Commit eb3b0e78 authored by CJ Cullen's avatar CJ Cullen

Add a webhook token authenticator plugin.

parent 1d096d29
......@@ -35,31 +35,36 @@ import (
// APIServer runs a kubernetes api server.
type APIServer struct {
*genericapiserver.ServerRunOptions
AdmissionControl string
AdmissionControlConfigFile string
AllowPrivileged bool
AuthorizationMode string
AuthorizationConfig apiserver.AuthorizationConfig
BasicAuthFile string
DefaultStorageMediaType string
DeleteCollectionWorkers int
EtcdServersOverrides []string
EventTTL time.Duration
KeystoneURL string
KubeletConfig kubeletclient.KubeletClientConfig
MasterServiceNamespace string
MaxConnectionBytesPerSec int64
OIDCCAFile string
OIDCClientID string
OIDCIssuerURL string
OIDCUsernameClaim string
OIDCGroupsClaim string
SSHKeyfile string
SSHUser string
ServiceAccountKeyFile string
ServiceAccountLookup bool
TokenAuthFile string
WatchCacheSizes []string
AdmissionControl string
AdmissionControlConfigFile string
AllowPrivileged bool
AuthorizationMode string
AuthorizationConfig apiserver.AuthorizationConfig
BasicAuthFile string
DefaultStorageMediaType string
DeleteCollectionWorkers int
EtcdServersOverrides []string
EventTTL time.Duration
KeystoneURL string
KubeletConfig kubeletclient.KubeletClientConfig
MasterServiceNamespace string
MaxConnectionBytesPerSec int64
OIDCCAFile string
OIDCClientID string
OIDCIssuerURL string
OIDCUsernameClaim string
OIDCGroupsClaim string
SSHKeyfile string
SSHUser string
ServiceAccountKeyFile string
ServiceAccountLookup bool
WebhookTokenAuthnConfigFile string
// The default values for StorageVersions. StorageVersions overrides
// these; you can change this if you want to change the defaults (e.g.,
// for testing). This is not actually exposed as a flag.
DefaultStorageVersions string
TokenAuthFile string
WatchCacheSizes []string
}
// NewAPIServer creates a new APIServer object with default parameters
......@@ -104,6 +109,7 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, "File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
fs.StringVar(&s.AuthorizationConfig.WebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationConfig.WebhookConfigFile, "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.")
fs.StringVar(&s.WebhookTokenAuthnConfigFile, "authentication-token-webhook-config-file", s.WebhookTokenAuthnConfigFile, "File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.")
fs.StringVar(&s.AdmissionControl, "admission-control", s.AdmissionControl, "Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: "+strings.Join(admission.GetPlugins(), ", "))
fs.StringVar(&s.AdmissionControlConfigFile, "admission-control-config-file", s.AdmissionControlConfigFile, "File with admission control configuration.")
fs.StringSliceVar(&s.EtcdServersOverrides, "etcd-servers-overrides", s.EtcdServersOverrides, "Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated.")
......
......@@ -177,18 +177,19 @@ func Run(s *options.APIServer) error {
}
authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
BasicAuthFile: s.BasicAuthFile,
ClientCAFile: s.ClientCAFile,
TokenAuthFile: s.TokenAuthFile,
OIDCIssuerURL: s.OIDCIssuerURL,
OIDCClientID: s.OIDCClientID,
OIDCCAFile: s.OIDCCAFile,
OIDCUsernameClaim: s.OIDCUsernameClaim,
OIDCGroupsClaim: s.OIDCGroupsClaim,
ServiceAccountKeyFile: s.ServiceAccountKeyFile,
ServiceAccountLookup: s.ServiceAccountLookup,
ServiceAccountTokenGetter: serviceAccountGetter,
KeystoneURL: s.KeystoneURL,
BasicAuthFile: s.BasicAuthFile,
ClientCAFile: s.ClientCAFile,
TokenAuthFile: s.TokenAuthFile,
OIDCIssuerURL: s.OIDCIssuerURL,
OIDCClientID: s.OIDCClientID,
OIDCCAFile: s.OIDCCAFile,
OIDCUsernameClaim: s.OIDCUsernameClaim,
OIDCGroupsClaim: s.OIDCGroupsClaim,
ServiceAccountKeyFile: s.ServiceAccountKeyFile,
ServiceAccountLookup: s.ServiceAccountLookup,
ServiceAccountTokenGetter: serviceAccountGetter,
KeystoneURL: s.KeystoneURL,
WebhookTokenAuthnConfigFile: s.WebhookTokenAuthnConfigFile,
})
if err != nil {
......
......@@ -35,6 +35,8 @@ func main() {
arguments.InputDirs = []string{
"k8s.io/kubernetes/pkg/api/v1",
"k8s.io/kubernetes/pkg/api",
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io",
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1",
"k8s.io/kubernetes/pkg/apis/authorization",
"k8s.io/kubernetes/pkg/apis/authorization/v1beta1",
"k8s.io/kubernetes/pkg/apis/autoscaling",
......
......@@ -35,6 +35,8 @@ func main() {
arguments.InputDirs = []string{
"k8s.io/kubernetes/pkg/api",
"k8s.io/kubernetes/pkg/api/v1",
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io",
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1",
"k8s.io/kubernetes/pkg/apis/authorization",
"k8s.io/kubernetes/pkg/apis/authorization/v1beta1",
"k8s.io/kubernetes/pkg/apis/autoscaling",
......
......@@ -56,6 +56,7 @@ kube-apiserver
--advertise-address=<nil>: The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
--allow-privileged[=false]: If true, allow privileged containers.
--apiserver-count=1: The number of apiservers running in the cluster
--authentication-token-webhook-config-file="": File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
--authorization-mode="AlwaysAllow": Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook
--authorization-policy-file="": File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.
--authorization-webhook-config-file="": File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.
......@@ -111,7 +112,7 @@ kube-apiserver
--ssh-user="": If non-empty, use secure SSH proxy to the nodes, using this user name
--storage-backend="": The storage backend for persistence. Options: 'etcd2' (default), 'etcd3'.
--storage-media-type="application/json": The media type to use to store objects in storage. Defaults to application/json. Some resources may only support a specific media type and will ignore this setting.
--storage-versions="apps/v1alpha1,authorization.k8s.io/v1beta1,autoscaling/v1,batch/v1,componentconfig/v1alpha1,extensions/v1beta1,metrics/v1alpha1,policy/v1alpha1,v1": The per-group version to store resources in. Specified in the format "group1/version1,group2/version2,...". In the case where objects are moved from one group to the other, you may specify the format "group1=group2/v1beta1,group3/v1beta1,...". You only need to pass the groups you wish to change from the defaults. It defaults to a list of preferred versions of all registered groups, which is derived from the KUBE_API_VERSIONS environment variable.
--storage-versions="apps/v1alpha1,authentication.k8s.io/v1beta1,authorization.k8s.io/v1beta1,autoscaling/v1,batch/v1,componentconfig/v1alpha1,extensions/v1beta1,metrics/v1alpha1,policy/v1alpha1,v1": The per-group version to store resources in. Specified in the format "group1/version1,group2/version2,...". In the case where objects are moved from one group to the other, you may specify the format "group1=group2/v1beta1,group3/v1beta1,...". You only need to pass the groups you wish to change from the defaults. It defaults to a list of preferred versions of all registered groups, which is derived from the KUBE_API_VERSIONS environment variable.
--tls-cert-file="": File containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to /var/run/kubernetes.
--tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
--token-auth-file="": If set, the file that will be used to secure the secure port of the API server via token authentication.
......
......@@ -18,6 +18,7 @@ api-token
api-version
apiserver-count
auth-path
authentication-token-webhook-config-file
authorization-mode
authorization-policy-file
authorization-webhook-config-file
......
// +build !ignore_autogenerated
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file was autogenerated by deepcopy-gen. Do not edit it manually!
package authentication
import (
api "k8s.io/kubernetes/pkg/api"
unversioned "k8s.io/kubernetes/pkg/api/unversioned"
conversion "k8s.io/kubernetes/pkg/conversion"
)
func init() {
if err := api.Scheme.AddGeneratedDeepCopyFuncs(
DeepCopy_authenticationk8sio_TokenReview,
DeepCopy_authenticationk8sio_TokenReviewSpec,
DeepCopy_authenticationk8sio_TokenReviewStatus,
DeepCopy_authenticationk8sio_UserInfo,
); err != nil {
// if one of the deep copy functions is malformed, detect it immediately.
panic(err)
}
}
func DeepCopy_authenticationk8sio_TokenReview(in TokenReview, out *TokenReview, c *conversion.Cloner) error {
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_authenticationk8sio_TokenReviewSpec(in.Spec, &out.Spec, c); err != nil {
return err
}
if err := DeepCopy_authenticationk8sio_TokenReviewStatus(in.Status, &out.Status, c); err != nil {
return err
}
return nil
}
func DeepCopy_authenticationk8sio_TokenReviewSpec(in TokenReviewSpec, out *TokenReviewSpec, c *conversion.Cloner) error {
out.Token = in.Token
return nil
}
func DeepCopy_authenticationk8sio_TokenReviewStatus(in TokenReviewStatus, out *TokenReviewStatus, c *conversion.Cloner) error {
out.Authenticated = in.Authenticated
if err := DeepCopy_authenticationk8sio_UserInfo(in.User, &out.User, c); err != nil {
return err
}
return nil
}
func DeepCopy_authenticationk8sio_UserInfo(in UserInfo, out *UserInfo, c *conversion.Cloner) error {
out.Username = in.Username
out.UID = in.UID
if in.Groups != nil {
in, out := in.Groups, &out.Groups
*out = make([]string, len(in))
copy(*out, in)
} else {
out.Groups = nil
}
if in.Extra != nil {
in, out := in.Extra, &out.Extra
*out = make(map[string][]string)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
} else {
(*out)[key] = newVal.([]string)
}
}
} else {
out.Extra = nil
}
return nil
}
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package install installs the experimental API group, making it available as
// an option to all of the API encoding/decoding machinery.
package install
import (
"fmt"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/meta"
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apimachinery"
"k8s.io/kubernetes/pkg/apimachinery/registered"
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io"
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1"
"k8s.io/kubernetes/pkg/runtime"
"k8s.io/kubernetes/pkg/util/sets"
)
const importPrefix = "k8s.io/kubernetes/pkg/apis/authentication.k8s.io"
var accessor = meta.NewAccessor()
// availableVersions lists all known external versions for this group from most preferred to least preferred
var availableVersions = []unversioned.GroupVersion{v1beta1.SchemeGroupVersion}
func init() {
registered.RegisterVersions(availableVersions)
externalVersions := []unversioned.GroupVersion{}
for _, v := range availableVersions {
if registered.IsAllowedVersion(v) {
externalVersions = append(externalVersions, v)
}
}
if len(externalVersions) == 0 {
glog.V(4).Infof("No version is registered for group %v", authentication.GroupName)
return
}
if err := registered.EnableVersions(externalVersions...); err != nil {
glog.V(4).Infof("%v", err)
return
}
if err := enableVersions(externalVersions); err != nil {
glog.V(4).Infof("%v", err)
return
}
}
// TODO: enableVersions should be centralized rather than spread in each API
// group.
// We can combine registered.RegisterVersions, registered.EnableVersions and
// registered.RegisterGroup once we have moved enableVersions there.
func enableVersions(externalVersions []unversioned.GroupVersion) error {
addVersionsToScheme(externalVersions...)
preferredExternalVersion := externalVersions[0]
groupMeta := apimachinery.GroupMeta{
GroupVersion: preferredExternalVersion,
GroupVersions: externalVersions,
RESTMapper: newRESTMapper(externalVersions),
SelfLinker: runtime.SelfLinker(accessor),
InterfacesFor: interfacesFor,
}
if err := registered.RegisterGroup(groupMeta); err != nil {
return err
}
api.RegisterRESTMapper(groupMeta.RESTMapper)
return nil
}
func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
// add the internal version to Scheme
authentication.AddToScheme(api.Scheme)
// add the enabled external versions to Scheme
for _, v := range externalVersions {
if !registered.IsEnabledVersion(v) {
glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
continue
}
switch v {
case v1beta1.SchemeGroupVersion:
v1beta1.AddToScheme(api.Scheme)
}
}
}
func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
rootScoped := sets.NewString("TokenReview")
ignoredKinds := sets.NewString()
return api.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
}
func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
switch version {
case v1beta1.SchemeGroupVersion:
return &meta.VersionInterfaces{
ObjectConvertor: api.Scheme,
MetadataAccessor: accessor,
}, nil
default:
g, _ := registered.Group(authentication.GroupName)
return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
}
}
/*
Copyright 2015 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package authentication
import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/runtime"
)
// GroupName is the group name use in this package
const GroupName = "authentication.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
// Kind takes an unqualified kind and returns back a Group qualified GroupKind
func Kind(kind string) unversioned.GroupKind {
return SchemeGroupVersion.WithKind(kind).GroupKind()
}
// Resource takes an unqualified resource and returns back a Group qualified GroupResource
func Resource(resource string) unversioned.GroupResource {
return SchemeGroupVersion.WithResource(resource).GroupResource()
}
func AddToScheme(scheme *runtime.Scheme) {
addKnownTypes(scheme)
}
func addKnownTypes(scheme *runtime.Scheme) {
scheme.AddKnownTypes(SchemeGroupVersion,
&TokenReview{},
)
}
func (obj *TokenReview) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package authentication
import (
"k8s.io/kubernetes/pkg/api/unversioned"
)
// TokenReview attempts to authenticate a token to a known user.
type TokenReview struct {
unversioned.TypeMeta
// Spec holds information about the request being evaluated
Spec TokenReviewSpec
// Status is filled in by the server and indicates whether the request can be authenticated.
Status TokenReviewStatus
}
// TokenReviewSpec is a description of the token authentication request.
type TokenReviewSpec struct {
// Token is the opaque bearer token.
Token string
}
// TokenReviewStatus is the result of the token authentication request.
type TokenReviewStatus struct {
// Authenticated indicates that the token was associated with a known user.
Authenticated bool
// User is the UserInfo associated with the provided token.
User UserInfo
}
// UserInfo holds the information about the user needed to implement the
// user.Info interface.
type UserInfo struct {
// The name that uniquely identifies this user among all active users.
Username string
// A unique value that identifies this user across time. If this user is
// deleted and another user by the same name is added, they will have
// different UIDs.
UID string
// The names of groups this user is a part of.
Groups []string
// Any additional information provided by the authenticator.
Extra map[string][]string
}
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/kubernetes/pkg/runtime"
)
func addConversionFuncs(scheme *runtime.Scheme) {
// Add non-generated conversion functions
err := scheme.AddConversionFuncs()
if err != nil {
// If one of the conversion functions is malformed, detect it immediately.
panic(err)
}
}
// +build !ignore_autogenerated
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file was autogenerated by conversion-gen. Do not edit it manually!
package v1beta1
import (
api "k8s.io/kubernetes/pkg/api"
authentication_k8s_io "k8s.io/kubernetes/pkg/apis/authentication.k8s.io"
conversion "k8s.io/kubernetes/pkg/conversion"
)
func init() {
if err := api.Scheme.AddGeneratedConversionFuncs(
Convert_v1beta1_TokenReview_To_authenticationk8sio_TokenReview,
Convert_authenticationk8sio_TokenReview_To_v1beta1_TokenReview,
Convert_v1beta1_TokenReviewSpec_To_authenticationk8sio_TokenReviewSpec,
Convert_authenticationk8sio_TokenReviewSpec_To_v1beta1_TokenReviewSpec,
Convert_v1beta1_TokenReviewStatus_To_authenticationk8sio_TokenReviewStatus,
Convert_authenticationk8sio_TokenReviewStatus_To_v1beta1_TokenReviewStatus,
Convert_v1beta1_UserInfo_To_authenticationk8sio_UserInfo,
Convert_authenticationk8sio_UserInfo_To_v1beta1_UserInfo,
); err != nil {
// if one of the conversion functions is malformed, detect it immediately.
panic(err)
}
}
func autoConvert_v1beta1_TokenReview_To_authenticationk8sio_TokenReview(in *TokenReview, out *authentication_k8s_io.TokenReview, s conversion.Scope) error {
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
return err
}
if err := Convert_v1beta1_TokenReviewSpec_To_authenticationk8sio_TokenReviewSpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
if err := Convert_v1beta1_TokenReviewStatus_To_authenticationk8sio_TokenReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
func Convert_v1beta1_TokenReview_To_authenticationk8sio_TokenReview(in *TokenReview, out *authentication_k8s_io.TokenReview, s conversion.Scope) error {
return autoConvert_v1beta1_TokenReview_To_authenticationk8sio_TokenReview(in, out, s)
}
func autoConvert_authenticationk8sio_TokenReview_To_v1beta1_TokenReview(in *authentication_k8s_io.TokenReview, out *TokenReview, s conversion.Scope) error {
if err := api.Convert_unversioned_TypeMeta_To_unversioned_TypeMeta(&in.TypeMeta, &out.TypeMeta, s); err != nil {
return err
}
if err := Convert_authenticationk8sio_TokenReviewSpec_To_v1beta1_TokenReviewSpec(&in.Spec, &out.Spec, s); err != nil {
return err
}
if err := Convert_authenticationk8sio_TokenReviewStatus_To_v1beta1_TokenReviewStatus(&in.Status, &out.Status, s); err != nil {
return err
}
return nil
}
func Convert_authenticationk8sio_TokenReview_To_v1beta1_TokenReview(in *authentication_k8s_io.TokenReview, out *TokenReview, s conversion.Scope) error {
return autoConvert_authenticationk8sio_TokenReview_To_v1beta1_TokenReview(in, out, s)
}
func autoConvert_v1beta1_TokenReviewSpec_To_authenticationk8sio_TokenReviewSpec(in *TokenReviewSpec, out *authentication_k8s_io.TokenReviewSpec, s conversion.Scope) error {
out.Token = in.Token
return nil
}
func Convert_v1beta1_TokenReviewSpec_To_authenticationk8sio_TokenReviewSpec(in *TokenReviewSpec, out *authentication_k8s_io.TokenReviewSpec, s conversion.Scope) error {
return autoConvert_v1beta1_TokenReviewSpec_To_authenticationk8sio_TokenReviewSpec(in, out, s)
}
func autoConvert_authenticationk8sio_TokenReviewSpec_To_v1beta1_TokenReviewSpec(in *authentication_k8s_io.TokenReviewSpec, out *TokenReviewSpec, s conversion.Scope) error {
out.Token = in.Token
return nil
}
func Convert_authenticationk8sio_TokenReviewSpec_To_v1beta1_TokenReviewSpec(in *authentication_k8s_io.TokenReviewSpec, out *TokenReviewSpec, s conversion.Scope) error {
return autoConvert_authenticationk8sio_TokenReviewSpec_To_v1beta1_TokenReviewSpec(in, out, s)
}
func autoConvert_v1beta1_TokenReviewStatus_To_authenticationk8sio_TokenReviewStatus(in *TokenReviewStatus, out *authentication_k8s_io.TokenReviewStatus, s conversion.Scope) error {
out.Authenticated = in.Authenticated
if err := Convert_v1beta1_UserInfo_To_authenticationk8sio_UserInfo(&in.User, &out.User, s); err != nil {
return err
}
return nil
}
func Convert_v1beta1_TokenReviewStatus_To_authenticationk8sio_TokenReviewStatus(in *TokenReviewStatus, out *authentication_k8s_io.TokenReviewStatus, s conversion.Scope) error {
return autoConvert_v1beta1_TokenReviewStatus_To_authenticationk8sio_TokenReviewStatus(in, out, s)
}
func autoConvert_authenticationk8sio_TokenReviewStatus_To_v1beta1_TokenReviewStatus(in *authentication_k8s_io.TokenReviewStatus, out *TokenReviewStatus, s conversion.Scope) error {
out.Authenticated = in.Authenticated
if err := Convert_authenticationk8sio_UserInfo_To_v1beta1_UserInfo(&in.User, &out.User, s); err != nil {
return err
}
return nil
}
func Convert_authenticationk8sio_TokenReviewStatus_To_v1beta1_TokenReviewStatus(in *authentication_k8s_io.TokenReviewStatus, out *TokenReviewStatus, s conversion.Scope) error {
return autoConvert_authenticationk8sio_TokenReviewStatus_To_v1beta1_TokenReviewStatus(in, out, s)
}
func autoConvert_v1beta1_UserInfo_To_authenticationk8sio_UserInfo(in *UserInfo, out *authentication_k8s_io.UserInfo, s conversion.Scope) error {
out.Username = in.Username
out.UID = in.UID
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
} else {
out.Groups = nil
}
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string][]string, len(*in))
for key, val := range *in {
newVal := new([]string)
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&val, newVal, 0); err != nil {
return err
}
(*out)[key] = *newVal
}
} else {
out.Extra = nil
}
return nil
}
func Convert_v1beta1_UserInfo_To_authenticationk8sio_UserInfo(in *UserInfo, out *authentication_k8s_io.UserInfo, s conversion.Scope) error {
return autoConvert_v1beta1_UserInfo_To_authenticationk8sio_UserInfo(in, out, s)
}
func autoConvert_authenticationk8sio_UserInfo_To_v1beta1_UserInfo(in *authentication_k8s_io.UserInfo, out *UserInfo, s conversion.Scope) error {
out.Username = in.Username
out.UID = in.UID
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
} else {
out.Groups = nil
}
if in.Extra != nil {
in, out := &in.Extra, &out.Extra
*out = make(map[string][]string, len(*in))
for key, val := range *in {
newVal := new([]string)
// TODO: Inefficient conversion - can we improve it?
if err := s.Convert(&val, newVal, 0); err != nil {
return err
}
(*out)[key] = *newVal
}
} else {
out.Extra = nil
}
return nil
}
func Convert_authenticationk8sio_UserInfo_To_v1beta1_UserInfo(in *authentication_k8s_io.UserInfo, out *UserInfo, s conversion.Scope) error {
return autoConvert_authenticationk8sio_UserInfo_To_v1beta1_UserInfo(in, out, s)
}
// +build !ignore_autogenerated
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// This file was autogenerated by deepcopy-gen. Do not edit it manually!
package v1beta1
import (
api "k8s.io/kubernetes/pkg/api"
unversioned "k8s.io/kubernetes/pkg/api/unversioned"
conversion "k8s.io/kubernetes/pkg/conversion"
)
func init() {
if err := api.Scheme.AddGeneratedDeepCopyFuncs(
DeepCopy_v1beta1_TokenReview,
DeepCopy_v1beta1_TokenReviewSpec,
DeepCopy_v1beta1_TokenReviewStatus,
DeepCopy_v1beta1_UserInfo,
); err != nil {
// if one of the deep copy functions is malformed, detect it immediately.
panic(err)
}
}
func DeepCopy_v1beta1_TokenReview(in TokenReview, out *TokenReview, c *conversion.Cloner) error {
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_v1beta1_TokenReviewSpec(in.Spec, &out.Spec, c); err != nil {
return err
}
if err := DeepCopy_v1beta1_TokenReviewStatus(in.Status, &out.Status, c); err != nil {
return err
}
return nil
}
func DeepCopy_v1beta1_TokenReviewSpec(in TokenReviewSpec, out *TokenReviewSpec, c *conversion.Cloner) error {
out.Token = in.Token
return nil
}
func DeepCopy_v1beta1_TokenReviewStatus(in TokenReviewStatus, out *TokenReviewStatus, c *conversion.Cloner) error {
out.Authenticated = in.Authenticated
if err := DeepCopy_v1beta1_UserInfo(in.User, &out.User, c); err != nil {
return err
}
return nil
}
func DeepCopy_v1beta1_UserInfo(in UserInfo, out *UserInfo, c *conversion.Cloner) error {
out.Username = in.Username
out.UID = in.UID
if in.Groups != nil {
in, out := in.Groups, &out.Groups
*out = make([]string, len(in))
copy(*out, in)
} else {
out.Groups = nil
}
if in.Extra != nil {
in, out := in.Extra, &out.Extra
*out = make(map[string][]string)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
} else {
(*out)[key] = newVal.([]string)
}
}
} else {
out.Extra = nil
}
return nil
}
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/kubernetes/pkg/runtime"
)
func addDefaultingFuncs(scheme *runtime.Scheme) {
scheme.AddDefaultingFuncs()
}
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// +genconversion=true
package v1beta1
/*
Copyright 2015 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/runtime"
)
// GroupName is the group name use in this package
const GroupName = "authentication.k8s.io"
// SchemeGroupVersion is group version used to register these objects
var SchemeGroupVersion = unversioned.GroupVersion{Group: GroupName, Version: "v1beta1"}
func AddToScheme(scheme *runtime.Scheme) {
// Add the API to Scheme.
addKnownTypes(scheme)
addDefaultingFuncs(scheme)
addConversionFuncs(scheme)
}
// Adds the list of known types to api.Scheme.
func addKnownTypes(scheme *runtime.Scheme) {
scheme.AddKnownTypes(SchemeGroupVersion,
&TokenReview{},
)
}
func (obj *TokenReview) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1beta1
import (
"k8s.io/kubernetes/pkg/api/unversioned"
)
// TokenReview attempts to authenticate a token to a known user.
type TokenReview struct {
unversioned.TypeMeta `json:",inline"`
// Spec holds information about the request being evaluated
Spec TokenReviewSpec `json:"spec"`
// Status is filled in by the server and indicates whether the request can be authenticated.
Status TokenReviewStatus `json:"status,omitempty"`
}
// TokenReviewSpec is a description of the token authentication request.
type TokenReviewSpec struct {
// Token is the opaque bearer token.
Token string `json:"token,omitempty"`
}
// TokenReviewStatus is the result of the token authentication request.
type TokenReviewStatus struct {
// Authenticated indicates that the token was associated with a known user.
Authenticated bool `json:"authenticated,omitempty"`
// User is the UserInfo associated with the provided token.
User UserInfo `json:"user,omitempty"`
}
// UserInfo holds the information about the user needed to implement the
// user.Info interface.
type UserInfo struct {
// The name that uniquely identifies this user among all active users.
Username string `json:"username,omitempty"`
// A unique value that identifies this user across time. If this user is
// deleted and another user by the same name is added, they will have
// different UIDs.
UID string `json:"uid,omitempty"`
// The names of groups this user is a part of.
Groups []string `json:"groups,omitempty"`
// Any additional information provided by the authenticator.
Extra map[string][]string `json:"extra,omitempty"`
}
......@@ -30,21 +30,23 @@ import (
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/x509"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/oidc"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokenfile"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/webhook"
)
type AuthenticatorConfig struct {
BasicAuthFile string
ClientCAFile string
TokenAuthFile string
OIDCIssuerURL string
OIDCClientID string
OIDCCAFile string
OIDCUsernameClaim string
OIDCGroupsClaim string
ServiceAccountKeyFile string
ServiceAccountLookup bool
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
KeystoneURL string
BasicAuthFile string
ClientCAFile string
TokenAuthFile string
OIDCIssuerURL string
OIDCClientID string
OIDCCAFile string
OIDCUsernameClaim string
OIDCGroupsClaim string
ServiceAccountKeyFile string
ServiceAccountLookup bool
ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter
KeystoneURL string
WebhookTokenAuthnConfigFile string
}
// New returns an authenticator.Request or an error that supports the standard
......@@ -100,6 +102,14 @@ func New(config AuthenticatorConfig) (authenticator.Request, error) {
authenticators = append(authenticators, keystoneAuth)
}
if len(config.WebhookTokenAuthnConfigFile) > 0 {
webhookTokenAuth, err := newWebhookTokenAuthenticator(config.WebhookTokenAuthnConfigFile)
if err != nil {
return nil, err
}
authenticators = append(authenticators, webhookTokenAuth)
}
switch len(authenticators) {
case 0:
return nil, nil
......@@ -187,3 +197,12 @@ func newAuthenticatorFromKeystoneURL(keystoneConfigFile string) (authenticator.R
return basicauth.New(keystoneAuthenticator), nil
}
func newWebhookTokenAuthenticator(webhookConfigFile string) (authenticator.Request, error) {
webhookTokenAuthenticator, err := webhook.New(webhookConfigFile)
if err != nil {
return nil, err
}
return bearertoken.New(webhookTokenAuthenticator), nil
}
......@@ -23,6 +23,7 @@ import (
_ "k8s.io/kubernetes/pkg/api/install"
"k8s.io/kubernetes/pkg/apimachinery/registered"
_ "k8s.io/kubernetes/pkg/apis/apps/install"
_ "k8s.io/kubernetes/pkg/apis/authentication.k8s.io/install"
_ "k8s.io/kubernetes/pkg/apis/authorization/install"
_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"
_ "k8s.io/kubernetes/pkg/apis/batch/install"
......
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package webhook implements the authenticator.Token interface using HTTP webhooks.
package webhook
import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1"
"k8s.io/kubernetes/pkg/auth/authenticator"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/plugin/pkg/webhook"
_ "k8s.io/kubernetes/pkg/apis/authentication.k8s.io/install"
)
var (
groupVersions = []unversioned.GroupVersion{v1beta1.SchemeGroupVersion}
)
// Ensure WebhookTokenAuthenticator implements the authenticator.Token interface.
var _ authenticator.Token = (*WebhookTokenAuthenticator)(nil)
type WebhookTokenAuthenticator struct {
*webhook.GenericWebhook
}
// New creates a new WebhookTokenAuthenticator from the provided kubeconfig file.
func New(kubeConfigFile string) (*WebhookTokenAuthenticator, error) {
gw, err := webhook.NewGenericWebhook(kubeConfigFile, groupVersions)
if err != nil {
return nil, err
}
return &WebhookTokenAuthenticator{gw}, nil
}
// AuthenticateToken
func (w *WebhookTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, error) {
r := &v1beta1.TokenReview{
Spec: v1beta1.TokenReviewSpec{
Token: token,
},
}
result := w.RestClient.Post().Body(r).Do()
if err := result.Error(); err != nil {
return nil, false, err
}
if err := result.Into(r); err != nil {
return nil, false, err
}
if !r.Status.Authenticated {
return nil, false, nil
}
return &user.DefaultInfo{
Name: r.Status.User.Username,
UID: r.Status.User.UID,
Groups: r.Status.User.Groups,
}, true, nil
}
......@@ -38,6 +38,7 @@ import (
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/testapi"
authenticationv1beta1 "k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1"
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apiserver"
......@@ -46,10 +47,12 @@ import (
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api/v1"
"k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/plugin/pkg/admission/admit"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/tokentest"
"k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/webhook"
"k8s.io/kubernetes/test/integration/framework"
)
......@@ -66,6 +69,29 @@ func getTestTokenAuth() authenticator.Request {
return bearertoken.New(tokenAuthenticator)
}
func getTestWebhookTokenAuth(serverURL string) (authenticator.Request, error) {
kubecfgFile, err := ioutil.TempFile("", "webhook-kubecfg")
if err != nil {
return nil, err
}
defer os.Remove(kubecfgFile.Name())
config := v1.Config{
Clusters: []v1.NamedCluster{
{
Cluster: v1.Cluster{Server: serverURL},
},
},
}
if err := json.NewEncoder(kubecfgFile).Encode(config); err != nil {
return nil, err
}
webhookTokenAuth, err := webhook.New(kubecfgFile.Name())
if err != nil {
return nil, err
}
return bearertoken.New(webhookTokenAuth), nil
}
func path(resource, namespace, name string) string {
return testapi.Default.ResourcePath(resource, namespace, name)
}
......@@ -1221,3 +1247,128 @@ func TestReadOnlyAuthorization(t *testing.T) {
}()
}
}
// TestWebhookTokenAuthenticator tests that a master can use the webhook token
// authenticator to call out to a remote web server for authentication
// decisions.
func TestWebhookTokenAuthenticator(t *testing.T) {
framework.DeleteAllEtcdKeys()
var m *master.Master
s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
m.Handler.ServeHTTP(w, req)
}))
defer s.Close()
authServer := newTestWebhookTokenAuthServer()
defer authServer.Close()
authenticator, err := getTestWebhookTokenAuth(authServer.URL)
if err != nil {
t.Fatalf("error starting webhook token authenticator server: %v", err)
}
masterConfig := framework.NewIntegrationTestMasterConfig()
masterConfig.Authenticator = authenticator
masterConfig.Authorizer = allowAliceAuthorizer{}
m, err = master.New(masterConfig)
if err != nil {
t.Fatalf("error in bringing up the master: %v", err)
}
transport := http.DefaultTransport
for _, r := range getTestRequests() {
// Expect Bob's requests to all fail.
token := BobToken
bodyBytes := bytes.NewReader([]byte(r.body))
req, err := http.NewRequest(r.verb, s.URL+r.URL, bodyBytes)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
// Expect all of Bob's actions to return Forbidden
if resp.StatusCode != http.StatusForbidden {
t.Logf("case %v", r)
t.Errorf("Expected http.Forbidden, but got %s", resp.Status)
}
}()
// Expect Alice's requests to succeed.
token = AliceToken
bodyBytes = bytes.NewReader([]byte(r.body))
req, err = http.NewRequest(r.verb, s.URL+r.URL, bodyBytes)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
func() {
resp, err := transport.RoundTrip(req)
defer resp.Body.Close()
if err != nil {
t.Logf("case %v", r)
t.Fatalf("unexpected error: %v", err)
}
// Expect all of Alice's actions to at least get past authn/authz.
if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
t.Logf("case %v", r)
t.Errorf("Expected something other than Unauthorized/Forbidden, but got %s", resp.Status)
}
}()
}
}
// newTestWebhookTokenAuthServer creates an http token authentication server
// that knows about both Alice and Bob.
func newTestWebhookTokenAuthServer() *httptest.Server {
serveHTTP := func(w http.ResponseWriter, r *http.Request) {
var review authenticationv1beta1.TokenReview
if err := json.NewDecoder(r.Body).Decode(&review); err != nil {
http.Error(w, fmt.Sprintf("failed to decode body: %v", err), http.StatusBadRequest)
return
}
type userInfo struct {
Username string `json:"username"`
UID string `json:"uid"`
Groups []string `json:"groups"`
}
type status struct {
Authenticated bool `json:"authenticated"`
User userInfo `json:"user"`
}
var username, uid string
authenticated := false
if review.Spec.Token == AliceToken {
authenticated, username, uid = true, "alice", "1"
} else if review.Spec.Token == BobToken {
authenticated, username, uid = true, "bob", "2"
}
resp := struct {
APIVersion string `json:"apiVersion"`
Status status `json:"status"`
}{
APIVersion: authenticationv1beta1.SchemeGroupVersion.String(),
Status: status{
authenticated,
userInfo{
Username: username,
UID: uid,
},
},
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(resp)
}
server := httptest.NewUnstartedServer(http.HandlerFunc(serveHTTP))
server.Start()
return server
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment