Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix incompatible AAD token #86412

Merged
merged 1 commit into from Dec 19, 2019
Merged

fix incompatible AAD token #86412

merged 1 commit into from Dec 19, 2019

Conversation

@weinong
Copy link
Contributor

weinong commented Dec 19, 2019

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
It fixes issue #86410 where AAD token obtained by kubectl is incompatible with on-behalf-of flow and oidc. The audience claim before this fix has spn: prefix. After this fix, spn: prefix is omitted.

Which issue(s) this PR fixes:
Fixes #86410

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Fixes issue where AAD token obtained by kubectl is incompatible with on-behalf-of flow and oidc.
The audience claim before this fix has "spn:" prefix. After this fix, "spn:" prefix is omitted.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Dec 19, 2019

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Dec 19, 2019

Welcome @weinong!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Dec 19, 2019

Hi @weinong. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@andyzhangx

This comment has been minimized.

Copy link
Member

andyzhangx commented Dec 19, 2019

/ok-to-test
/priority important-soon
/sig cloud-provider
/area provider/azure

@andyzhangx

This comment has been minimized.

Copy link
Member

andyzhangx commented Dec 19, 2019

/test pull-kubernetes-e2e-aks-engine-azure
/test pull-kubernetes-e2e-azure-disk
/test pull-kubernetes-e2e-azure-disk-vmss

Copy link
Member

feiskyer left a comment

Looks good.

Could you sign CLA following #86412 (comment) and add a release note for this change? We need cherry-pick this to old branches.

@andyzhangx

This comment has been minimized.

Copy link
Member

andyzhangx commented Dec 19, 2019

/test pull-kubernetes-e2e-aks-engine-azure
/test pull-kubernetes-e2e-azure-disk
/test pull-kubernetes-e2e-azure-disk-vmss

@andyzhangx

This comment has been minimized.

Copy link
Member

andyzhangx commented Dec 19, 2019

let's wait for the azure test result, will approve if it passes

@weinong

This comment has been minimized.

Copy link
Contributor Author

weinong commented Dec 19, 2019

@feiskyer thanks. signed cla and fixed release note

@feiskyer

This comment has been minimized.

Copy link
Member

feiskyer commented Dec 19, 2019

/retest

1 similar comment
@weinong

This comment has been minimized.

Copy link
Contributor Author

weinong commented Dec 19, 2019

/retest

Copy link
Member

feiskyer left a comment

/lgtm
/approve

@feiskyer

This comment has been minimized.

Copy link
Member

feiskyer commented Dec 19, 2019

/assign @mikedanese

@mikedanese could you help to approve the changes? Thanks

@feiskyer

This comment has been minimized.

Copy link
Member

feiskyer commented Dec 19, 2019

e2e-gce tests are flacky: [Flaky Test] In-tree Volumes #86318

@mikedanese

This comment has been minimized.

Copy link
Member

mikedanese commented Dec 19, 2019

/approve
/retest

@k8s-ci-robot

This comment has been minimized.

Copy link
Contributor

k8s-ci-robot commented Dec 19, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer, mikedanese, weinong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 3577447 into kubernetes:master Dec 19, 2019
18 checks passed
18 checks passed
cla/linuxfoundation weinong authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-dependencies Job succeeded.
Details
pull-kubernetes-e2e-aks-engine-azure Job succeeded.
Details
pull-kubernetes-e2e-azure-disk Job succeeded.
Details
pull-kubernetes-e2e-azure-disk-vmss Job succeeded.
Details
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-kind Job succeeded.
Details
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-node-e2e-containerd Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
tide In merge pool.
Details
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Dec 19, 2019
@weinong weinong deleted the weinong:issue-86410 branch Dec 19, 2019
k8s-ci-robot added a commit that referenced this pull request Dec 25, 2019
…2-upstream-release-1.15

Automated cherry pick of #86412: It fixes a bug where AAD token obtained by kubectl is
k8s-ci-robot added a commit that referenced this pull request Dec 25, 2019
…2-upstream-release-1.16

Automated cherry pick of #86412: It fixes a bug where AAD token obtained by kubectl is
k8s-ci-robot added a commit that referenced this pull request Dec 25, 2019
…2-upstream-release-1.17

Automated cherry pick of #86412: It fixes a bug where AAD token obtained by kubectl is
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.