Merge pull request #58791 from mikedanese/jwt0
Automatic merge from submit-queue (batch tested with PRs 58626, 58791). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

serviceaccount: check token is issued by correct iss before verifying

Right now, if a JWT for an unknown issuer, for any subject, hits the serviceaccount token authenticator, we return an error as if the token was meant for us but we couldn't find a key to verify it. We should instead return nil, false, nil. This change helps us support multiple service account token authenticators with different issuers.

https://github.com/kubernetes/kubernetes/issues/58790

```release-note
NONE
```
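The routing behaviour the commit message describes, as an added Go example that is not code from this PR or from Kubernetes: the authenticator reads the still-unverified iss claim first, returns ("", false, nil) for a foreign issuer so another authenticator may claim the token, and only then does key and signature work. HS256 with a shared key, the Authenticator and Mint names, and the issuer string "kubernetes/serviceaccount" are assumptions for a self-contained demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Authenticator stands in for the serviceaccount token authenticator: it claims only
// tokens whose "iss" equals its own issuer. HS256/shared key is a demo assumption.
type Authenticator struct{ Issuer string; Key []byte }

// Authenticate returns (subject, ok, err). A foreign "iss" yields ("", false, nil):
// not ours, so another authenticator with a different issuer may try the token.
func (a Authenticator) Authenticate(token string) (string, bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false, nil
	}
	var claims struct{ Iss, Sub string }
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return "", false, nil
	}
	// The unverified "iss" only routes the token; it is checked before any key work.
	if claims.Iss != a.Issuer {
		return "", false, nil
	}
	// From here on the token claims to be ours, so a bad signature is a real error.
	mac := hmac.New(sha256.New, a.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", false, errors.New("invalid signature on token for issuer " + a.Issuer)
	}
	return claims.Sub, true, nil
}

// Mint builds an HS256 token for the demo (constructed helper, not a Kubernetes API).
func Mint(issuer, subject string, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(map[string]string{"iss": issuer, "sub": subject})
	signingInput := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}
```

A token minted for our issuer with the wrong key is an error, while the same token for any other issuer is simply not claimed; that distinction is what lets several authenticators with different issuers be chained.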
@@ -571,7 +571,7 @@ func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController
|
||||
ctx.InformerFactory.Core().V1().Secrets(),
|
||||
c.rootClientBuilder.ClientOrDie("tokens-controller"),
|
||||
serviceaccountcontroller.TokensControllerOptions{
|
||||
TokenGenerator: serviceaccount.JWTTokenGenerator(privateKey),
|
||||
TokenGenerator: serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey),
|
||||
RootCA: rootCA,
|
||||
},
|
||||
)
|
||||
|
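Review bot: the issuer is now hardcoded here as serviceaccount.LegacyIssuer, and per the description the authenticator will return nil, false, nil for any token whose iss it does not recognise, so the TokensController generator and the authenticator must be configured with the identical issuer string or every controller-minted token will be treated as not-ours with no diagnostic error. Suggest a comment on this line pointing at where the authenticator's expected issuer is set, or a test asserting that a token from `serviceaccount.JWTTokenGenerator(serviceaccount.LegacyIssuer, privateKey)` is accepted by the default authenticator.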