Webhook Token Authenticator

cmd/kube-apiserver/app/options/options.go

@@ -35,31 +35,36 @@ import (
 // APIServer runs a kubernetes api server.
 type APIServer struct {
 	*genericapiserver.ServerRunOptions
-	AdmissionControl           string
-	AdmissionControlConfigFile string
-	AllowPrivileged            bool
-	AuthorizationMode          string
-	AuthorizationConfig        apiserver.AuthorizationConfig
-	BasicAuthFile              string
-	DefaultStorageMediaType    string
-	DeleteCollectionWorkers    int
-	EtcdServersOverrides       []string
-	EventTTL                   time.Duration
-	KeystoneURL                string
-	KubeletConfig              kubeletclient.KubeletClientConfig
-	MasterServiceNamespace     string
-	MaxConnectionBytesPerSec   int64
-	OIDCCAFile                 string
-	OIDCClientID               string
-	OIDCIssuerURL              string
-	OIDCUsernameClaim          string
-	OIDCGroupsClaim            string
-	SSHKeyfile                 string
-	SSHUser                    string
-	ServiceAccountKeyFile      string
-	ServiceAccountLookup       bool
-	TokenAuthFile              string
-	WatchCacheSizes            []string
+	AdmissionControl            string
+	AdmissionControlConfigFile  string
+	AllowPrivileged             bool
+	AuthorizationMode           string
+	AuthorizationConfig         apiserver.AuthorizationConfig
+	BasicAuthFile               string
+	DefaultStorageMediaType     string
+	DeleteCollectionWorkers     int
+	EtcdServersOverrides        []string
+	EventTTL                    time.Duration
+	KeystoneURL                 string
+	KubeletConfig               kubeletclient.KubeletClientConfig
+	MasterServiceNamespace      string
+	MaxConnectionBytesPerSec    int64
+	OIDCCAFile                  string
+	OIDCClientID                string
+	OIDCIssuerURL               string
+	OIDCUsernameClaim           string
+	OIDCGroupsClaim             string
+	SSHKeyfile                  string
+	SSHUser                     string
+	ServiceAccountKeyFile       string
+	ServiceAccountLookup        bool
+	WebhookTokenAuthnConfigFile string
+	// The default values for StorageVersions. StorageVersions overrides
+	// these; you can change this if you want to change the defaults (e.g.,
+	// for testing). This is not actually exposed as a flag.
+	DefaultStorageVersions string
+	TokenAuthFile          string
+	WatchCacheSizes        []string
 }
 
 // NewAPIServer creates a new APIServer object with default parameters
@@ -104,6 +109,7 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.AuthorizationMode, "authorization-mode", s.AuthorizationMode, "Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+strings.Join(apiserver.AuthorizationModeChoices, ","))
 	fs.StringVar(&s.AuthorizationConfig.PolicyFile, "authorization-policy-file", s.AuthorizationConfig.PolicyFile, "File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.")
 	fs.StringVar(&s.AuthorizationConfig.WebhookConfigFile, "authorization-webhook-config-file", s.AuthorizationConfig.WebhookConfigFile, "File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.")
+	fs.StringVar(&s.WebhookTokenAuthnConfigFile, "authentication-token-webhook-config-file", s.WebhookTokenAuthnConfigFile, "File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.")
 	fs.StringVar(&s.AdmissionControl, "admission-control", s.AdmissionControl, "Ordered list of plug-ins to do admission control of resources into cluster. Comma-delimited list of: "+strings.Join(admission.GetPlugins(), ", "))
 	fs.StringVar(&s.AdmissionControlConfigFile, "admission-control-config-file", s.AdmissionControlConfigFile, "File with admission control configuration.")
 	fs.StringSliceVar(&s.EtcdServersOverrides, "etcd-servers-overrides", s.EtcdServersOverrides, "Per-resource etcd servers overrides, comma separated. The individual override format: group/resource#servers, where servers are http://ip:port, semicolon separated.")

cmd/kube-apiserver/app/server.go

@@ -177,18 +177,19 @@ func Run(s *options.APIServer) error {
 	}
 
 	authenticator, err := authenticator.New(authenticator.AuthenticatorConfig{
-		BasicAuthFile:             s.BasicAuthFile,
-		ClientCAFile:              s.ClientCAFile,
-		TokenAuthFile:             s.TokenAuthFile,
-		OIDCIssuerURL:             s.OIDCIssuerURL,
-		OIDCClientID:              s.OIDCClientID,
-		OIDCCAFile:                s.OIDCCAFile,
-		OIDCUsernameClaim:         s.OIDCUsernameClaim,
-		OIDCGroupsClaim:           s.OIDCGroupsClaim,
-		ServiceAccountKeyFile:     s.ServiceAccountKeyFile,
-		ServiceAccountLookup:      s.ServiceAccountLookup,
-		ServiceAccountTokenGetter: serviceAccountGetter,
-		KeystoneURL:               s.KeystoneURL,
+		BasicAuthFile:               s.BasicAuthFile,
+		ClientCAFile:                s.ClientCAFile,
+		TokenAuthFile:               s.TokenAuthFile,
+		OIDCIssuerURL:               s.OIDCIssuerURL,
+		OIDCClientID:                s.OIDCClientID,
+		OIDCCAFile:                  s.OIDCCAFile,
+		OIDCUsernameClaim:           s.OIDCUsernameClaim,
+		OIDCGroupsClaim:             s.OIDCGroupsClaim,
+		ServiceAccountKeyFile:       s.ServiceAccountKeyFile,
+		ServiceAccountLookup:        s.ServiceAccountLookup,
+		ServiceAccountTokenGetter:   serviceAccountGetter,
+		KeystoneURL:                 s.KeystoneURL,
+		WebhookTokenAuthnConfigFile: s.WebhookTokenAuthnConfigFile,
 	})
 
 	if err != nil {

cmd/libs/go2idl/conversion-gen/main.go

@@ -35,6 +35,8 @@ func main() {
 	arguments.InputDirs = []string{
 		"k8s.io/kubernetes/pkg/api/v1",
 		"k8s.io/kubernetes/pkg/api",
+		"k8s.io/kubernetes/pkg/apis/authentication.k8s.io",
+		"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/authorization",
 		"k8s.io/kubernetes/pkg/apis/authorization/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/autoscaling",

cmd/libs/go2idl/deepcopy-gen/main.go

@@ -35,6 +35,8 @@ func main() {
 	arguments.InputDirs = []string{
 		"k8s.io/kubernetes/pkg/api",
 		"k8s.io/kubernetes/pkg/api/v1",
+		"k8s.io/kubernetes/pkg/apis/authentication.k8s.io",
+		"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/authorization",
 		"k8s.io/kubernetes/pkg/apis/authorization/v1beta1",
 		"k8s.io/kubernetes/pkg/apis/autoscaling",

docs/admin/kube-apiserver.md

@@ -56,6 +56,7 @@ kube-apiserver
       --advertise-address=<nil>: The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
       --allow-privileged[=false]: If true, allow privileged containers.
       --apiserver-count=1: The number of apiservers running in the cluster
+      --authentication-token-webhook-config-file="": File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
       --authorization-mode="AlwaysAllow": Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: AlwaysAllow,AlwaysDeny,ABAC,Webhook
       --authorization-policy-file="": File with authorization policy in csv format, used with --authorization-mode=ABAC, on the secure port.
       --authorization-webhook-config-file="": File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.
@@ -111,7 +112,7 @@ kube-apiserver
       --ssh-user="": If non-empty, use secure SSH proxy to the nodes, using this user name
       --storage-backend="": The storage backend for persistence. Options: 'etcd2' (default), 'etcd3'.
       --storage-media-type="application/json": The media type to use to store objects in storage. Defaults to application/json. Some resources may only support a specific media type and will ignore this setting.
-      --storage-versions="apps/v1alpha1,authorization.k8s.io/v1beta1,autoscaling/v1,batch/v1,componentconfig/v1alpha1,extensions/v1beta1,metrics/v1alpha1,policy/v1alpha1,v1": The per-group version to store resources in. Specified in the format "group1/version1,group2/version2,...". In the case where objects are moved from one group to the other, you may specify the format "group1=group2/v1beta1,group3/v1beta1,...". You only need to pass the groups you wish to change from the defaults. It defaults to a list of preferred versions of all registered groups, which is derived from the KUBE_API_VERSIONS environment variable.
+      --storage-versions="apps/v1alpha1,authentication.k8s.io/v1beta1,authorization.k8s.io/v1beta1,autoscaling/v1,batch/v1,componentconfig/v1alpha1,extensions/v1beta1,metrics/v1alpha1,policy/v1alpha1,v1": The per-group version to store resources in. Specified in the format "group1/version1,group2/version2,...". In the case where objects are moved from one group to the other, you may specify the format "group1=group2/v1beta1,group3/v1beta1,...". You only need to pass the groups you wish to change from the defaults. It defaults to a list of preferred versions of all registered groups, which is derived from the KUBE_API_VERSIONS environment variable.
       --tls-cert-file="": File containing x509 Certificate for HTTPS.  (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to /var/run/kubernetes.
       --tls-private-key-file="": File containing x509 private key matching --tls-cert-file.
       --token-auth-file="": If set, the file that will be used to secure the secure port of the API server via token authentication.

hack/verify-flags/known-flags.txt

@@ -18,6 +18,7 @@ api-token
 api-version
 apiserver-count
 auth-path
+authentication-token-webhook-config-file
 authorization-mode
 authorization-policy-file
 authorization-webhook-config-file

pkg/apis/authentication.k8s.io/deep_copy_generated.go

@@ -0,0 +1,91 @@
+// +build !ignore_autogenerated
+
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This file was autogenerated by deepcopy-gen. Do not edit it manually!
+
+package authentication
+
+import (
+	api "k8s.io/kubernetes/pkg/api"
+	unversioned "k8s.io/kubernetes/pkg/api/unversioned"
+	conversion "k8s.io/kubernetes/pkg/conversion"
+)
+
+func init() {
+	if err := api.Scheme.AddGeneratedDeepCopyFuncs(
+		DeepCopy_authenticationk8sio_TokenReview,
+		DeepCopy_authenticationk8sio_TokenReviewSpec,
+		DeepCopy_authenticationk8sio_TokenReviewStatus,
+		DeepCopy_authenticationk8sio_UserInfo,
+	); err != nil {
+		// if one of the deep copy functions is malformed, detect it immediately.
+		panic(err)
+	}
+}
+
+func DeepCopy_authenticationk8sio_TokenReview(in TokenReview, out *TokenReview, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_authenticationk8sio_TokenReviewSpec(in.Spec, &out.Spec, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_authenticationk8sio_TokenReviewStatus(in.Status, &out.Status, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_authenticationk8sio_TokenReviewSpec(in TokenReviewSpec, out *TokenReviewSpec, c *conversion.Cloner) error {
+	out.Token = in.Token
+	return nil
+}
+
+func DeepCopy_authenticationk8sio_TokenReviewStatus(in TokenReviewStatus, out *TokenReviewStatus, c *conversion.Cloner) error {
+	out.Authenticated = in.Authenticated
+	if err := DeepCopy_authenticationk8sio_UserInfo(in.User, &out.User, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_authenticationk8sio_UserInfo(in UserInfo, out *UserInfo, c *conversion.Cloner) error {
+	out.Username = in.Username
+	out.UID = in.UID
+	if in.Groups != nil {
+		in, out := in.Groups, &out.Groups
+		*out = make([]string, len(in))
+		copy(*out, in)
+	} else {
+		out.Groups = nil
+	}
+	if in.Extra != nil {
+		in, out := in.Extra, &out.Extra
+		*out = make(map[string][]string)
+		for key, val := range in {
+			if newVal, err := c.DeepCopy(val); err != nil {
+				return err
+			} else {
+				(*out)[key] = newVal.([]string)
+			}
+		}
+	} else {
+		out.Extra = nil
+	}
+	return nil
+}

pkg/apis/authentication.k8s.io/install/install.go

@@ -0,0 +1,123 @@
+/*
+Copyright 2016 The Kubernetes Authors All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package install installs the experimental API group, making it available as
+// an option to all of the API encoding/decoding machinery.
+package install
+
+import (
+	"fmt"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/meta"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apimachinery"
+	"k8s.io/kubernetes/pkg/apimachinery/registered"
+	"k8s.io/kubernetes/pkg/apis/authentication.k8s.io"
+	"k8s.io/kubernetes/pkg/apis/authentication.k8s.io/v1beta1"
+	"k8s.io/kubernetes/pkg/runtime"
+	"k8s.io/kubernetes/pkg/util/sets"
+)
+
+const importPrefix = "k8s.io/kubernetes/pkg/apis/authentication.k8s.io"
+
+var accessor = meta.NewAccessor()
+
+// availableVersions lists all known external versions for this group from most preferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1beta1.SchemeGroupVersion}
+
+func init() {
+	registered.RegisterVersions(availableVersions)
+	externalVersions := []unversioned.GroupVersion{}
+	for _, v := range availableVersions {
+		if registered.IsAllowedVersion(v) {
+			externalVersions = append(externalVersions, v)
+		}
+	}
+	if len(externalVersions) == 0 {
+		glog.V(4).Infof("No version is registered for group %v", authentication.GroupName)
+		return
+	}
+
+	if err := registered.EnableVersions(externalVersions...); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+	if err := enableVersions(externalVersions); err != nil {
+		glog.V(4).Infof("%v", err)
+		return
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API
+// group.
+// We can combine registered.RegisterVersions, registered.EnableVersions and
+// registered.RegisterGroup once we have moved enableVersions there.
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	preferredExternalVersion := externalVersions[0]
+
+	groupMeta := apimachinery.GroupMeta{
+		GroupVersion:  preferredExternalVersion,
+		GroupVersions: externalVersions,
+		RESTMapper:    newRESTMapper(externalVersions),
+		SelfLinker:    runtime.SelfLinker(accessor),
+		InterfacesFor: interfacesFor,
+	}
+
+	if err := registered.RegisterGroup(groupMeta); err != nil {
+		return err
+	}
+	api.RegisterRESTMapper(groupMeta.RESTMapper)
+	return nil
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	authentication.AddToScheme(api.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		if !registered.IsEnabledVersion(v) {
+			glog.Errorf("Version %s is not enabled, so it will not be added to the Scheme.", v)
+			continue
+		}
+		switch v {
+		case v1beta1.SchemeGroupVersion:
+			v1beta1.AddToScheme(api.Scheme)
+		}
+	}
+}
+
+func newRESTMapper(externalVersions []unversioned.GroupVersion) meta.RESTMapper {
+	rootScoped := sets.NewString("TokenReview")
+	ignoredKinds := sets.NewString()
+	return api.NewDefaultRESTMapper(externalVersions, interfacesFor, importPrefix, ignoredKinds, rootScoped)
+}
+
+func interfacesFor(version unversioned.GroupVersion) (*meta.VersionInterfaces, error) {
+	switch version {
+	case v1beta1.SchemeGroupVersion:
+		return &meta.VersionInterfaces{
+			ObjectConvertor:  api.Scheme,
+			MetadataAccessor: accessor,
+		}, nil
+	default:
+		g, _ := registered.Group(authentication.GroupName)
+		return nil, fmt.Errorf("unsupported storage version: %s (valid: %v)", version, g.GroupVersions)
+	}
+}