New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UPSTREAM: <carry>: oauth-authn: add implicit audience support #24461
UPSTREAM: <carry>: oauth-authn: add implicit audience support #24461
Conversation
6e5f508
to
5e8d514
Compare
I have to get to a computer to see, but this looks plausible. /Approve |
5e8d514
to
163c216
Compare
Fixed the unit tests using the changed constructor. |
|
||
auds := kauthenticator.Audiences(tokenAudiences).Intersect(requestedAudiences) | ||
if len(auds) == 0 && len(a.implicitAuds) != 0 { | ||
return nil, false, fmt.Errorf("token audiences %q is invalid for the target audiences %q", tokenAudiences, requestedAudiences) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll allow this because I think it will never happen, but the oidc example suggests return nil, false, nil
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's copied one-to-one from the service account authenticator.
/lgtm holding on proof that the serial test is improve |
/retest |
GCP infra flakes |
/retest |
|
@@ -55,6 +58,18 @@ func (a *tokenAuthenticator) AuthenticateToken(ctx context.Context, name string) | |||
groupNames = append(groupNames, group.Name) | |||
} | |||
|
|||
tokenAudiences := a.implicitAuds |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(No action required) Consider simplifying:
// Default to implicit audiences
audiences := a.implicitAuds
if len(a.implicitAuds) > 0 {
// Only validate audiences when both implicit audiences and context-provided
// audiences are present.
requestedAudiences, ok := kauthenticator.AudiencesFrom(ctx)
if ok {
// Valid audiences for the token consist of the non-empty intersection
// between the implicit and requested audiences.
audiences = kauthenticator.Audiences(a.implicitAuds).Intersect(requestedAudiences)
if len(audiences) == 0 {
return nil, false, fmt.Errorf("token audiences %q is invalid for the target audiences %q", a.implicitAuds, requestedAudiences)
}
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wanted to keep the structure of the service account authenticator
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to less nesting however visual-only that might appear
/retest |
Now that #24458 was manually merged e2e-aws-serial should be capable of passing. |
/retest |
/retest |
163c216
to
0d87344
Compare
#24458 merged to fix the imagetags issue. Rebased. |
|
/retest GCP flakes |
/lgtm |
/test e2e-cmd |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/test e2e-cmd |
/hold cancel |
/retest |
/ignore e2e-cmd |
/override ci/prow/e2e-aws-serial |
force merging this as it make the queue stable again. |
@mfojtik: Overrode contexts on behalf of mfojtik: ci/prow/e2e-aws-serial, ci/prow/e2e-cmd, ci/prow/e2e-gcp, ci/prow/e2e-gcp-upgrade In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sttts: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
The TokenReview REST implementation expects that the authn chain returns audiences in the authn response. Authenticators that don't support audiences must return the default slice of audiences, e.g. the legacy service account authenticator does that. This PR adds that to our custom oauth authenticator.
Folliowing https://github.com/kubernetes/kubernetes/blob/master/pkg/serviceaccount/jwt.go#L283.
Compare https://github.com/kubernetes/kubernetes/pull/69582/files#r225535241.