kubernetes · k8s-github-robot · Feb 28, 2018 · Feb 23, 2018 · Feb 25, 2018 · liggitt
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
@@ -326,18 +326,25 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele
 	}
 
 	var issuer serviceaccount.TokenGenerator
-	if s.ServiceAccountSigningKeyFile != "" || s.Authentication.ServiceAccounts.Issuer != "" {
+	var apiAudiences []string
+	if s.ServiceAccountSigningKeyFile != "" ||
+		s.Authentication.ServiceAccounts.Issuer != "" ||
+		len(s.Authentication.ServiceAccounts.APIAudiences) > 0 {
 		if !utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
 			return nil, nil, nil, nil, nil, fmt.Errorf("the TokenRequest feature is not enabled but --service-account-signing-key-file and/or --service-account-issuer-id flags were passed")
 		}
-		if s.ServiceAccountSigningKeyFile == "" || s.Authentication.ServiceAccounts.Issuer == "" {
-			return nil, nil, nil, nil, nil, fmt.Errorf("service-account-signing-key-file and service-account-issuer should be specified together")
+		if s.ServiceAccountSigningKeyFile == "" ||
+			s.Authentication.ServiceAccounts.Issuer == "" ||
+			len(s.Authentication.ServiceAccounts.APIAudiences) == 0 ||
+			len(s.Authentication.ServiceAccounts.KeyFiles) == 0 {
+			return nil, nil, nil, nil, nil, fmt.Errorf("service-account-signing-key-file, service-account-issuer, service-account-api-audiences and service-account-key-file should be specified together")
 		}
 		sk, err := certutil.PrivateKeyFromFile(s.ServiceAccountSigningKeyFile)
 		if err != nil {
 			return nil, nil, nil, nil, nil, fmt.Errorf("failed to parse service-account-issuer-key-file: %v", err)
 		}
 		issuer = serviceaccount.JWTTokenGenerator(s.Authentication.ServiceAccounts.Issuer, sk)
+		apiAudiences = s.Authentication.ServiceAccounts.APIAudiences
 	}
 
 	config := &master.Config{
@@ -371,7 +378,9 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele
 
 			EndpointReconcilerType: reconcilers.Type(s.EndpointReconcilerType),
 			MasterCount:            s.MasterCount,
-			ServiceAccountIssuer:   issuer,
+
+			ServiceAccountIssuer:       issuer,
+			ServiceAccountAPIAudiences: apiAudiences,
 		},
 	}
 
@@ -471,7 +480,7 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp
 		)
 	}
 
-	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, sharedInformers)
+	genericConfig.Authentication.Authenticator, genericConfig.OpenAPIConfig.SecurityDefinitions, err = BuildAuthenticator(s, storageFactory, client, clientgoExternalClient, sharedInformers)
 	if err != nil {
 		return nil, nil, nil, nil, nil, fmt.Errorf("invalid authentication config: %v", err)
 	}
@@ -555,25 +564,10 @@ func BuildAdmissionPluginInitializers(s *options.ServerRunOptions, client intern
 }
 
 // BuildAuthenticator constructs the authenticator
-func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorage.StorageFactory, client internalclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
+func BuildAuthenticator(s *options.ServerRunOptions, storageFactory serverstorage.StorageFactory, client internalclientset.Interface, extclient clientgoclientset.Interface, sharedInformers informers.SharedInformerFactory) (authenticator.Request, *spec.SecurityDefinitions, error) {
 	authenticatorConfig := s.Authentication.ToAuthenticationConfig()
 	if s.Authentication.ServiceAccounts.Lookup {
-		// we have to go direct to storage because the clientsets fail when they're initialized with some API versions excluded
-		// we should stop trying to control them like that.
-		storageConfigServiceAccounts, err := storageFactory.NewConfig(api.Resource("serviceaccounts"))
-		if err != nil {
-			return nil, nil, fmt.Errorf("unable to get serviceaccounts storage: %v", err)
-		}
-		storageConfigSecrets, err := storageFactory.NewConfig(api.Resource("secrets"))
-		if err != nil {
-			return nil, nil, fmt.Errorf("unable to get secrets storage: %v", err)
-		}
-		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromStorageInterface(
-			storageConfigServiceAccounts,
-			storageFactory.ResourcePrefix(api.Resource("serviceaccounts")),
-			storageConfigSecrets,
-			storageFactory.ResourcePrefix(api.Resource("secrets")),
-		)
+		authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromClient(extclient)
 	}
 	if client == nil || reflect.ValueOf(client).IsNil() {
 		// TODO: Remove check once client can never be nil.
@@ -687,12 +681,19 @@ func defaultOptions(s *options.ServerRunOptions) error {
 
 	s.Authentication.ApplyAuthorization(s.Authorization)
 
-	// Default to the private server key for service account token signing
-	if len(s.Authentication.ServiceAccounts.KeyFiles) == 0 && s.SecureServing.ServerCert.CertKey.KeyFile != "" {
-		if kubeauthenticator.IsValidServiceAccountKeyFile(s.SecureServing.ServerCert.CertKey.KeyFile) {
-			s.Authentication.ServiceAccounts.KeyFiles = []string{s.SecureServing.ServerCert.CertKey.KeyFile}
-		} else {
-			glog.Warning("No TLS key provided, service account token authentication disabled")
+	// Use (ServiceAccountSigningKeyFile != "") as a proxy to the user enabling
+	// TokenRequest functionality. This defaulting was convenient, but messed up
+	// a lot of people when they rotated their serving cert with no idea it was
+	// connected to their service account keys. We are taking this oppurtunity to
+	// remove this problematic defaulting.
+	if s.ServiceAccountSigningKeyFile == "" {
+		// Default to the private server key for service account token signing
+		if len(s.Authentication.ServiceAccounts.KeyFiles) == 0 && s.SecureServing.ServerCert.CertKey.KeyFile != "" {
+			if kubeauthenticator.IsValidServiceAccountKeyFile(s.SecureServing.ServerCert.CertKey.KeyFile) {
+				s.Authentication.ServiceAccounts.KeyFiles = []string{s.SecureServing.ServerCert.CertKey.KeyFile}
+			} else {
+				glog.Warning("No TLS key provided, service account token authentication disabled")
+			}
 		}
 	}
 

diff --git a/pkg/controller/serviceaccount/BUILD b/pkg/controller/serviceaccount/BUILD
@@ -16,12 +16,8 @@ go_library(
     ],
     importpath = "k8s.io/kubernetes/pkg/controller/serviceaccount",
     deps = [
-        "//pkg/apis/core/v1:go_default_library",
         "//pkg/controller:go_default_library",
         "//pkg/registry/core/secret:go_default_library",
-        "//pkg/registry/core/secret/storage:go_default_library",
-        "//pkg/registry/core/serviceaccount:go_default_library",
-        "//pkg/registry/core/serviceaccount/storage:go_default_library",
         "//pkg/serviceaccount:go_default_library",
         "//pkg/util/metrics:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
@@ -33,9 +29,6 @@ go_library(
         "//vendor/k8s.io/apimachinery/pkg/util/runtime:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/registry/generic:go_default_library",
-        "//vendor/k8s.io/apiserver/pkg/storage/storagebackend:go_default_library",
         "//vendor/k8s.io/client-go/informers/core/v1:go_default_library",
         "//vendor/k8s.io/client-go/kubernetes:go_default_library",
         "//vendor/k8s.io/client-go/listers/core/v1:go_default_library",

diff --git a/pkg/controller/serviceaccount/tokengetter.go b/pkg/controller/serviceaccount/tokengetter.go
@@ -19,15 +19,7 @@ package serviceaccount
 import (
 	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
-	"k8s.io/apiserver/pkg/registry/generic"
-	"k8s.io/apiserver/pkg/storage/storagebackend"
 	clientset "k8s.io/client-go/kubernetes"
-	apiv1 "k8s.io/kubernetes/pkg/apis/core/v1"
-	"k8s.io/kubernetes/pkg/registry/core/secret"
-	secretstore "k8s.io/kubernetes/pkg/registry/core/secret/storage"
-	serviceaccountregistry "k8s.io/kubernetes/pkg/registry/core/serviceaccount"
-	serviceaccountstore "k8s.io/kubernetes/pkg/registry/core/serviceaccount/storage"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
 
@@ -43,59 +35,15 @@ type clientGetter struct {
 func NewGetterFromClient(c clientset.Interface) serviceaccount.ServiceAccountTokenGetter {
 	return clientGetter{c}
 }
+
 func (c clientGetter) GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error) {
 	return c.client.CoreV1().ServiceAccounts(namespace).Get(name, metav1.GetOptions{})
 }
-func (c clientGetter) GetSecret(namespace, name string) (*v1.Secret, error) {
-	return c.client.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
-}
 
-// registryGetter implements ServiceAccountTokenGetter using a service account and secret registry
-type registryGetter struct {
-	serviceAccounts serviceaccountregistry.Registry
-	secrets         secret.Registry
+func (c clientGetter) GetPod(namespace, name string) (*v1.Pod, error) {
+	return c.client.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
 }
 
-// NewGetterFromRegistries returns a ServiceAccountTokenGetter that
-// uses the specified registries to retrieve service accounts and secrets.
-func NewGetterFromRegistries(serviceAccounts serviceaccountregistry.Registry, secrets secret.Registry) serviceaccount.ServiceAccountTokenGetter {
-	return &registryGetter{serviceAccounts, secrets}
-}
-func (r *registryGetter) GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error) {
-	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace)
-	internalServiceAccount, err := r.serviceAccounts.GetServiceAccount(ctx, name, &metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	v1ServiceAccount := v1.ServiceAccount{}
-	err = apiv1.Convert_core_ServiceAccount_To_v1_ServiceAccount(internalServiceAccount, &v1ServiceAccount, nil)
-	return &v1ServiceAccount, err
-
-}
-func (r *registryGetter) GetSecret(namespace, name string) (*v1.Secret, error) {
-	ctx := genericapirequest.WithNamespace(genericapirequest.NewContext(), namespace)
-	internalSecret, err := r.secrets.GetSecret(ctx, name, &metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	v1Secret := v1.Secret{}
-	err = apiv1.Convert_core_Secret_To_v1_Secret(internalSecret, &v1Secret, nil)
-	return &v1Secret, err
-
-}
-
-// NewGetterFromStorageInterface returns a ServiceAccountTokenGetter that
-// uses the specified storage to retrieve service accounts and secrets.
-func NewGetterFromStorageInterface(
-	saConfig *storagebackend.Config,
-	saPrefix string,
-	secretConfig *storagebackend.Config,
-	secretPrefix string) serviceaccount.ServiceAccountTokenGetter {
-
-	saOpts := generic.RESTOptions{StorageConfig: saConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: saPrefix}
-	secretOpts := generic.RESTOptions{StorageConfig: secretConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: secretPrefix}
-	return NewGetterFromRegistries(
-		serviceaccountregistry.NewRegistry(serviceaccountstore.NewREST(saOpts, nil, nil, nil)),
-		secret.NewRegistry(secretstore.NewREST(secretOpts)),
-	)
+func (c clientGetter) GetSecret(namespace, name string) (*v1.Secret, error) {
+	return c.client.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
 }
diff --git a/pkg/kubeapiserver/authenticator/BUILD b/pkg/kubeapiserver/authenticator/BUILD
@@ -10,6 +10,7 @@ go_library(
     srcs = ["config.go"],
     importpath = "k8s.io/kubernetes/pkg/kubeapiserver/authenticator",
     deps = [
+        "//pkg/features:go_default_library",
         "//pkg/serviceaccount:go_default_library",
         "//vendor/github.com/go-openapi/spec:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
@@ -24,6 +25,7 @@ go_library(
         "//vendor/k8s.io/apiserver/pkg/authentication/token/cache:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/token/tokenfile:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/util/feature:go_default_library",
         "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
         "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
         "//vendor/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",

diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
@@ -33,11 +33,13 @@ import (
 	tokencache "k8s.io/apiserver/pkg/authentication/token/cache"
 	"k8s.io/apiserver/pkg/authentication/token/tokenfile"
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
 	"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/pkg/features"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -59,6 +61,8 @@ type AuthenticatorConfig struct {
 	OIDCSigningAlgs             []string
 	ServiceAccountKeyFiles      []string
 	ServiceAccountLookup        bool
+	ServiceAccountIssuer        string
+	ServiceAccountAPIAudiences  []string
 	WebhookTokenAuthnConfigFile string
 	WebhookTokenAuthnCacheTTL   time.Duration
 
@@ -123,7 +127,14 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
 		tokenAuthenticators = append(tokenAuthenticators, tokenAuth)
 	}
 	if len(config.ServiceAccountKeyFiles) > 0 {
-		serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
+		serviceAccountAuth, err := newLegacyServiceAccountAuthenticator(config.ServiceAccountKeyFiles, config.ServiceAccountLookup, config.ServiceAccountTokenGetter)
+		if err != nil {
+			return nil, nil, err
+		}
+		tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
+	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {
+		serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountAPIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -267,8 +278,8 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
 	return tokenAuthenticator, nil
 }
 
-// newServiceAccountAuthenticator returns an authenticator.Token or an error
-func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
+// newLegacyServiceAccountAuthenticator returns an authenticator.Token or an error
+func newLegacyServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
 	allPublicKeys := []interface{}{}
 	for _, keyfile := range keyfiles {
 		publicKeys, err := certutil.PublicKeysFromFile(keyfile)
@@ -282,6 +293,21 @@ func newServiceAccountAuthenticator(keyfiles []string, lookup bool, serviceAccou
 	return tokenAuthenticator, nil
 }
 
+// newServiceAccountAuthenticator returns an authenticator.Token or an error
+func newServiceAccountAuthenticator(iss string, audiences []string, keyfiles []string, serviceAccountGetter serviceaccount.ServiceAccountTokenGetter) (authenticator.Token, error) {
+	allPublicKeys := []interface{}{}
+	for _, keyfile := range keyfiles {
+		publicKeys, err := certutil.PublicKeysFromFile(keyfile)
+		if err != nil {
+			return nil, err
+		}
+		allPublicKeys = append(allPublicKeys, publicKeys...)
+	}
+
+	tokenAuthenticator := serviceaccount.JWTTokenAuthenticator(iss, allPublicKeys, serviceaccount.NewValidator(audiences, serviceAccountGetter))
+	return tokenAuthenticator, nil
+}
+
 // newAuthenticatorFromClientCAFile returns an authenticator.Request or an error
 func newAuthenticatorFromClientCAFile(clientCAFile string) (authenticator.Request, error) {
 	roots, err := certutil.NewPool(clientCAFile)

diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
@@ -70,9 +70,10 @@ type PasswordFileAuthenticationOptions struct {
 }
 
 type ServiceAccountAuthenticationOptions struct {
-	KeyFiles []string
-	Lookup   bool
-	Issuer   string
+	KeyFiles     []string
+	Lookup       bool
+	Issuer       string
+	APIAudiences []string
 }
 
 type TokenFileAuthenticationOptions struct {
@@ -236,15 +237,21 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 	if s.ServiceAccounts != nil {
 		fs.StringArrayVar(&s.ServiceAccounts.KeyFiles, "service-account-key-file", s.ServiceAccounts.KeyFiles, ""+
 			"File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify "+
-			"ServiceAccount tokens. If unspecified, --tls-private-key-file is used. "+
-			"The specified file can contain multiple keys, and the flag can be specified multiple times with different files.")
+			"ServiceAccount tokens. The specified file can contain multiple keys, and the flag can "+
+			"be specified multiple times with different files. If unspecified, "+
+			"--tls-private-key-file is used. Must be specified when "+
+			"--service-account-signing-key is provided")
 
 		fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup,
 			"If true, validate ServiceAccount tokens exist in etcd as part of authentication.")
 
 		fs.StringVar(&s.ServiceAccounts.Issuer, "service-account-issuer", s.ServiceAccounts.Issuer, ""+
 			"Identifier of the service account token issuer. The issuer will assert this identifier "+
 			"in \"iss\" claim of issued tokens. This value is a string or URI.")
+
+		fs.StringSliceVar(&s.ServiceAccounts.APIAudiences, "service-account-api-audiences", s.ServiceAccounts.APIAudiences, ""+
+			"Identifiers of the API. The service account token authenticator will validate that "+
+			"tokens used against the API are bound to at least one of these audiences.")
 	}
 
 	if s.TokenFile != nil {
@@ -303,6 +310,8 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
 	if s.ServiceAccounts != nil {
 		ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
 		ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
+		ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
+		ret.ServiceAccountAPIAudiences = s.ServiceAccounts.APIAudiences
 	}
 
 	if s.TokenFile != nil {

diff --git a/pkg/master/master.go b/pkg/master/master.go
@@ -157,7 +157,8 @@ type ExtraConfig struct {
 	// Selects which reconciler to use
 	EndpointReconcilerType reconcilers.Type
 
-	ServiceAccountIssuer serviceaccount.TokenGenerator
+	ServiceAccountIssuer       serviceaccount.TokenGenerator
+	ServiceAccountAPIAudiences []string
 }
 
 type Config struct {
@@ -314,14 +315,15 @@ func (c completedConfig) New(delegationTarget genericapiserver.DelegationTarget)
 	// install legacy rest storage
 	if c.ExtraConfig.APIResourceConfigSource.VersionEnabled(apiv1.SchemeGroupVersion) {
 		legacyRESTStorageProvider := corerest.LegacyRESTStorageProvider{
-			StorageFactory:       c.ExtraConfig.StorageFactory,
-			ProxyTransport:       c.ExtraConfig.ProxyTransport,
-			KubeletClientConfig:  c.ExtraConfig.KubeletClientConfig,
-			EventTTL:             c.ExtraConfig.EventTTL,
-			ServiceIPRange:       c.ExtraConfig.ServiceIPRange,
-			ServiceNodePortRange: c.ExtraConfig.ServiceNodePortRange,
-			LoopbackClientConfig: c.GenericConfig.LoopbackClientConfig,
-			ServiceAccountIssuer: c.ExtraConfig.ServiceAccountIssuer,
+			StorageFactory:             c.ExtraConfig.StorageFactory,
+			ProxyTransport:             c.ExtraConfig.ProxyTransport,
+			KubeletClientConfig:        c.ExtraConfig.KubeletClientConfig,
+			EventTTL:                   c.ExtraConfig.EventTTL,
+			ServiceIPRange:             c.ExtraConfig.ServiceIPRange,
+			ServiceNodePortRange:       c.ExtraConfig.ServiceNodePortRange,
+			LoopbackClientConfig:       c.GenericConfig.LoopbackClientConfig,
+			ServiceAccountIssuer:       c.ExtraConfig.ServiceAccountIssuer,
+			ServiceAccountAPIAudiences: c.ExtraConfig.ServiceAccountAPIAudiences,
 		}
 		m.InstallLegacyAPI(&c, c.GenericConfig.RESTOptionsGetter, legacyRESTStorageProvider)
 	}