Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
3cafde2e
Commit
3cafde2e
authored
Oct 08, 2018
by
Darren Shepherd
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Delete anonymous auth
parent
b9c72ff9
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
1 addition
and
182 deletions
+1
-182
auth.go
cmd/kubelet/app/auth.go
+0
-1
config.go
pkg/kubeapiserver/authenticator/config.go
+0
-11
authentication.go
pkg/kubeapiserver/options/authentication.go
+1
-32
delegating.go
...ver/pkg/authentication/authenticatorfactory/delegating.go
+0
-9
BUILD
...s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+0
-42
anonymous.go
...iserver/pkg/authentication/request/anonymous/anonymous.go
+0
-43
anonymous_test.go
...er/pkg/authentication/request/anonymous/anonymous_test.go
+0
-43
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+0
-1
No files found.
cmd/kubelet/app/auth.go
View file @
3cafde2e
...
...
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
// BuildAuthn creates an authenticator compatible with the kubelet's needs
func
BuildAuthn
(
client
authenticationclient
.
TokenReviewInterface
,
authn
kubeletconfig
.
KubeletAuthentication
)
(
authenticator
.
Request
,
error
)
{
authenticatorConfig
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
Anonymous
:
authn
.
Anonymous
.
Enabled
,
CacheTTL
:
authn
.
Webhook
.
CacheTTL
.
Duration
,
ClientCAFile
:
authn
.
X509
.
ClientCAFile
,
}
...
...
pkg/kubeapiserver/authenticator/config.go
View file @
3cafde2e
...
...
@@ -21,7 +21,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/websocket"
...
...
@@ -42,7 +41,6 @@ import (
// Config contains the data on how to authenticate a request to the Kube API Server
type
Config
struct
{
Anonymous
bool
BasicAuthFile
string
ClientCAFile
string
TokenAuthFile
string
...
...
@@ -125,9 +123,6 @@ func (config Config) New() (authenticator.Request, error) {
}
if
len
(
authenticators
)
==
0
{
if
config
.
Anonymous
{
return
anonymous
.
NewAuthenticator
(),
nil
}
return
nil
,
nil
}
...
...
@@ -135,12 +130,6 @@ func (config Config) New() (authenticator.Request, error) {
authenticator
=
group
.
NewAuthenticatedGroupAdder
(
authenticator
)
if
config
.
Anonymous
{
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
// or invalid username/password combination anonymous).
authenticator
=
union
.
NewFailOnError
(
authenticator
,
anonymous
.
NewAuthenticator
())
}
return
authenticator
,
nil
}
...
...
pkg/kubeapiserver/options/authentication.go
View file @
3cafde2e
...
...
@@ -25,16 +25,13 @@ import (
"github.com/spf13/pflag"
"k8s.io/klog"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver
"k8s.io/apiserver/pkg/server"
kubeauthenticator
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
type
BuiltInAuthenticationOptions
struct
{
APIAudiences
[]
string
Anonymous
*
AnonymousAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
TokenFile
*
TokenFileAuthenticationOptions
...
...
@@ -44,10 +41,6 @@ type BuiltInAuthenticationOptions struct {
TokenFailureCacheTTL
time
.
Duration
}
type
AnonymousAuthenticationOptions
struct
{
Allow
bool
}
type
PasswordFileAuthenticationOptions
struct
{
BasicAuthFile
string
}
...
...
@@ -77,18 +70,12 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
return
s
.
WithAnonymous
()
.
WithPasswordFile
()
.
WithServiceAccounts
()
.
WithTokenFile
()
.
WithWebHook
()
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithAnonymous
()
*
BuiltInAuthenticationOptions
{
s
.
Anonymous
=
&
AnonymousAuthenticationOptions
{
Allow
:
true
}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
return
s
...
...
@@ -131,13 +118,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
"--service-account-issuer flag is configured and this flag is not, this field "
+
"defaults to a single element list containing the issuer URL ."
)
if
s
.
Anonymous
!=
nil
{
fs
.
BoolVar
(
&
s
.
Anonymous
.
Allow
,
"anonymous-auth"
,
s
.
Anonymous
.
Allow
,
""
+
"Enables anonymous requests to the secure port of the API server. "
+
"Requests that are not rejected by another authentication method are treated as anonymous requests. "
+
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated."
)
}
if
s
.
PasswordFile
!=
nil
{
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
...
...
@@ -192,10 +172,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
TokenFailureCacheTTL
:
s
.
TokenFailureCacheTTL
,
}
if
s
.
Anonymous
!=
nil
{
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
if
s
.
PasswordFile
!=
nil
{
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
}
...
...
@@ -249,14 +225,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func
(
o
*
BuiltInAuthenticationOptions
)
ApplyAuthorization
(
authorization
*
BuiltInAuthorizationOptions
)
{
if
o
==
nil
||
authorization
==
nil
||
o
.
Anonymous
==
nil
{
if
o
==
nil
||
authorization
==
nil
{
return
}
// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
// in such a case the AnonymousAuth is stomped to false and you get a message
if
o
.
Anonymous
.
Allow
&&
sets
.
NewString
(
authorization
.
Modes
...
)
.
Has
(
authzmodes
.
ModeAlwaysAllow
)
{
klog
.
Warningf
(
"AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer"
)
o
.
Anonymous
.
Allow
=
false
}
}
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
View file @
3cafde2e
...
...
@@ -23,7 +23,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
unionauth
"k8s.io/apiserver/pkg/authentication/request/union"
...
...
@@ -38,8 +37,6 @@ import (
// DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
// built to delegate authentication to a kube API server
type
DelegatingAuthenticatorConfig
struct
{
Anonymous
bool
// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
TokenAccessReviewClient
authenticationclient
.
TokenReviewInterface
...
...
@@ -94,15 +91,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
}
if
len
(
authenticators
)
==
0
{
if
c
.
Anonymous
{
return
anonymous
.
NewAuthenticator
(),
nil
}
return
nil
,
errors
.
New
(
"No authentication method configured"
)
}
authenticator
:=
group
.
NewAuthenticatedGroupAdder
(
unionauth
.
New
(
authenticators
...
))
if
c
.
Anonymous
{
authenticator
=
unionauth
.
NewFailOnError
(
authenticator
,
anonymous
.
NewAuthenticator
())
}
return
authenticator
,
nil
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
deleted
100644 → 0
View file @
b9c72ff9
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["anonymous_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
go_library(
name = "go_default_library",
srcs = ["anonymous.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
deleted
100644 → 0
View file @
b9c72ff9
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
anonymous
import
(
"net/http"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
const
(
anonymousUser
=
user
.
Anonymous
unauthenticatedGroup
=
user
.
AllUnauthenticated
)
func
NewAuthenticator
()
authenticator
.
Request
{
return
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
*
authenticator
.
Response
,
bool
,
error
)
{
auds
,
_
:=
authenticator
.
AudiencesFrom
(
req
.
Context
())
return
&
authenticator
.
Response
{
User
:
&
user
.
DefaultInfo
{
Name
:
anonymousUser
,
Groups
:
[]
string
{
unauthenticatedGroup
},
},
Audiences
:
auds
,
},
true
,
nil
})
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
deleted
100644 → 0
View file @
b9c72ff9
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
anonymous
import
(
"net/http"
"testing"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
func
TestAnonymous
(
t
*
testing
.
T
)
{
var
a
authenticator
.
Request
=
NewAuthenticator
()
r
,
ok
,
err
:=
a
.
AuthenticateRequest
(
&
http
.
Request
{})
if
err
!=
nil
{
t
.
Fatalf
(
"Unexpected error %v"
,
err
)
}
if
!
ok
{
t
.
Fatalf
(
"Unexpectedly unauthenticated"
)
}
if
r
.
User
.
GetName
()
!=
user
.
Anonymous
{
t
.
Fatalf
(
"Expected username %s, got %s"
,
user
.
Anonymous
,
r
.
User
.
GetName
())
}
if
!
sets
.
NewString
(
r
.
User
.
GetGroups
()
...
)
.
Equal
(
sets
.
NewString
(
user
.
AllUnauthenticated
))
{
t
.
Fatalf
(
"Expected group %s, got %v"
,
user
.
AllUnauthenticated
,
r
.
User
.
GetGroups
())
}
}
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
3cafde2e
...
...
@@ -96,7 +96,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
}
cfg
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
Anonymous
:
true
,
CacheTTL
:
s
.
CacheTTL
,
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment