Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

retrofit svcacct token authenticator to support audience validation #70157

Merged
merged 1 commit into from
Nov 14, 2018
Merged

retrofit svcacct token authenticator to support audience validation #70157

merged 1 commit into from
Nov 14, 2018

Conversation

mikedanese
Copy link
Member

@mikedanese mikedanese commented Oct 24, 2018
edited

/kind feature
/sig auth

#69893

@kubernetes/sig-auth-pr-reviews

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Oct 24, 2018
mikedanese
mikedanese commented Oct 24, 2018
View reviewed changes
pkg/serviceaccount/jwt.go Outdated Show resolved Hide resolved
@jennybuckley
Copy link

/assign @caesarxuchao

@jennybuckley
Copy link

/assign @liggitt

awly
awly reviewed Nov 1, 2018
View reviewed changes
pkg/serviceaccount/jwt.go Outdated Show resolved Hide resolved
pkg/serviceaccount/jwt_test.go Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 2, 2018
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 2, 2018
@liggitt liggitt added this to the v1.13 milestone Nov 10, 2018
@mikedanese
Copy link
Member Author

@awly fixed.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mikedanese

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 14, 2018
@awly
Copy link
Contributor

awly commented Nov 14, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 14, 2018
@awly
Copy link
Contributor

awly commented Nov 14, 2018

/retest

@k8s-ci-robot k8s-ci-robot merged commit 9c304cf into kubernetes:master Nov 14, 2018
@mikedanese mikedanese deleted the trev1 branch November 14, 2018 22:32
cjcullen
cjcullen reviewed Nov 15, 2018
View reviewed changes
pkg/serviceaccount/jwt.go
@@ -170,14 +172,34 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(ctx context.Context, tokenData
return nil, false, utilerrors.NewAggregate(errlist)
}

tokenAudiences := authenticator.Audiences(public.Audience)
if len(tokenAudiences) == 0 {
// only apiserver audiences are allowed for legacy tokens
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this comment be // tokens with no audience (legacy tokens) implicitly have the apiserver audience.

pkg/serviceaccount/jwt.go

requestedAudiences, ok := authenticator.AudiencesFrom(ctx)
if !ok {
// default to apiserver audiences
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// requests that don't explicitly request an audience are requesting the implicit apiserver audience.

pkg/serviceaccount/jwt.go
requestedAudiences = j.implicitAuds
}

auds := authenticator.Audiences(tokenAudiences).Intersect(requestedAudiences)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

matchingAudiences := ...? Up to you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awly awly awly left review comments

@cjcullen cjcullen cjcullen left review comments

@deads2k deads2k Awaiting requested review from deads2k

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@awly awly

@cjcullen cjcullen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.13
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@mikedanese @jennybuckley @k8s-ci-robot @awly @liggitt @cjcullen @caesarxuchao