
authn: extend authenticator.Token to support audience validation #62692

Merged
merged 4 commits into from Nov 17, 2018

Conversation

@mikedanese
Member

commented Apr 17, 2018

TokenReview now supports audience validation of tokens with audiences other than the kube-apiserver. 

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch 2 times, most recently from a28b61f to 2071d9f Apr 17, 2018

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Apr 17, 2018

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch from 2071d9f to 72ab1ae Apr 23, 2018

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch from 72ab1ae to 45d5225 Apr 23, 2018

@ericchiang

Member

commented Apr 23, 2018

This is to let TokenReview start handling audiences, right?

@mikedanese

Member Author

commented Apr 23, 2018

@ericchiang that's the goal.

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch 3 times, most recently from d913e4d to e99d1c0 Apr 24, 2018

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch 2 times, most recently from e75aa0a to 595ba18 May 2, 2018

@@ -147,6 +149,8 @@ func (s *DelegatingAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
if s.RemoteKubeConfigFileOptional {
optionalKubeConfigSentence = " This is optional. If empty, all token requests are considered to be anonymous and no client CA is looked up in the cluster."
}
fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, "Identifiers of this API server. Authenticators will validate that tokens used against this API server are bound to at least one of these audiences.")
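Review bot: the help string on the added `fs.StringSliceVar(&s.APIAudiences, "api-audiences", ...)` line does not say what happens when the flag is left unset. Add a sentence stating the behaviour for an empty value, so an operator can tell from `--help` whether tokens are still audience-checked when no identifiers are configured.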

@liggitt

liggitt Nov 16, 2018

Member

indicate what happens if unset

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch from 9be009a to e1566ec Nov 16, 2018

mikedanese added some commits Apr 17, 2018

@mikedanese mikedanese force-pushed the mikedanese:trev2 branch 2 times, most recently from 9e17d8b to 31ba622 Nov 16, 2018

@mikedanese

Member Author

commented Nov 16, 2018

@liggitt PTAL

if len(auds) == 0 {
auds = r.apiAudiences
}
if len(auds) == 0 {
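Review bot: the second `if len(auds) == 0 {` repeats the condition of the first, so after the fallback to `r.apiAudiences` it is true only when both the request and the server have no audiences. The body is not visible here, but if that branch is meant to act on the resolved list the comparison should be `> 0`, and a test that passes a non-empty audience list would catch the difference.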

@liggitt

liggitt Nov 16, 2018

Member

if len >= 0, right? (and if tests passed with this, add a test that would have caught this)


@mikedanese mikedanese force-pushed the mikedanese:trev2 branch from 31ba622 to effad15 Nov 17, 2018
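The audience check this PR discusses, as an added Go example (not code from the PR or from Kubernetes): a token is accepted only if it is bound to at least one of the audiences named in the review request, falling back to the server's own API audiences when the request names none. The type and function names, the sample audience strings, and the choice to skip the check when nothing is configured are assumptions of this example.

```go
package main

import "fmt"

// Audiences lists the identifiers a token is bound to (hypothetical type for this example).
type Audiences []string

// intersect returns the entries of a that also appear in b.
func intersect(a, b Audiences) Audiences {
	seen := make(map[string]bool, len(b))
	for _, s := range b {
		seen[s] = true
	}
	var out Audiences
	for _, s := range a {
		if seen[s] {
			out = append(out, s)
		}
	}
	return out
}

// checkToken resolves the audiences to validate against: the ones named in the
// review request, else the server's own API audiences (the fallback discussed in the PR).
func checkToken(tokenAuds, requested, apiAuds Audiences) (Audiences, error) {
	want := requested
	if len(want) == 0 {
		want = apiAuds
	}
	if len(want) == 0 {
		// Assumption of this example: nothing configured means no audience check.
		return nil, nil
	}
	matched := intersect(tokenAuds, want)
	if len(matched) == 0 {
		return nil, fmt.Errorf("token audiences %v do not include any of %v", tokenAuds, want)
	}
	return matched, nil
}

func main() {
	api := Audiences{"https://kubernetes.default.svc"} // constructed sample values
	cases := []struct{ token, requested Audiences }{
		{Audiences{"vault"}, Audiences{"vault"}}, // third-party audience, requested explicitly
		{Audiences{"vault"}, nil},                // same token presented to the API server
		{api, nil},                               // token bound to the API server
	}
	for _, c := range cases {
		m, err := checkToken(c.token, c.requested, api)
		fmt.Printf("token=%v requested=%v matched=%v err=%v\n", c.token, c.requested, m, err)
	}
}
```

The second case is the one audience binding exists for: a token minted for another service is rejected when it is presented where the API server's own audiences apply.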

@liggitt

Member

commented Nov 17, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Nov 17, 2018

@k8s-ci-robot

Contributor

commented Nov 17, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mikedanese


@mikedanese

Member Author

commented Nov 17, 2018

/retest

@k8s-ci-robot

Contributor

commented Nov 17, 2018

@mikedanese: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-local-e2e-containerized 3c95aee link /test pull-kubernetes-local-e2e-containerized


@mikedanese

Member Author

commented Nov 17, 2018

/retest


@k8s-ci-robot k8s-ci-robot merged commit f38cc95 into kubernetes:master Nov 17, 2018

18 checks passed

cla/linuxfoundation: mikedanese authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-e2e-kubeadm-gce: Skipped
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-local-e2e-containerized: Skipped
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
tide: In merge pool.

@mikedanese mikedanese deleted the mikedanese:trev2 branch Nov 17, 2018

@liggitt

Member

commented Nov 18, 2018

can you link the docs PR for the relevant docs update against the dev-1.13 branch?
