-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add ability to authenticators for dynamic update of certs for delegated authn #82371
Conversation
/assign @liggitt |
f207ffb
to
44f8a16
Compare
/retest |
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go
Show resolved
Hide resolved
} | ||
|
||
// NewSimpleStaticVerifierFromFile creates a new verification func from a file. It reads the content and then fails. | ||
// It will return a nil function if you pass an empty CA file. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like it should be handled externally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like it should be handled externally.
It could be, but I suspect it would just be an x509verifyutil
package. I can make that if you prefer.
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/verify_options.go
Outdated
Show resolved
Hide resolved
44f8a16
to
f17df18
Compare
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/verify_options.go
Outdated
Show resolved
Hide resolved
requestHeaderAuthenticator, err := headerrequest.NewSecure( | ||
c.RequestHeaderConfig.ClientCA, | ||
requestHeaderAuthenticator, err := headerrequest.NewDynamicSecure( | ||
c.RequestHeaderConfig.VerifyOptionFn, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this structure is assuming the CA is the only dynamic aspect, even though we populate all of these options dynamically, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this structure is assuming the CA is the only dynamic aspect, even though we populate all of these options dynamically, right?
I'll update to allow functions through, but I'm still planning to defer wiring until step 4
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have renamed to make the limitation clear and will continue in a separate pull to keep pull size down.
staging/src/k8s.io/apiserver/pkg/authentication/request/x509/verify_options.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
Outdated
Show resolved
Hide resolved
direction looks good, a few nits, only substantive comment is #82371 (comment) |
f17df18
to
51195dd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approve on kubelet change.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, derekwaynecarr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
part 1 and 2 of #82141
For aggregated apiservers, we created delegated authentication options. These pull from
kubectl get -n kube-system configmap/extension-apiserver-authentication
. ConfigMaps are logically dynamic, but the delegated authentication doesn't automatically pick up the changes. This causes drift between intent and reality.The options from here are still static, but they are wired to use the
verfiyOptionsFunc
variant to allow part 4 of the issue./kind bug
/priority important-soon
@kubernetes/sig-auth-pr-reviews