github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

apiserver: add warning about not trusting authz of aggregator

Browse Source
This commit is contained in:
Dr. Stefan Schimanski
2018-03-19 13:37:52 +01:00
parent ebae09e741
commit 50b98169ed
2 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View File

@@ -59,7 +59,8 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.ClientCAFile, "requestheader-client-ca-file", s.ClientCAFile, ""+ fs.StringVar(&s.ClientCAFile, "requestheader-client-ca-file", s.ClientCAFile, ""+
"Root certificate bundle to use to verify client certificates on incoming requests "+ "Root certificate bundle to use to verify client certificates on incoming requests "+
"before trusting usernames in headers specified by --requestheader-username-headers") "before trusting usernames in headers specified by --requestheader-username-headers. "+
"WARNING: generally do not depend on authorization being already done for incoming requests.")
fs.StringSliceVar(&s.AllowedNames, "requestheader-allowed-names", s.AllowedNames, ""+ fs.StringSliceVar(&s.AllowedNames, "requestheader-allowed-names", s.AllowedNames, ""+
"List of client certificate common names to allow to provide usernames in headers "+ "List of client certificate common names to allow to provide usernames in headers "+
@@ -218,8 +219,12 @@ func (s *DelegatingAuthenticationOptions) ToAuthenticationConfig() (authenticato
const ( const (
authenticationConfigMapNamespace = metav1.NamespaceSystem authenticationConfigMapNamespace = metav1.NamespaceSystem
authenticationConfigMapName = "extension-apiserver-authentication" // authenticationConfigMapName is the name of ConfigMap in the kube-system namespace holding the root certificate
authenticationRoleName = "extension-apiserver-authentication-reader" // bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified
// by --requestheader-username-headers. This is created in the cluster by the kube-apiserver.
// "WARNING: generally do not depend on authorization being already done for incoming requests.")
authenticationConfigMapName = "extension-apiserver-authentication"
authenticationRoleName = "extension-apiserver-authentication-reader"
) )
func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticationOptions, error) { func (s *DelegatingAuthenticationOptions) getClientCA() (*ClientCertAuthenticationOptions, error) {

5
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
View File

@@ -29,7 +29,10 @@ import (
) )
// DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to // DelegatingAuthorizationOptions provides an easy way for composing API servers to delegate their authorization to
// the root kube API server // the root kube API server.
// WARNING: never assume that every authenticated incoming request already does authorization.
// The aggregator in the kube API server does this today, but this behaviour is not
// guaranteed in the future.
type DelegatingAuthorizationOptions struct { type DelegatingAuthorizationOptions struct {
// RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the // RemoteKubeConfigFile is the file to use to connect to a "normal" kube API server which hosts the
// SubjectAccessReview.authorization.k8s.io endpoint for checking tokens. // SubjectAccessReview.authorization.k8s.io endpoint for checking tokens.