Merge pull request #71816 from liggitt/service-account-lookup
Look up service accounts from informer before trying live lookup
This commit is contained in:
Kubernetes Prow Robot
@@ -20,30 +20,43 @@ import (
|
||||
"k8s.io/api/core/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
v1listers "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
)
|
||||
|
||||
// clientGetter implements ServiceAccountTokenGetter using a clientset.Interface
|
||||
type clientGetter struct {
|
||||
client clientset.Interface
|
||||
client clientset.Interface
|
||||
secretLister v1listers.SecretLister
|
||||
serviceAccountLister v1listers.ServiceAccountLister
|
||||
podLister v1listers.PodLister
|
||||
}
|
||||
|
||||
// NewGetterFromClient returns a ServiceAccountTokenGetter that
|
||||
// uses the specified client to retrieve service accounts and secrets.
|
||||
// The client should NOT authenticate using a service account token
|
||||
// the returned getter will be used to retrieve, or recursion will result.
|
||||
func NewGetterFromClient(c clientset.Interface) serviceaccount.ServiceAccountTokenGetter {
|
||||
return clientGetter{c}
|
||||
func NewGetterFromClient(c clientset.Interface, secretLister v1listers.SecretLister, serviceAccountLister v1listers.ServiceAccountLister, podLister v1listers.PodLister) serviceaccount.ServiceAccountTokenGetter {
|
||||
return clientGetter{c, secretLister, serviceAccountLister, podLister}
|
||||
}
|
||||
|
||||
func (c clientGetter) GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error) {
|
||||
if serviceAccount, err := c.serviceAccountLister.ServiceAccounts(namespace).Get(name); err == nil {
|
||||
return serviceAccount, nil
|
||||
}
|
||||
return c.client.CoreV1().ServiceAccounts(namespace).Get(name, metav1.GetOptions{})
|
||||
}
|
||||
|
||||
func (c clientGetter) GetPod(namespace, name string) (*v1.Pod, error) {
|
||||
if pod, err := c.podLister.Pods(namespace).Get(name); err == nil {
|
||||
return pod, nil
|
||||
}
|
||||
return c.client.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
|
||||
}
|
||||
|
||||
func (c clientGetter) GetSecret(namespace, name string) (*v1.Secret, error) {
|
||||
if secret, err := c.secretLister.Secrets(namespace).Get(name); err == nil {
|
||||
return secret, nil
|
||||
}
|
||||
return c.client.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
|
||||
}
|
||||
|
||||
@@ -57,6 +57,8 @@ go_test(
|
||||
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/kubernetes/fake:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/listers/core/v1:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/tools/cache:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
|
||||
"//vendor/gopkg.in/square/go-jose.v2/jwt:go_default_library",
|
||||
],
|
||||
|
||||
@@ -19,6 +19,7 @@ package serviceaccount_test
|
||||
import (
|
||||
"context"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"k8s.io/api/core/v1"
|
||||
@@ -26,6 +27,8 @@ import (
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
v1listers "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
@@ -277,7 +280,18 @@ func TestTokenGenerateAndValidate(t *testing.T) {
|
||||
|
||||
for k, tc := range testCases {
|
||||
auds := authenticator.Audiences{"api"}
|
||||
getter := serviceaccountcontroller.NewGetterFromClient(tc.Client)
|
||||
getter := serviceaccountcontroller.NewGetterFromClient(
|
||||
tc.Client,
|
||||
v1listers.NewSecretLister(newIndexer(func(namespace, name string) (interface{}, error) {
|
||||
return tc.Client.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
|
||||
})),
|
||||
v1listers.NewServiceAccountLister(newIndexer(func(namespace, name string) (interface{}, error) {
|
||||
return tc.Client.CoreV1().ServiceAccounts(namespace).Get(name, metav1.GetOptions{})
|
||||
})),
|
||||
v1listers.NewPodLister(newIndexer(func(namespace, name string) (interface{}, error) {
|
||||
return tc.Client.CoreV1().Pods(namespace).Get(name, metav1.GetOptions{})
|
||||
})),
|
||||
)
|
||||
authn := serviceaccount.JWTTokenAuthenticator(serviceaccount.LegacyIssuer, tc.Keys, auds, serviceaccount.NewLegacyValidator(tc.Client != nil, getter))
|
||||
|
||||
// An invalid, non-JWT token should always fail
|
||||
@@ -316,3 +330,23 @@ func TestTokenGenerateAndValidate(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func newIndexer(get func(namespace, name string) (interface{}, error)) cache.Indexer {
|
||||
return &fakeIndexer{get: get}
|
||||
}
|
||||
|
||||
type fakeIndexer struct {
|
||||
cache.Indexer
|
||||
get func(namespace, name string) (interface{}, error)
|
||||
}
|
||||
|
||||
func (f *fakeIndexer) GetByKey(key string) (interface{}, bool, error) {
|
||||
parts := strings.SplitN(key, "/", 2)
|
||||
namespace := parts[0]
|
||||
name := ""
|
||||
if len(parts) == 2 {
|
||||
name = parts[1]
|
||||
}
|
||||
obj, err := f.get(namespace, name)
|
||||
return obj, err == nil, err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user