Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
cf3a9309
Unverified
Commit
cf3a9309
authored
Oct 15, 2018
by
k8s-ci-robot
Committed by
GitHub
Oct 15, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #69607 from mikedanese/audctx
tokenreview: add APIAudiences config to generic API server and augment context
parents
e42f5215
21fd8f20
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
58 additions
and
9 deletions
+58
-9
serve.go
cmd/controller-manager/app/serve.go
+1
-1
server.go
cmd/kube-scheduler/app/server.go
+1
-1
authentication.go
pkg/kubeapiserver/options/authentication.go
+4
-3
insecure_handler.go
pkg/kubeapiserver/server/insecure_handler.go
+1
-1
BUILD
...c/k8s.io/apiserver/pkg/authentication/authenticator/BUILD
+4
-1
helpers.go
....io/apiserver/pkg/authentication/authenticator/helpers.go
+20
-0
authentication.go
.../k8s.io/apiserver/pkg/endpoints/filters/authentication.go
+4
-1
authentication_test.go
...io/apiserver/pkg/endpoints/filters/authentication_test.go
+3
-0
BUILD
staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD
+1
-0
context.go
...ing/src/k8s.io/apiserver/pkg/endpoints/request/context.go
+15
-0
config.go
staging/src/k8s.io/apiserver/pkg/server/config.go
+4
-1
No files found.
cmd/controller-manager/app/serve.go
View file @
cf3a9309
...
@@ -44,7 +44,7 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
...
@@ -44,7 +44,7 @@ func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.Aut
handler
=
genericapifilters
.
WithAuthorization
(
apiHandler
,
authorizationInfo
.
Authorizer
,
legacyscheme
.
Codecs
)
handler
=
genericapifilters
.
WithAuthorization
(
apiHandler
,
authorizationInfo
.
Authorizer
,
legacyscheme
.
Codecs
)
}
}
if
authenticationInfo
!=
nil
{
if
authenticationInfo
!=
nil
{
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
authenticationInfo
.
Authenticator
,
failedHandler
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
authenticationInfo
.
Authenticator
,
failedHandler
,
nil
)
}
}
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericfilters
.
WithPanicRecovery
(
handler
)
handler
=
genericfilters
.
WithPanicRecovery
(
handler
)
...
...
cmd/kube-scheduler/app/server.go
View file @
cf3a9309
...
@@ -252,7 +252,7 @@ func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz
...
@@ -252,7 +252,7 @@ func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericapifilters
.
WithAuthorization
(
handler
,
authz
,
legacyscheme
.
Codecs
)
handler
=
genericapifilters
.
WithAuthorization
(
handler
,
authz
,
legacyscheme
.
Codecs
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
authn
,
failedHandler
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
authn
,
failedHandler
,
nil
)
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericapifilters
.
WithRequestInfo
(
handler
,
requestInfoResolver
)
handler
=
genericfilters
.
WithPanicRecovery
(
handler
)
handler
=
genericfilters
.
WithPanicRecovery
(
handler
)
...
...
pkg/kubeapiserver/options/authentication.go
View file @
cf3a9309
...
@@ -29,7 +29,7 @@ import (
...
@@ -29,7 +29,7 @@ import (
genericapiserver
"k8s.io/apiserver/pkg/server"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericoptions
"k8s.io/apiserver/pkg/server/options"
genericoptions
"k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/util/flag"
"k8s.io/apiserver/pkg/util/flag"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
kubeauthenticator
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
)
...
@@ -283,8 +283,8 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -283,8 +283,8 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
()
authenticator
.
AuthenticatorConfig
{
func
(
s
*
BuiltInAuthenticationOptions
)
ToAuthenticationConfig
()
kube
authenticator
.
AuthenticatorConfig
{
ret
:=
authenticator
.
AuthenticatorConfig
{
ret
:=
kube
authenticator
.
AuthenticatorConfig
{
TokenSuccessCacheTTL
:
s
.
TokenSuccessCacheTTL
,
TokenSuccessCacheTTL
:
s
.
TokenSuccessCacheTTL
,
TokenFailureCacheTTL
:
s
.
TokenFailureCacheTTL
,
TokenFailureCacheTTL
:
s
.
TokenFailureCacheTTL
,
}
}
...
@@ -367,6 +367,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
...
@@ -367,6 +367,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
}
}
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
SupportsBasicAuth
=
o
.
PasswordFile
!=
nil
&&
len
(
o
.
PasswordFile
.
BasicAuthFile
)
>
0
c
.
Authentication
.
APIAudiences
=
o
.
ServiceAccounts
.
APIAudiences
return
nil
return
nil
}
}
...
...
pkg/kubeapiserver/server/insecure_handler.go
View file @
cf3a9309
...
@@ -32,7 +32,7 @@ import (
...
@@ -32,7 +32,7 @@ import (
func
BuildInsecureHandlerChain
(
apiHandler
http
.
Handler
,
c
*
server
.
Config
)
http
.
Handler
{
func
BuildInsecureHandlerChain
(
apiHandler
http
.
Handler
,
c
*
server
.
Config
)
http
.
Handler
{
handler
:=
apiHandler
handler
:=
apiHandler
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
server
.
InsecureSuperuser
{},
nil
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
server
.
InsecureSuperuser
{},
nil
,
nil
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithMaxInFlightLimit
(
handler
,
c
.
MaxRequestsInFlight
,
c
.
MaxMutatingRequestsInFlight
,
c
.
LongRunningFunc
)
handler
=
genericfilters
.
WithMaxInFlightLimit
(
handler
,
c
.
MaxRequestsInFlight
,
c
.
MaxMutatingRequestsInFlight
,
c
.
LongRunningFunc
)
...
...
staging/src/k8s.io/apiserver/pkg/authentication/authenticator/BUILD
View file @
cf3a9309
...
@@ -7,7 +7,10 @@ load(
...
@@ -7,7 +7,10 @@ load(
go_library(
go_library(
name = "go_default_library",
name = "go_default_library",
srcs = ["interfaces.go"],
srcs = [
"helpers.go",
"interfaces.go",
],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator",
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/authenticator",
importpath = "k8s.io/apiserver/pkg/authentication/authenticator",
importpath = "k8s.io/apiserver/pkg/authentication/authenticator",
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"],
...
...
staging/src/k8s.io/apiserver/pkg/authentication/authenticator/helpers.go
0 → 100644
View file @
cf3a9309
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
authenticator
// Audiences is a container for the Audiences of a token.
type
Audiences
[]
string
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go
View file @
cf3a9309
...
@@ -50,12 +50,15 @@ func init() {
...
@@ -50,12 +50,15 @@ func init() {
// stores any such user found onto the provided context for the request. If authentication fails or returns an error
// stores any such user found onto the provided context for the request. If authentication fails or returns an error
// the failed handler is used. On success, "Authorization" header is removed from the request and handler
// the failed handler is used. On success, "Authorization" header is removed from the request and handler
// is invoked to serve the request.
// is invoked to serve the request.
func
WithAuthentication
(
handler
http
.
Handler
,
auth
authenticator
.
Request
,
failed
http
.
Handler
)
http
.
Handler
{
func
WithAuthentication
(
handler
http
.
Handler
,
auth
authenticator
.
Request
,
failed
http
.
Handler
,
apiAuds
authenticator
.
Audiences
)
http
.
Handler
{
if
auth
==
nil
{
if
auth
==
nil
{
glog
.
Warningf
(
"Authentication is disabled"
)
glog
.
Warningf
(
"Authentication is disabled"
)
return
handler
return
handler
}
}
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
if
len
(
apiAuds
)
>
0
{
req
=
req
.
WithContext
(
genericapirequest
.
WithAudiences
(
req
.
Context
(),
apiAuds
))
}
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
user
,
ok
,
err
:=
auth
.
AuthenticateRequest
(
req
)
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
||
!
ok
{
if
err
!=
nil
{
if
err
!=
nil
{
...
...
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go
View file @
cf3a9309
...
@@ -50,6 +50,7 @@ func TestAuthenticateRequest(t *testing.T) {
...
@@ -50,6 +50,7 @@ func TestAuthenticateRequest(t *testing.T) {
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
t
.
Errorf
(
"unexpected call to failed"
)
t
.
Errorf
(
"unexpected call to failed"
)
}),
}),
nil
,
)
)
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{
Header
:
map
[
string
][]
string
{
"Authorization"
:
{
"Something"
}}})
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{
Header
:
map
[
string
][]
string
{
"Authorization"
:
{
"Something"
}}})
...
@@ -69,6 +70,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
...
@@ -69,6 +70,7 @@ func TestAuthenticateRequestFailed(t *testing.T) {
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
close
(
failed
)
close
(
failed
)
}),
}),
nil
,
)
)
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{})
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{})
...
@@ -88,6 +90,7 @@ func TestAuthenticateRequestError(t *testing.T) {
...
@@ -88,6 +90,7 @@ func TestAuthenticateRequestError(t *testing.T) {
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
http
.
HandlerFunc
(
func
(
_
http
.
ResponseWriter
,
_
*
http
.
Request
)
{
close
(
failed
)
close
(
failed
)
}),
}),
nil
,
)
)
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{})
auth
.
ServeHTTP
(
httptest
.
NewRecorder
(),
&
http
.
Request
{})
...
...
staging/src/k8s.io/apiserver/pkg/endpoints/request/BUILD
View file @
cf3a9309
...
@@ -35,6 +35,7 @@ go_library(
...
@@ -35,6 +35,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
],
...
...
staging/src/k8s.io/apiserver/pkg/endpoints/request/context.go
View file @
cf3a9309
...
@@ -21,6 +21,7 @@ import (
...
@@ -21,6 +21,7 @@ import (
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/apis/audit"
"k8s.io/apiserver/pkg/apis/audit"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
)
)
...
@@ -36,6 +37,9 @@ const (
...
@@ -36,6 +37,9 @@ const (
// auditKey is the context key for the audit event.
// auditKey is the context key for the audit event.
auditKey
auditKey
// audiencesKey is the context key for request audiences.
audiencesKey
)
)
// NewContext instantiates a base context object for request flows.
// NewContext instantiates a base context object for request flows.
...
@@ -91,3 +95,14 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
...
@@ -91,3 +95,14 @@ func AuditEventFrom(ctx context.Context) *audit.Event {
ev
,
_
:=
ctx
.
Value
(
auditKey
)
.
(
*
audit
.
Event
)
ev
,
_
:=
ctx
.
Value
(
auditKey
)
.
(
*
audit
.
Event
)
return
ev
return
ev
}
}
// WithAudiences returns a context that stores a request's expected audiences.
func
WithAudiences
(
ctx
context
.
Context
,
auds
authenticator
.
Audiences
)
context
.
Context
{
return
context
.
WithValue
(
ctx
,
audiencesKey
,
auds
)
}
// AudiencesFrom returns a request's expected audiences stored in the request context.
func
AudiencesFrom
(
ctx
context
.
Context
)
(
authenticator
.
Audiences
,
bool
)
{
auds
,
ok
:=
ctx
.
Value
(
audiencesKey
)
.
(
authenticator
.
Audiences
)
return
auds
,
ok
}
staging/src/k8s.io/apiserver/pkg/server/config.go
View file @
cf3a9309
...
@@ -227,6 +227,9 @@ type SecureServingInfo struct {
...
@@ -227,6 +227,9 @@ type SecureServingInfo struct {
}
}
type
AuthenticationInfo
struct
{
type
AuthenticationInfo
struct
{
// APIAudiences is a list of identifier that the API identifies as. This is
// used by some authenticators to validate audience bound credentials.
APIAudiences
authenticator
.
Audiences
// Authenticator determines which subject is making the request
// Authenticator determines which subject is making the request
Authenticator
authenticator
.
Request
Authenticator
authenticator
.
Request
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
// SupportsBasicAuth indicates that's at least one Authenticator supports basic auth
...
@@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
...
@@ -534,7 +537,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
handler
=
genericapifilters
.
WithAudit
(
handler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
,
c
.
LongRunningFunc
)
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
Serializer
,
c
.
Authentication
.
SupportsBasicAuth
)
failedHandler
:=
genericapifilters
.
Unauthorized
(
c
.
Serializer
,
c
.
Authentication
.
SupportsBasicAuth
)
failedHandler
=
genericapifilters
.
WithFailedAuthenticationAudit
(
failedHandler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
)
failedHandler
=
genericapifilters
.
WithFailedAuthenticationAudit
(
failedHandler
,
c
.
AuditBackend
,
c
.
AuditPolicyChecker
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
Authentication
.
Authenticator
,
failedHandler
)
handler
=
genericapifilters
.
WithAuthentication
(
handler
,
c
.
Authentication
.
Authenticator
,
failedHandler
,
c
.
Authentication
.
APIAudiences
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithCORS
(
handler
,
c
.
CorsAllowedOriginList
,
nil
,
nil
,
nil
,
"true"
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithTimeoutForNonLongRunningRequests
(
handler
,
c
.
LongRunningFunc
,
c
.
RequestTimeout
)
handler
=
genericfilters
.
WithWaitGroup
(
handler
,
c
.
LongRunningFunc
,
c
.
HandlerChainWaitGroup
)
handler
=
genericfilters
.
WithWaitGroup
(
handler
,
c
.
LongRunningFunc
,
c
.
HandlerChainWaitGroup
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment