serviceaccount: check token is issued by correct iss before verifying

Right now if a JWT for an unknown issuer, for any subject, hits the
serviceaccount token authenticator, we return an error as if the token
was meant for us but we couldn't find a key to verify it. We should
instead return nil, false, nil.

This change helps us support multiple service account token
authenticators with different issuers.
Mike Danese
2018-01-24 20:21:07 -08:00
parent f02f438a7a
commit 057b7af798
5 changed files with 75 additions and 20 deletions

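The issuer-first check the commit message describes, as an added stand-alone Go example that is not code from the Kubernetes repository. It shows the three outcomes an authenticator in a chain needs to distinguish: a valid token from our issuer, a token from some other issuer (nil, false, nil, so the next authenticator can try), and a token that claims our issuer but fails signature verification (a hard error). HS256 with a shared key is assumed here only to keep the example self-contained; the real service account authenticator verifies asymmetric signatures against its configured public keys. Issuer names, subjects and keys are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the minimal subset of the JWT payload this example needs.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
}

// Authenticator verifies HS256 tokens for exactly one issuer (assumed design).
// Authenticate returns (claims, ok, err) with the convention from the commit
// message: a token for a different issuer yields (nil, false, nil).
type Authenticator struct {
	Issuer string
	Key    []byte
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint builds a signed HS256 token; it stands in for the token generator.
func Mint(issuer, subject string, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{Issuer: issuer, Subject: subject})
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// decodeUnverified splits the token and parses the payload WITHOUT checking
// the signature. Nothing it returns may be trusted until the MAC is verified;
// it exists only so the issuer can be inspected before choosing a key.
func decodeUnverified(token string) ([]string, *Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, errors.New("malformed token: expected 3 segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, nil, err
	}
	return parts, &c, nil
}

// Authenticate applies the issuer check first, then the signature check.
func (a Authenticator) Authenticate(token string) (*Claims, bool, error) {
	parts, claims, err := decodeUnverified(token)
	if err != nil {
		// Not even a JWT: this authenticator has nothing to say about it
		// (design choice for the example; another authenticator may accept it).
		return nil, false, nil
	}
	if claims.Issuer != a.Issuer {
		// Issued by someone else: not ours to verify, and not an error.
		return nil, false, nil
	}
	mac := hmac.New(sha256.New, a.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		// The token claims our issuer, so a bad signature is a real failure.
		return nil, false, errors.New("token for issuer " + a.Issuer + " has an invalid signature")
	}
	// The MAC covered parts[1] byte-for-byte, so the parsed claims are now trusted.
	return claims, true, nil
}

func main() {
	ours := Authenticator{Issuer: "kubernetes/serviceaccount", Key: []byte("constructed-key")}
	if c, ok, err := ours.Authenticate(Mint(ours.Issuer, "system:serviceaccount:default:sa", ours.Key)); ok {
		fmt.Println("accepted:", c.Subject, err)
	}
	_, ok, err := ours.Authenticate(Mint("https://other-issuer.example", "bob", []byte("other")))
	fmt.Println("foreign issuer -> ok:", ok, "err:", err)
}
```

Feeding a foreign-issuer token through a chain of these authenticators, only the one whose `Issuer` matches ever consults its key, which is exactly what lets several issuers coexist without a mismatched token being reported as a verification failure.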

@@ -568,7 +568,7 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController
ctx.InformerFactory.Core().V1().Secrets(),
c.rootClientBuilder.ClientOrDie("tokens-controller"),
serviceaccountcontroller.TokensControllerOptions{
TokenGenerator: serviceaccount.JWTTokenGenerator(privateKey),
TokenGenerator: serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey),
RootCA: rootCA,
},
)
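Review bot: the issuer string handed to `serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey)` must be the same value the authenticator compares against the `iss` claim, otherwise every token this controller mints is treated as "not for us" and silently skipped (nil, false, nil) instead of failing loudly; `serviceaccount.LegacyIssuer` is introduced outside this hunk, so confirm it is a single shared constant used by both the generator and the authenticator rather than a literal duplicated on each side, and that the generator's signature change is covered by a test that round-trips a minted token through the authenticator.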