github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

promote --service-account-api-audiences to top level kube-apiserver config

Browse Source 
The service account authenticator isn't the only authenticator that
should respect API audience. The authentication config structure should
reflect that.
This commit is contained in:
Mike Danese
2018-10-22 18:01:40 -07:00
parent 1af393d58e
commit 371b1e7fed
6 changed files with 24 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/kubeapiserver/authenticator/config.go
View File

@@ -63,7 +63,7 @@ type AuthenticatorConfig struct {
ServiceAccountKeyFiles []string
ServiceAccountLookup bool
ServiceAccountIssuer string
ServiceAccountAPIAudiences []string
APIAudiences []string
WebhookTokenAuthnConfigFile string
WebhookTokenAuthnCacheTTL time.Duration
@@ -141,7 +141,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
tokenAuthenticators = append(tokenAuthenticators, serviceAccountAuth)
}
if utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) && config.ServiceAccountIssuer != "" {
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.ServiceAccountAPIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
serviceAccountAuth, err := newServiceAccountAuthenticator(config.ServiceAccountIssuer, config.APIAudiences, config.ServiceAccountKeyFiles, config.ServiceAccountTokenGetter)
if err != nil {
return nil, nil, err
}