unexpected error %v", err)
 	}
--- a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
@ -25,6 +25,7 @@ import (

 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/rest"
 )

@ -79,10 +80,12 @@ func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config,
 type InsecureSuperuser struct{}

 func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
+	auds, _ := request.AudiencesFrom(req.Context())
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
 			Name:   "system:unsecured",
 			Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
 		},
+		Audiences: auds,
 	}, true, nil
 }