Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support all key algs with structured authn config #123282

Merged
merged 2 commits into from Feb 15, 2024
Merged

Support all key algs with structured authn config #123282

merged 2 commits into from Feb 15, 2024

Conversation

enj
Copy link
Member

@enj enj commented Feb 13, 2024

/kind bug
/assign aramase
/triage accepted
/priority important-soon

Fixed an issue where a JWT authenticator configured via --authentication-config would fail to verify tokens that were not signed using RS256.

@enj
test/oidc: extract key type to allow testing different algs
b8a5934 
Signed-off-by: Monis Khan <mok@microsoft.com>
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 13, 2024
@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Feb 13, 2024
aramase
aramase reviewed Feb 13, 2024
View reviewed changes
pkg/kubeapiserver/options/authentication.go Outdated
Comment on lines 467 to 477
ret.OIDCSigningAlgs = []string{
oidc.RS256,
oidc.RS384,
oidc.RS512,
oidc.ES256,
oidc.ES384,
oidc.ES512,
oidc.PS256,
oidc.PS384,
oidc.PS512,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we just have an exported function in oidc.go that returns keys from

kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go

Lines 201 to 211 in 7ec1a89

var allowedSigningAlgs = map[string]bool{
oidc.RS256: true,
oidc.RS384: true,
oidc.RS512: true,
oidc.ES256: true,
oidc.ES384: true,
oidc.ES512: true,
oidc.PS256: true,
oidc.PS384: true,
oidc.PS512: true,
}

Then we don't have to maintain the list in 2 places.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

pkg/kubeapiserver/options/authentication.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can add a test in https://github.com/aramase/kubernetes/blob/15c02f2a034d23174d7c9ef1bb61982cc36126a5/pkg/kubeapiserver/options/authentication_test.go#L448 to validate expected config with --authentication-config flag.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a blocker for the PR. I can do this in a follow-up.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@enj
Support all key algs with structured authn config
b5e0068 
Signed-off-by: Monis Khan <mok@microsoft.com>
liggitt
liggitt reviewed Feb 14, 2024
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 14, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: cf794323380511d17757850a178ef08384f9a097

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 14, 2024
@enj
Copy link
Member Author

enj commented Feb 14, 2024

/retest

1 similar comment
@aramase
Copy link
Member

aramase commented Feb 14, 2024

/retest

@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 14, 2024
Closed
@enj
Copy link
Member Author

enj commented Feb 14, 2024

/retest

@aramase
Copy link
Member

aramase commented Feb 14, 2024

@enj
Copy link
Member Author

enj commented Feb 14, 2024

/retest

@k8s-triage-robot
Copy link

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit 72c3c7c into kubernetes:master Feb 15, 2024
15 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 15, 2024
@aramase aramase mentioned this pull request Feb 15, 2024
Merged
@aramase aramase mentioned this pull request Mar 11, 2024
Closed
@enj enj mentioned this pull request Mar 11, 2024
Open
36 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@aramase aramase aramase left review comments

@johnSchnake johnSchnake Awaiting requested review from johnSchnake

Assignees

@liggitt liggitt

@aramase aramase

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@enj @k8s-ci-robot @aramase @k8s-triage-robot @liggitt