Enable service account token lookup by default

```release-note
kube-apiserver: --service-account-lookup now defaults to true. This enables service account tokens to be revoked by deleting the Secret object containing the token.
```
Jordan Liggitt 2017-04-04 22:00:07 -04:00
parent 4d8ffb23ef
commit 0d2e5a0dd8
GPG Key ID: 24E7ADF9A3B42012
5 changed files with 5 additions and 5 deletions


@ -26,7 +26,7 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
source "$KUBE_ROOT/cluster/common.sh" source "$KUBE_ROOT/cluster/common.sh"
export LIBVIRT_DEFAULT_URI=qemu:///system export LIBVIRT_DEFAULT_URI=qemu:///system
export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false} export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota} export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota}
readonly POOL=kubernetes readonly POOL=kubernetes
readonly POOL_PATH=/var/lib/libvirt/images/kubernetes readonly POOL_PATH=/var/lib/libvirt/images/kubernetes
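Review bot: The `SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}` default records nothing about why true is now the default or what an environment override of `false` gives up; the same applies to the identical default in the `set_service_accounts` section further down. A one-line comment above the assignment would make the trade-off visible to whoever sets the variable: `# Default to true: a service account token is rejected once its Secret is deleted; set to false only to disable that revocation.` The value is not validated in this hunk, so a value other than true/false would presumably reach the apiserver flag unchanged — worth confirming where the variable is consumed. In the later section the enclosing `set_service_accounts` function continues past the end of the hunk.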


@ -135,7 +135,7 @@ coreos:
--token-auth-file=/var/lib/kube-apiserver/known_tokens.csv \ --token-auth-file=/var/lib/kube-apiserver/known_tokens.csv \
--v=2 \ --v=2 \
--service-account-key-file=/var/run/kubernetes/kube-serviceaccount.key \ --service-account-key-file=/var/run/kubernetes/kube-serviceaccount.key \
--service-account-lookup=false \ --service-account-lookup=true \
--admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultTolerationSeconds,ResourceQuota --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,DefaultTolerationSeconds,ResourceQuota
Restart=always Restart=always
RestartSec=5 RestartSec=5
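Review bot: The explicit `--service-account-lookup=true \` on the ExecStart line now matches the compiled-in default this same commit changes in `WithServiceAccounts`, so the flag is redundant with the binary's behaviour; the same holds for the second cloud-config section further down. Keeping it explicit is still the right call, because it pins revocation-on-Secret-deletion for this unit even if the compiled default moves again, but that reasoning is not recorded anywhere. Since these lines sit inside a `\`-continued ExecStart, a comment cannot be placed next to the flag; the rationale belongs in the file's header or the unit's description, e.g. `# --service-account-lookup=true is set explicitly so deleting a token's Secret revokes it regardless of the apiserver default.`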


@ -361,7 +361,7 @@ function start_etcd {
} }
function set_service_accounts { function set_service_accounts {
SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false} SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-/tmp/kube-serviceaccount.key} SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-/tmp/kube-serviceaccount.key}
# Generate ServiceAccount key if needed # Generate ServiceAccount key if needed
if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then


@ -147,7 +147,7 @@ func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticatio
} }
func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { func (s *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions {
s.ServiceAccounts = &ServiceAccountAuthenticationOptions{} s.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true}
return s return s
} }
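Review bot: `WithServiceAccounts` has no doc comment, and after this change it is the only visible place that turns lookup on — a `ServiceAccountAuthenticationOptions{}` built anywhere else still gets `Lookup: false` from the zero value, so the secure default depends on callers going through this constructor (whether any other construction sites exist is not visible from the hunk). Suggest documenting that contract on the method: `// WithServiceAccounts enables service account token authentication. Lookup defaults to true so a token is rejected once its Secret is deleted; pass --service-account-lookup=false to opt out.` The help text of the `--service-account-lookup` flag is outside this hunk; it should be checked that it states the new default rather than the old one. The function body is fully contained in the hunk.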


@ -90,7 +90,7 @@ coreos:
ExecStartPre=/opt/bin/wupiao 127.0.0.1:2379/v2/machines ExecStartPre=/opt/bin/wupiao 127.0.0.1:2379/v2/machines
ExecStart=/opt/bin/kube-apiserver \ ExecStart=/opt/bin/kube-apiserver \
--service-account-key-file=/opt/bin/kube-serviceaccount.key \ --service-account-key-file=/opt/bin/kube-serviceaccount.key \
--service-account-lookup=false \ --service-account-lookup=true \
--admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \ --admission-control=NamespaceLifecycle,NamespaceAutoProvision,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
--runtime-config=api/v1 \ --runtime-config=api/v1 \
--allow-privileged=true \ --allow-privileged=true \