github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Ignore Bootstrap Token secrets that don't use predictable names.

Browse Source 
This aligns with spec changes coming in https://github.com/kubernetes/community/pull/381.

Signed-off-by: Joe Beda <joe.github@bedafamily.com>
This commit is contained in:
Joe Beda
2017-02-20 10:21:07 -08:00
parent eb755a3306
commit 3a3c2fa0c8
10 changed files with 119 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/controller/bootstrap/util.go
View File

@@ -17,6 +17,7 @@ limitations under the License.
package bootstrap
import (
"regexp"
"time"
"github.com/golang/glog"
@@ -25,6 +26,9 @@ import (
bootstrapapi "k8s.io/kubernetes/pkg/bootstrap/api"
)
var namePattern = `^` + regexp.QuoteMeta(bootstrapapi.BootstrapTokenSecretPrefix) + `([a-z0-9]{6})$`
var nameRegExp = regexp.MustCompile(namePattern)
// getSecretString gets a string value from a secret. If there is an error or
// if the key doesn't exist, an empty string is returned.
func getSecretString(secret *v1.Secret, key string) string {
@@ -36,13 +40,33 @@ func getSecretString(secret *v1.Secret, key string) string {
return string(data)
}
// parseSecretName parses the name of the secret to extract the secret ID.
func parseSecretName(name string) (secretID string, ok bool) {
r := nameRegExp.FindStringSubmatch(name)
if r == nil {
return "", false
}
return r[1], true
}
func validateSecretForSigning(secret *v1.Secret) (tokenID, tokenSecret string, ok bool) {
nameTokenID, ok := parseSecretName(secret.Name)
if !ok {
glog.V(3).Infof("Invalid secret name: %s. Must be of form %s<secret-id>.", secret.Name, bootstrapapi.BootstrapTokenSecretPrefix)
return "", "", false
}
tokenID = getSecretString(secret, bootstrapapi.BootstrapTokenIDKey)
if len(tokenID) == 0 {
glog.V(3).Infof("No %s key in %s/%s Secret", bootstrapapi.BootstrapTokenIDKey, secret.Namespace, secret.Name)
return "", "", false
}
if nameTokenID != tokenID {
glog.V(3).Infof("Token ID (%s) doesn't match secret name: %s", tokenID, nameTokenID)
return "", "", false
}
tokenSecret = getSecretString(secret, bootstrapapi.BootstrapTokenSecretKey)
if len(tokenSecret) == 0 {
glog.V(3).Infof("No %s key in %s/%s Secret", bootstrapapi.BootstrapTokenSecretKey, secret.Namespace, secret.Name)