From 95acec5a3b4c07afba17b526e5cb031f8bb88630 Mon Sep 17 00:00:00 2001 From: cici37 Date: Tue, 26 May 2020 17:01:36 -0700 Subject: [PATCH] Move client_builder to k8s.io/controller-manager --- cluster/gce/gci/BUILD | 2 +- cluster/gce/gci/audit_policy_test.go | 2 +- .../app/options/BUILD | 2 +- .../app/options/options.go | 6 +- cmd/kube-controller-manager/app/BUILD | 1 + .../app/controllermanager.go | 16 +-- pkg/controller/BUILD | 9 +- pkg/controller/client_builder_dynamic.go | 6 +- pkg/controller/serviceaccount/BUILD | 1 + .../serviceaccount/tokens_controller.go | 3 +- pkg/serviceaccount/BUILD | 3 - pkg/serviceaccount/claims.go | 4 +- pkg/serviceaccount/jwt.go | 3 +- pkg/serviceaccount/legacy.go | 4 +- pkg/serviceaccount/util.go | 81 ------------ pkg/serviceaccount/util_test.go | 122 ------------------ .../security/podsecuritypolicy/BUILD | 2 +- .../security/podsecuritypolicy/admission.go | 2 +- plugin/pkg/admission/serviceaccount/BUILD | 1 + .../pkg/admission/serviceaccount/admission.go | 3 +- staging/src/k8s.io/apiserver/go.sum | 9 ++ .../pkg/authentication/serviceaccount/BUILD | 14 +- .../pkg/authentication/serviceaccount/util.go | 89 +++++++++++++ .../serviceaccount/util_test.go | 105 ++++++++++++++- staging/src/k8s.io/cli-runtime/go.sum | 3 + staging/src/k8s.io/controller-manager/BUILD | 1 + staging/src/k8s.io/controller-manager/go.mod | 1 + .../pkg/clientbuilder/BUILD | 41 ++++++ .../pkg/clientbuilder}/client_builder.go | 32 +++-- staging/src/k8s.io/sample-cli-plugin/go.sum | 3 + vendor/modules.txt | 1 + 31 files changed, 321 insertions(+), 251 deletions(-) delete mode 100644 pkg/serviceaccount/util.go delete mode 100644 pkg/serviceaccount/util_test.go create mode 100644 staging/src/k8s.io/controller-manager/pkg/clientbuilder/BUILD rename {pkg/controller => staging/src/k8s.io/controller-manager/pkg/clientbuilder}/client_builder.go (85%) diff --git a/cluster/gce/gci/BUILD b/cluster/gce/gci/BUILD index 9cf6153541e..83b689fd2e4 100644 --- a/cluster/gce/gci/BUILD 
+++ b/cluster/gce/gci/BUILD @@ -18,13 +18,13 @@ go_test( ], deps = [ "//pkg/api/legacyscheme:go_default_library", - "//pkg/serviceaccount:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apiserver/pkg/apis/audit:go_default_library", "//staging/src/k8s.io/apiserver/pkg/apis/audit/install:go_default_library", "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library", "//staging/src/k8s.io/apiserver/pkg/audit/policy:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/github.com/google/go-cmp/cmp:go_default_library", diff --git a/cluster/gce/gci/audit_policy_test.go b/cluster/gce/gci/audit_policy_test.go index 34e4abd27c2..3ea6f54b416 100644 --- a/cluster/gce/gci/audit_policy_test.go +++ b/cluster/gce/gci/audit_policy_test.go @@ -26,9 +26,9 @@ import ( auditinstall "k8s.io/apiserver/pkg/apis/audit/install" auditpkg "k8s.io/apiserver/pkg/audit" auditpolicy "k8s.io/apiserver/pkg/audit/policy" + "k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" - "k8s.io/kubernetes/pkg/serviceaccount" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/cmd/cloud-controller-manager/app/options/BUILD b/cmd/cloud-controller-manager/app/options/BUILD index e51020d9ffb..987060b071f 100644 --- a/cmd/cloud-controller-manager/app/options/BUILD +++ b/cmd/cloud-controller-manager/app/options/BUILD 
@@ -12,7 +12,6 @@ go_library( importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/options", deps = [ "//cmd/cloud-controller-manager/app/config:go_default_library", - "//pkg/controller:go_default_library", "//staging/src/k8s.io/api/core/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library", @@ -32,6 +31,7 @@ go_library( "//staging/src/k8s.io/cloud-provider/options:go_default_library", "//staging/src/k8s.io/component-base/cli/flag:go_default_library", "//staging/src/k8s.io/controller-manager/options:go_default_library", + "//staging/src/k8s.io/controller-manager/pkg/clientbuilder:go_default_library", "//staging/src/k8s.io/controller-manager/pkg/features/register:go_default_library", ], ) diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go index 649f8a0de99..2cb187ca8af 100644 --- a/cmd/cloud-controller-manager/app/options/options.go +++ b/cmd/cloud-controller-manager/app/options/options.go @@ -41,8 +41,8 @@ import ( cpoptions "k8s.io/cloud-provider/options" cliflag "k8s.io/component-base/cli/flag" cmoptions "k8s.io/controller-manager/options" + "k8s.io/controller-manager/pkg/clientbuilder" cloudcontrollerconfig "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config" - "k8s.io/kubernetes/pkg/controller" // add the related feature gates _ "k8s.io/controller-manager/pkg/features/register" 
@@ -194,11 +194,11 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config, c.EventRecorder = createRecorder(c.Client, userAgent) - rootClientBuilder := controller.SimpleControllerClientBuilder{ + rootClientBuilder := clientbuilder.SimpleControllerClientBuilder{ ClientConfig: c.Kubeconfig, } if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials { - c.ClientBuilder = controller.SAControllerClientBuilder{ + c.ClientBuilder = clientbuilder.SAControllerClientBuilder{ ClientConfig: restclient.AnonymousClientConfig(c.Kubeconfig), CoreClient: c.Client.CoreV1(), AuthenticationClient: c.Client.AuthenticationV1(), diff --git a/cmd/kube-controller-manager/app/BUILD b/cmd/kube-controller-manager/app/BUILD index a1743c1180c..01073992fbe 100644 --- a/cmd/kube-controller-manager/app/BUILD +++ b/cmd/kube-controller-manager/app/BUILD @@ -145,6 +145,7 @@ go_library( "//staging/src/k8s.io/component-base/version:go_default_library", "//staging/src/k8s.io/component-base/version/verflag:go_default_library", "//staging/src/k8s.io/controller-manager/app:go_default_library", + "//staging/src/k8s.io/controller-manager/pkg/clientbuilder:go_default_library", "//staging/src/k8s.io/csi-translation-lib:go_default_library", "//staging/src/k8s.io/csi-translation-lib/plugins:go_default_library", "//staging/src/k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1:go_default_library", diff --git a/cmd/kube-controller-manager/app/controllermanager.go b/cmd/kube-controller-manager/app/controllermanager.go index 36163663208..ec25b0d604d 100644 --- a/cmd/kube-controller-manager/app/controllermanager.go +++ b/cmd/kube-controller-manager/app/controllermanager.go @@ -30,7 +30,6 @@ import ( "time" "github.com/spf13/cobra" - v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" utilruntime "k8s.io/apimachinery/pkg/util/runtime" 
@@ -60,6 +59,7 @@ import ( "k8s.io/component-base/version" "k8s.io/component-base/version/verflag" genericcontrollermanager "k8s.io/controller-manager/app" + "k8s.io/controller-manager/pkg/clientbuilder" "k8s.io/klog/v2" "k8s.io/kubernetes/cmd/kube-controller-manager/app/config" "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" @@ -209,10 +209,10 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error { } run := func(ctx context.Context) { - rootClientBuilder := controller.SimpleControllerClientBuilder{ + rootClientBuilder := clientbuilder.SimpleControllerClientBuilder{ ClientConfig: c.Kubeconfig, } - var clientBuilder controller.ControllerClientBuilder + var clientBuilder clientbuilder.ControllerClientBuilder if c.ComponentConfig.KubeCloudShared.UseServiceAccountCredentials { if len(c.ComponentConfig.SAController.ServiceAccountKeyFile) == 0 { // It's possible another controller process is creating the tokens for us. @@ -229,7 +229,7 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error { "kube-system") } else { klog.V(1).Infof("using legacy client builder") - clientBuilder = controller.SAControllerClientBuilder{ + clientBuilder = clientbuilder.SAControllerClientBuilder{ ClientConfig: restclient.AnonymousClientConfig(c.Kubeconfig), CoreClient: c.Client.CoreV1(), AuthenticationClient: c.Client.AuthenticationV1(), @@ -302,7 +302,7 @@ func Run(c *config.CompletedConfig, stopCh <-chan struct{}) error { // ControllerContext defines the context object for controller type ControllerContext struct { // ClientBuilder will provide a client for this controller to use - ClientBuilder controller.ControllerClientBuilder + ClientBuilder clientbuilder.ControllerClientBuilder // InformerFactory gives access to informers for the controller. InformerFactory informers.SharedInformerFactory 
@@ -433,7 +433,7 @@ func NewControllerInitializers(loopMode ControllerLoopMode) map[string]InitFunc // TODO: In general, any controller checking this needs to be dynamic so // users don't have to restart their controller manager if they change the apiserver. // Until we get there, the structure here needs to be exposed for the construction of a proper ControllerContext. -func GetAvailableResources(clientBuilder controller.ControllerClientBuilder) (map[schema.GroupVersionResource]bool, error) { +func GetAvailableResources(clientBuilder clientbuilder.ControllerClientBuilder) (map[schema.GroupVersionResource]bool, error) { client := clientBuilder.ClientOrDie("controller-discovery") discoveryClient := client.Discovery() _, resourceMap, err := discoveryClient.ServerGroupsAndResources() @@ -461,7 +461,7 @@ func GetAvailableResources(clientBuilder controller.ControllerClientBuilder) (ma // CreateControllerContext creates a context struct containing references to resources needed by the // controllers such as the cloud provider and clientBuilder. rootClientBuilder is only used for // the shared-informers client and token controller. -func CreateControllerContext(s *config.CompletedConfig, rootClientBuilder, clientBuilder controller.ControllerClientBuilder, stop <-chan struct{}) (ControllerContext, error) { +func CreateControllerContext(s *config.CompletedConfig, rootClientBuilder, clientBuilder clientbuilder.ControllerClientBuilder, stop <-chan struct{}) (ControllerContext, error) { versionedClient := rootClientBuilder.ClientOrDie("shared-informers") sharedInformers := informers.NewSharedInformerFactory(versionedClient, ResyncPeriod(s)()) 
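Review bot: `GetAvailableResources` and `CreateControllerContext` (the next hunk) both return an `error`, yet each obtains its client with `ClientOrDie` (`clientBuilder.ClientOrDie("controller-discovery")` and `rootClientBuilder.ClientOrDie("shared-informers")`). Going by the method's name, a credential or config failure terminates the process instead of reaching the caller. Now that the builder type comes from the reusable `k8s.io/controller-manager/pkg/clientbuilder` package, I would use the error-returning accessor, e.g. `client, err := clientBuilder.Client("controller-discovery")` followed by `if err != nil { return nil, err }`. Both function bodies continue outside their hunks, so this assumes nothing later relies on the fatal exit.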
@@ -556,7 +556,7 @@ func StartControllers(ctx ControllerContext, startSATokenController InitFunc, co // It cannot use the "normal" client builder, so it tracks its own. It must also avoid being included in the "normal" // init map so that it can always run first. type serviceAccountTokenControllerStarter struct { - rootClientBuilder controller.ControllerClientBuilder + rootClientBuilder clientbuilder.ControllerClientBuilder } func (c serviceAccountTokenControllerStarter) startServiceAccountTokenController(ctx ControllerContext) (http.Handler, bool, error) { diff --git a/pkg/controller/BUILD b/pkg/controller/BUILD index 2f93b6b1d3d..f7f4992af37 100644 --- a/pkg/controller/BUILD +++ b/pkg/controller/BUILD @@ -3,7 +3,6 @@ load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test") go_library( name = "go_default_library", srcs = [ - "client_builder.go", "client_builder_dynamic.go", "controller_ref_manager.go", "controller_utils.go", @@ -14,12 +13,9 @@ go_library( importpath = "k8s.io/kubernetes/pkg/controller", visibility = ["//visibility:public"], deps = [ - "//pkg/api/legacyscheme:go_default_library", "//pkg/api/v1/pod:go_default_library", - "//pkg/apis/core:go_default_library", "//pkg/apis/core/install:go_default_library", "//pkg/apis/core/validation:go_default_library", - "//pkg/serviceaccount:go_default_library", "//pkg/util/hash:go_default_library", "//pkg/util/taints:go_default_library", "//staging/src/k8s.io/api/apps/v1:go_default_library", @@ -28,7 +24,6 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/api/meta:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", 
@@ -39,19 +34,17 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/strategicpatch:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", "//staging/src/k8s.io/client-go/informers:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library", - "//staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", "//staging/src/k8s.io/client-go/metadata/metadatainformer:go_default_library", "//staging/src/k8s.io/client-go/rest:go_default_library", "//staging/src/k8s.io/client-go/tools/cache:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library", - "//staging/src/k8s.io/client-go/tools/watch:go_default_library", "//staging/src/k8s.io/client-go/transport:go_default_library", "//staging/src/k8s.io/client-go/util/retry:go_default_library", + "//staging/src/k8s.io/controller-manager/pkg/clientbuilder:go_default_library", "//vendor/github.com/golang/groupcache/lru:go_default_library", "//vendor/golang.org/x/oauth2:go_default_library", "//vendor/k8s.io/klog/v2:go_default_library", diff --git a/pkg/controller/client_builder_dynamic.go b/pkg/controller/client_builder_dynamic.go index e47cd841767..029ceb65800 100644 --- a/pkg/controller/client_builder_dynamic.go +++ b/pkg/controller/client_builder_dynamic.go @@ -24,7 +24,6 @@ import ( "time" "golang.org/x/oauth2" - v1authenticationapi "k8s.io/api/authentication/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/clock" 
@@ -34,6 +33,7 @@ import ( v1core "k8s.io/client-go/kubernetes/typed/core/v1" restclient "k8s.io/client-go/rest" "k8s.io/client-go/transport" + "k8s.io/controller-manager/pkg/clientbuilder" "k8s.io/klog/v2" utilpointer "k8s.io/utils/pointer" ) @@ -73,7 +73,7 @@ type DynamicControllerClientBuilder struct { clock clock.Clock } -func NewDynamicClientBuilder(clientConfig *restclient.Config, coreClient v1core.CoreV1Interface, ns string) ControllerClientBuilder { +func NewDynamicClientBuilder(clientConfig *restclient.Config, coreClient v1core.CoreV1Interface, ns string) clientbuilder.ControllerClientBuilder { builder := &DynamicControllerClientBuilder{ ClientConfig: clientConfig, CoreClient: coreClient, @@ -87,7 +87,7 @@ func NewDynamicClientBuilder(clientConfig *restclient.Config, coreClient v1core. } // this function only for test purpose, don't call it -func NewTestDynamicClientBuilder(clientConfig *restclient.Config, coreClient v1core.CoreV1Interface, ns string, expirationSeconds int64, leewayPercent int) ControllerClientBuilder { +func NewTestDynamicClientBuilder(clientConfig *restclient.Config, coreClient v1core.CoreV1Interface, ns string, expirationSeconds int64, leewayPercent int) clientbuilder.ControllerClientBuilder { builder := &DynamicControllerClientBuilder{ ClientConfig: clientConfig, CoreClient: coreClient, diff --git a/pkg/controller/serviceaccount/BUILD b/pkg/controller/serviceaccount/BUILD index 2c2fd81d877..addd82bbcdb 100644 --- a/pkg/controller/serviceaccount/BUILD +++ b/pkg/controller/serviceaccount/BUILD 
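Review bot: `NewTestDynamicClientBuilder` is an exported, test-only constructor in a non-test file, and it now returns the `clientbuilder.ControllerClientBuilder` type from the staged k8s.io/controller-manager module. Only the comment stops non-test callers from choosing their own `expirationSeconds` and `leewayPercent`, which presumably set the token lifetime and refresh leeway. The existing comment (`// this function only for test purpose, don't call it`) is not in godoc form; I would write `// NewTestDynamicClientBuilder is for tests only: it lets the caller override token expiration and refresh leeway.` `NewDynamicClientBuilder` in the previous hunk has no doc comment at all and should get one too. Both function bodies continue outside their hunks.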
@@ -26,6 +26,7 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/util/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/listers/core/v1:go_default_library", diff --git a/pkg/controller/serviceaccount/tokens_controller.go b/pkg/controller/serviceaccount/tokens_controller.go index f490ad23ab0..8ee524afee0 100644 --- a/pkg/controller/serviceaccount/tokens_controller.go +++ b/pkg/controller/serviceaccount/tokens_controller.go @@ -30,6 +30,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" + apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount" informers "k8s.io/client-go/informers/core/v1" clientset "k8s.io/client-go/kubernetes" listersv1 "k8s.io/client-go/listers/core/v1" @@ -699,7 +700,7 @@ func (e *TokensController) listTokenSecrets(serviceAccount *v1.ServiceAccount) ( for _, obj := range namespaceSecrets { secret := obj.(*v1.Secret) - if serviceaccount.IsServiceAccountToken(secret, serviceAccount) { + if apiserverserviceaccount.IsServiceAccountToken(secret, serviceAccount) { items = append(items, secret) } } diff --git a/pkg/serviceaccount/BUILD b/pkg/serviceaccount/BUILD index b6bc1740345..0eb22c82ed0 100644 --- a/pkg/serviceaccount/BUILD +++ b/pkg/serviceaccount/BUILD @@ -14,7 +14,6 @@ go_library( "legacy.go", "metrics.go", "openidmetadata.go", - "util.go", ], importpath = "k8s.io/kubernetes/pkg/serviceaccount", deps = [ 
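Review bot: In `listTokenSecrets`, the decision about which secrets belong to a service account is now delegated to `apiserverserviceaccount.IsServiceAccountToken`, and the call site does not state the matching rule it relies on. Going by the copy this commit deletes from pkg/serviceaccount/util.go, the helper compares the UID annotation only when it is non-empty, so a token secret without that annotation matches on name alone. The moved copy is not visible in this part of the patch, so I am assuming it is unchanged. I would add a comment above the call such as `// Matches on secret type and service account name; the UID annotation is only compared when present.` The same call in `getServiceAccountTokens` in plugin/pkg/admission/serviceaccount/admission.go deserves the same comment; the function body continues outside the hunk.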
@@ -25,7 +24,6 @@ go_library( "//staging/src/k8s.io/apiserver/pkg/audit:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/component-base/metrics:go_default_library", "//staging/src/k8s.io/component-base/metrics/legacyregistry:go_default_library", "//vendor/gopkg.in/square/go-jose.v2:go_default_library", @@ -53,7 +51,6 @@ go_test( "claims_test.go", "jwt_test.go", "openidmetadata_test.go", - "util_test.go", ], embed = [":go_default_library"], deps = [ diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go index af5210ccd83..eb993789681 100644 --- a/pkg/serviceaccount/claims.go +++ b/pkg/serviceaccount/claims.go @@ -108,7 +108,7 @@ type validator struct { var _ = Validator(&validator{}) -func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) { +func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims, privateObj interface{}) (*apiserverserviceaccount.ServiceAccountInfo, error) { private, ok := privateObj.(*privateClaims) if !ok { klog.Errorf("jwt validator expected private claim of type *privateClaims but got: %T", privateObj) @@ -198,7 +198,7 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims, } } - return &ServiceAccountInfo{ + return &apiserverserviceaccount.ServiceAccountInfo{ Namespace: private.Kubernetes.Namespace, Name: private.Kubernetes.Svcacct.Name, UID: private.Kubernetes.Svcacct.UID, diff --git a/pkg/serviceaccount/jwt.go b/pkg/serviceaccount/jwt.go index 441666ee668..a90e9076c13 100644 --- a/pkg/serviceaccount/jwt.go +++ b/pkg/serviceaccount/jwt.go 
@@ -35,6 +35,7 @@ import ( utilerrors "k8s.io/apimachinery/pkg/util/errors" "k8s.io/apiserver/pkg/audit" "k8s.io/apiserver/pkg/authentication/authenticator" + apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount" ) // ServiceAccountTokenGetter defines functions to retrieve a named service account and secret @@ -245,7 +246,7 @@ type Validator interface { // Validate validates a token and returns user information or an error. // Validator can assume that the issuer and signature of a token are already // verified when this function is called. - Validate(ctx context.Context, tokenData string, public *jwt.Claims, private interface{}) (*ServiceAccountInfo, error) + Validate(ctx context.Context, tokenData string, public *jwt.Claims, private interface{}) (*apiserverserviceaccount.ServiceAccountInfo, error) // NewPrivateClaims returns a struct that the authenticator should // deserialize the JWT payload into. The authenticator may then pass this // struct back to the Validator as the 'private' argument to a Validate() diff --git a/pkg/serviceaccount/legacy.go b/pkg/serviceaccount/legacy.go index 0f6cbfd034f..5cc838dd562 100644 --- a/pkg/serviceaccount/legacy.go +++ b/pkg/serviceaccount/legacy.go @@ -63,7 +63,7 @@ type legacyValidator struct { var _ = Validator(&legacyValidator{}) -func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) { +func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public *jwt.Claims, privateObj interface{}) (*apiserverserviceaccount.ServiceAccountInfo, error) { private, ok := privateObj.(*legacyPrivateClaims) if !ok { klog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj) 
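Review bot: The doc comment on `Validator.Validate` still promises only "user information", while the method now returns `*apiserverserviceaccount.ServiceAccountInfo` from another module, so implementers are not told which fields they must fill in. The `UserInfo()` method removed from pkg/serviceaccount/util.go in this commit attaches the pod name and UID extras only when both `PodName` and `PodUID` are non-empty. Assuming the moved copy behaves the same, a validator that sets just one of them silently drops the pod binding from the resulting identity. I would extend the comment with something like `// The returned ServiceAccountInfo must carry Namespace, Name and UID; PodName and PodUID must be set together or not at all.` The interface body continues outside the hunk.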
@@ -128,7 +128,7 @@ func (v *legacyValidator) Validate(ctx context.Context, tokenData string, public } } - return &ServiceAccountInfo{ + return &apiserverserviceaccount.ServiceAccountInfo{ Namespace: private.Namespace, Name: private.ServiceAccountName, UID: private.ServiceAccountUID, diff --git a/pkg/serviceaccount/util.go b/pkg/serviceaccount/util.go deleted file mode 100644 index 9f0a7a468b6..00000000000 --- a/pkg/serviceaccount/util.go +++ /dev/null 
@@ -1,81 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package serviceaccount
-
-import (
- "k8s.io/api/core/v1"
- apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
- "k8s.io/apiserver/pkg/authentication/user"
-)
-
-const (
- // PodNameKey is the key used in a user's "extra" to specify the pod name of
- // the authenticating request.
- PodNameKey = "authentication.kubernetes.io/pod-name"
- // PodUIDKey is the key used in a user's "extra" to specify the pod UID of
- // the authenticating request.
- PodUIDKey = "authentication.kubernetes.io/pod-uid"
-)
-
-// UserInfo returns a user.Info interface for the given namespace, service account name and UID
-func UserInfo(namespace, name, uid string) user.Info {
- return (&ServiceAccountInfo{
- Name: name,
- Namespace: namespace,
- UID: uid,
- }).UserInfo()
-}
-
-type ServiceAccountInfo struct {
- Name, Namespace, UID string
- PodName, PodUID string
-}
-
-func (sa *ServiceAccountInfo) UserInfo() user.Info {
- info := &user.DefaultInfo{
- Name: apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
- UID: sa.UID,
- Groups: apiserverserviceaccount.MakeGroupNames(sa.Namespace),
- }
- if sa.PodName != "" && sa.PodUID != "" {
- info.Extra = map[string][]string{
- PodNameKey: {sa.PodName},
- PodUIDKey: {sa.PodUID},
- }
- }
- return info
-}
-
-// IsServiceAccountToken returns true if the secret is a valid api token for the service account
-func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
- if secret.Type != v1.SecretTypeServiceAccountToken {
- return false
- }
-
- name := secret.Annotations[v1.ServiceAccountNameKey]
- uid := secret.Annotations[v1.ServiceAccountUIDKey]
- if name != sa.Name {
- // Name must match
- return false
- }
- if len(uid) > 0 && uid != string(sa.UID) {
- // If UID is specified, it must match
- return false
- }
-
- return true
-}
diff --git a/pkg/serviceaccount/util_test.go b/pkg/serviceaccount/util_test.go
deleted file mode 100644
index 75db30cf489..00000000000
--- a/pkg/serviceaccount/util_test.go
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package serviceaccount
-
-import (
- "testing"
-
- "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-func TestIsServiceAccountToken(t *testing.T) {
-
- secretIns := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "token-secret-1",
- Namespace: "default",
- UID: "23456",
- ResourceVersion: "1",
- Annotations: map[string]string{
- v1.ServiceAccountNameKey: "default",
- v1.ServiceAccountUIDKey: "12345",
- },
- },
- Type: v1.SecretTypeServiceAccountToken,
- Data: map[string][]byte{
- "token": []byte("ABC"),
- "ca.crt": []byte("CA Data"),
- "namespace": []byte("default"),
- },
- }
-
- secretTypeMistmatch := &v1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "token-secret-2",
- Namespace: "default",
- UID: "23456",
- ResourceVersion: "1",
- Annotations: map[string]string{
- v1.ServiceAccountNameKey: "default",
- v1.ServiceAccountUIDKey: "12345",
- },
- },
- Type: v1.SecretTypeOpaque,
- }
-
- saIns := &v1.ServiceAccount{
- ObjectMeta: metav1.ObjectMeta{
- Name: "default",
- UID: "12345",
- Namespace: "default",
- ResourceVersion: "1",
- },
- }
-
- saInsNameNotEqual := &v1.ServiceAccount{
- ObjectMeta: metav1.ObjectMeta{
- Name: "non-default",
- UID: "12345",
- Namespace: "default",
- ResourceVersion: "1",
- },
- }
-
- saInsUIDNotEqual := &v1.ServiceAccount{
- ObjectMeta: metav1.ObjectMeta{
- Name: "default",
- UID: "67890",
- Namespace: "default",
- ResourceVersion: "1",
- },
- }
-
- tests := map[string]struct {
- secret *v1.Secret
- sa *v1.ServiceAccount
- expect bool
- }{
- "correct service account": {
- secret: secretIns,
- sa: saIns,
- expect: true,
- },
- "service account name not equal": {
- secret: secretIns,
- sa: saInsNameNotEqual,
- expect: false,
- },
- "service account uid not equal": {
- secret: secretIns,
- sa: saInsUIDNotEqual,
- expect: false,
- },
- "service account type not equal": {
- secret: secretTypeMistmatch,
- sa: saIns,
- expect: false,
- },
- }
-
- for k, v := range tests {
- actual := IsServiceAccountToken(v.secret, v.sa)
- if actual != v.expect {
- t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
- }
- }
-
-}
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/BUILD b/plugin/pkg/admission/security/podsecuritypolicy/BUILD
index fd057d7b2e3..cc46abd64bf 100644
--- a/plugin/pkg/admission/security/podsecuritypolicy/BUILD
+++ b/plugin/pkg/admission/security/podsecuritypolicy/BUILD
@@ -17,13 +17,13 @@ go_library(
 "//pkg/registry/rbac:go_default_library",
 "//pkg/security/podsecuritypolicy:go_default_library",
 "//pkg/security/podsecuritypolicy/util:go_default_library",
- "//pkg/serviceaccount:go_default_library",
 "//staging/src/k8s.io/api/policy/v1beta1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/labels:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
 "//staging/src/k8s.io/client-go/informers:go_default_library",
diff --git a/plugin/pkg/admission/security/podsecuritypolicy/admission.go b/plugin/pkg/admission/security/podsecuritypolicy/admission.go index e1edb1159a2..ef4966a4a35 100644 --- a/plugin/pkg/admission/security/podsecuritypolicy/admission.go +++ b/plugin/pkg/admission/security/podsecuritypolicy/admission.go @@ -31,6 +31,7 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apiserver/pkg/admission" genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer" + "k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/client-go/informers" @@ -41,7 +42,6 @@ import ( rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" psp "k8s.io/kubernetes/pkg/security/podsecuritypolicy" psputil "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util" - "k8s.io/kubernetes/pkg/serviceaccount" ) // PluginName is a string with the name of the plugin diff --git a/plugin/pkg/admission/serviceaccount/BUILD b/plugin/pkg/admission/serviceaccount/BUILD index 88639322e49..bb035df4589 100644 --- a/plugin/pkg/admission/serviceaccount/BUILD +++ b/plugin/pkg/admission/serviceaccount/BUILD @@ -26,6 +26,7 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission:go_default_library", "//staging/src/k8s.io/apiserver/pkg/admission/initializer:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", "//staging/src/k8s.io/apiserver/pkg/storage/names:go_default_library", "//staging/src/k8s.io/client-go/informers:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library", diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go index 2b85ddd3f18..6a003f75e0a 100644 --- a/plugin/pkg/admission/serviceaccount/admission.go +++ b/plugin/pkg/admission/serviceaccount/admission.go 
@@ -33,6 +33,7 @@ import ( "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apiserver/pkg/admission" genericadmissioninitializer "k8s.io/apiserver/pkg/admission/initializer" + apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/storage/names" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" @@ -366,7 +367,7 @@ func (s *Plugin) getServiceAccountTokens(serviceAccount *corev1.ServiceAccount) continue } - if serviceaccount.IsServiceAccountToken(secret, serviceAccount) { + if apiserverserviceaccount.IsServiceAccountToken(secret, serviceAccount) { tokens = append(tokens, secret) } } diff --git a/staging/src/k8s.io/apiserver/go.sum b/staging/src/k8s.io/apiserver/go.sum index 9d1fb784127..c52378bc583 100644 --- a/staging/src/k8s.io/apiserver/go.sum +++ b/staging/src/k8s.io/apiserver/go.sum @@ -53,6 +53,7 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa h1:OaNxuTZr github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM= github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0 h1:3Jm3tLmsgAYcjC+4Up7hJrFBPr+n7rAqYeSw/SZazuY= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0 h1:wkHLiw0WNATZnSG7epLsujiMCgPAc9xhjJ4tgnAxmfM= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= 
@@ -70,6 +71,7 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumC github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= @@ -102,6 +104,7 @@ github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDB github.com/go-openapi/jsonpointer v0.19.3 h1:gihV7YNZK1iK6Tgwwsxo2rJbD1GTbdm72325Bq8FI3w= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2 h1:o20suLFB4Ri0tuzpWtyHlh7E7HnkqTNLq6aR6WVNS1w= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3 h1:5cxNfTy0UVC3X8JL5ymxzyoUZmo8iZb+jeTWn7tUa8o= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= 
@@ -163,6 +166,7 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I= github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c h1:Lh2aW+HnU2Nbe1gqD9SOJLJxW1jBMmQOktN2acDyJk8= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0 h1:WDFjx/TMzVgy9VdMMQi2K2Emtwi2QcUQsztZ/zLaH/Q= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= 
@@ -207,12 +211,14 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e h1:hB2xlXdHp/pmPZq0y3QnmWAArdw9PqbmotexnWx/FU8= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.0 h1:aizVhC/NAAcKWb+5QsU1iNOZb4Yws5UO2I+aIprQITM= github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= 
@@ -285,6 +291,7 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8 h1:ndzgwNDnKIqyCvHTXaCqh9KlOWKvBry6nuXMJmonVsE= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 h1:LnC5Kc/wtumK+WB441p7ynQJzVuNRJiqddSIE3IlSEQ= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= @@ -300,6 +307,7 @@ go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3C go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2 h1:2Oa65PReHzfn29GpvgsYwloV9AVFHPDk8tYxt2c2tr4= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= 
@@ -446,6 +454,7 @@ google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRn google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/BUILD index 5fdc43113c4..4c9de2e6fce 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/BUILD @@ -10,6 +10,10 @@ go_test( name = "go_default_test", srcs = ["util_test.go"], embed = [":go_default_library"], + deps = [ + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + ], ) go_library( 
@@ -17,7 +21,15 @@ go_library( srcs = ["util.go"], importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/serviceaccount", importpath = "k8s.io/apiserver/pkg/authentication/serviceaccount", - deps = ["//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library"], + deps = [ + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/api/validation:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", + "//vendor/k8s.io/klog/v2:go_default_library", + ], ) filegroup( diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go index d4e2162fa52..f0dc0767639 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go @@ -17,10 +17,18 @@ limitations under the License. package serviceaccount import ( + "context" "fmt" "strings" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apiserver/pkg/authentication/user" + v1core "k8s.io/client-go/kubernetes/typed/core/v1" + + "k8s.io/klog/v2" ) const ( 
@@ -28,6 +36,12 @@ const ( ServiceAccountUsernameSeparator = ":" ServiceAccountGroupPrefix = "system:serviceaccounts:" AllServiceAccountsGroup = "system:serviceaccounts" + // PodNameKey is the key used in a user's "extra" to specify the pod name of + // the authenticating request. + PodNameKey = "authentication.kubernetes.io/pod-name" + // PodUIDKey is the key used in a user's "extra" to specify the pod UID of + // the authenticating request. + PodUIDKey = "authentication.kubernetes.io/pod-uid" ) // MakeUsername generates a username from the given namespace and ServiceAccount name. 
@@ -92,3 +106,78 @@ func MakeGroupNames(namespace string) []string { func MakeNamespaceGroupName(namespace string) string { return ServiceAccountGroupPrefix + namespace } + +// UserInfo returns a user.Info interface for the given namespace, service account name and UID +func UserInfo(namespace, name, uid string) user.Info { + return (&ServiceAccountInfo{ + Name: name, + Namespace: namespace, + UID: uid, + }).UserInfo() +} + +type ServiceAccountInfo struct { + Name, Namespace, UID string + PodName, PodUID string +} + +func (sa *ServiceAccountInfo) UserInfo() user.Info { + info := &user.DefaultInfo{ + Name: MakeUsername(sa.Namespace, sa.Name), + UID: sa.UID, + Groups: MakeGroupNames(sa.Namespace), + } + if sa.PodName != "" && sa.PodUID != "" { + info.Extra = map[string][]string{ + PodNameKey: {sa.PodName}, + PodUIDKey: {sa.PodUID}, + } + } + return info +} + +// IsServiceAccountToken returns true if the secret is a valid api token for the service account +func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool { + if secret.Type != v1.SecretTypeServiceAccountToken { + return false + } + + name := secret.Annotations[v1.ServiceAccountNameKey] + uid := secret.Annotations[v1.ServiceAccountUIDKey] + if name != sa.Name { + // Name must match + return false + } + if len(uid) > 0 && uid != string(sa.UID) { + // If UID is specified, it must match + return false + } + + return true +} + +func GetOrCreateServiceAccount(coreClient v1core.CoreV1Interface, namespace, name string) (*v1.ServiceAccount, error) { + sa, err := coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + if err == nil { + return sa, nil + } + if !apierrors.IsNotFound(err) { + return nil, err + } + + // Create the namespace if we can't verify it exists. + // Tolerate errors, since we don't know whether this component has namespace creation permissions. 
+ if _, err := coreClient.Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{}); apierrors.IsNotFound(err) { + if _, err = coreClient.Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}, metav1.CreateOptions{}); err != nil && !apierrors.IsAlreadyExists(err) { + klog.Warningf("create non-exist namespace %s failed:%v", namespace, err) + } + } + + // Create the service account + sa, err = coreClient.ServiceAccounts(namespace).Create(context.TODO(), &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: name}}, metav1.CreateOptions{}) + if apierrors.IsAlreadyExists(err) { + // If we're racing to init and someone else already created it, re-fetch + return coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + } + return sa, err +} diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util_test.go index 91c8cb0ddd8..50a7eb97b1f 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util_test.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount/util_test.go @@ -16,7 +16,12 @@ limitations under the License. package serviceaccount -import "testing" +import ( + "testing" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) func TestMakeUsername(t *testing.T) { 
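Review bot: `IsServiceAccountToken` compares only the secret type and the name and UID annotations; it never compares `secret.Namespace` with `sa.Namespace`, and a secret with no UID annotation matches on name alone. Now that the helper is exported from `k8s.io/apiserver/pkg/authentication/serviceaccount`, that precondition should be part of its documented contract, e.g. `// The caller must pass only secrets from the service account's own namespace; the namespace is not compared here.` If every caller already lists secrets per namespace, adding `if secret.Namespace != sa.Namespace { return false }` after the type check would enforce it instead. In the same hunk the exported `GetOrCreateServiceAccount`, `ServiceAccountInfo` and its `UserInfo` method have no doc comments. The comment on `GetOrCreateServiceAccount` should state that it may create the namespace as well as the service account, and that every call uses `context.TODO()`, so callers cannot cancel or bound it.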
@@ -118,3 +123,101 @@ func TestMatchUsername(t *testing.T) { }) } } + +func TestIsServiceAccountToken(t *testing.T) { + + secretIns := &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "token-secret-1", + Namespace: "default", + UID: "23456", + ResourceVersion: "1", + Annotations: map[string]string{ + v1.ServiceAccountNameKey: "default", + v1.ServiceAccountUIDKey: "12345", + }, + }, + Type: v1.SecretTypeServiceAccountToken, + Data: map[string][]byte{ + "token": []byte("ABC"), + "ca.crt": []byte("CA Data"), + "namespace": []byte("default"), + }, + } + + secretTypeMistmatch := &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "token-secret-2", + Namespace: "default", + UID: "23456", + ResourceVersion: "1", + Annotations: map[string]string{ + v1.ServiceAccountNameKey: "default", + v1.ServiceAccountUIDKey: "12345", + }, + }, + Type: v1.SecretTypeOpaque, + } + + saIns := &v1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + UID: "12345", + Namespace: "default", + ResourceVersion: "1", + }, + } + + saInsNameNotEqual := &v1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: "non-default", + UID: "12345", + Namespace: "default", + ResourceVersion: "1", + }, + } + + saInsUIDNotEqual := &v1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: "default", + UID: "67890", + Namespace: "default", + ResourceVersion: "1", + }, + } + + tests := map[string]struct { + secret *v1.Secret + sa *v1.ServiceAccount + expect bool + }{ + "correct service account": { + secret: secretIns, + sa: saIns, + expect: true, + }, + "service account name not equal": { + secret: secretIns, + sa: saInsNameNotEqual, + expect: false, + }, + "service account uid not equal": { + secret: secretIns, + sa: saInsUIDNotEqual, + expect: false, + }, + "service account type not equal": { + secret: secretTypeMistmatch, + sa: saIns, + expect: false, + }, + } + + for k, v := range tests { + actual := IsServiceAccountToken(v.secret, v.sa) + if actual != v.expect { + t.Errorf("%s 
failed, expected %t but received %t", k, v.expect, actual) + } + } + +} diff --git a/staging/src/k8s.io/cli-runtime/go.sum b/staging/src/k8s.io/cli-runtime/go.sum index 3d4268ea334..d9f339706a4 100644 --- a/staging/src/k8s.io/cli-runtime/go.sum +++ b/staging/src/k8s.io/cli-runtime/go.sum @@ -97,6 +97,7 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= @@ -130,6 +131,7 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 
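Review bot: The table in `TestIsServiceAccountToken` never exercises a secret that has no `v1.ServiceAccountUIDKey` annotation, which is the branch where `IsServiceAccountToken` accepts a match on name alone. A further entry using a secret annotated only with `v1.ServiceAccountNameKey: "default"`, checked against `saInsUIDNotEqual` and expecting `true`, would pin that behaviour so a later change to the UID rule is caught. Running each case through `t.Run(k, func(t *testing.T) { ... })` would report failures per case, which appears to be the style of `TestMatchUsername` just above. `secretTypeMistmatch` is presumably meant to read `secretTypeMismatch`, and the case name "service account type not equal" actually varies the secret type.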
@@ -142,6 +144,7 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmg github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= diff --git a/staging/src/k8s.io/controller-manager/BUILD b/staging/src/k8s.io/controller-manager/BUILD index 2c60d6ad161..18496298452 100644 --- a/staging/src/k8s.io/controller-manager/BUILD +++ b/staging/src/k8s.io/controller-manager/BUILD @@ -26,6 +26,7 @@ filegroup( "//staging/src/k8s.io/controller-manager/app:all-srcs", "//staging/src/k8s.io/controller-manager/config:all-srcs", "//staging/src/k8s.io/controller-manager/options:all-srcs", + "//staging/src/k8s.io/controller-manager/pkg/clientbuilder:all-srcs", "//staging/src/k8s.io/controller-manager/pkg/features:all-srcs", ], tags = ["automanaged"], diff --git a/staging/src/k8s.io/controller-manager/go.mod b/staging/src/k8s.io/controller-manager/go.mod index f4d84300504..320b88026f9 100644 --- a/staging/src/k8s.io/controller-manager/go.mod +++ b/staging/src/k8s.io/controller-manager/go.mod @@ -7,6 +7,7 @@ go 1.15 require ( github.com/spf13/pflag v1.0.5 github.com/stretchr/testify v1.4.0 + k8s.io/api v0.0.0 k8s.io/apimachinery v0.0.0 k8s.io/apiserver v0.0.0 k8s.io/client-go v0.0.0 diff --git a/staging/src/k8s.io/controller-manager/pkg/clientbuilder/BUILD b/staging/src/k8s.io/controller-manager/pkg/clientbuilder/BUILD new file mode 100644 index 00000000000..f774b3c2caf 
--- /dev/null +++ b/staging/src/k8s.io/controller-manager/pkg/clientbuilder/BUILD @@ -0,0 +1,41 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["client_builder.go"], + importmap = "k8s.io/kubernetes/vendor/k8s.io/controller-manager/pkg/clientbuilder", + importpath = "k8s.io/controller-manager/pkg/clientbuilder", + visibility = ["//visibility:public"], + deps = [ + "//staging/src/k8s.io/api/authentication/v1:go_default_library", + "//staging/src/k8s.io/api/core/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/fields:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", + "//staging/src/k8s.io/apimachinery/pkg/watch:go_default_library", + "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/scheme:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/typed/authentication/v1:go_default_library", + "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", + "//staging/src/k8s.io/client-go/rest:go_default_library", + "//staging/src/k8s.io/client-go/tools/cache:go_default_library", + "//staging/src/k8s.io/client-go/tools/watch:go_default_library", + "//vendor/k8s.io/klog/v2:go_default_library", + ], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) 
diff --git a/pkg/controller/client_builder.go b/staging/src/k8s.io/controller-manager/pkg/clientbuilder/client_builder.go similarity index 85% rename from pkg/controller/client_builder.go rename to staging/src/k8s.io/controller-manager/pkg/clientbuilder/client_builder.go index c2e1718d31a..add180c7046 100644 --- a/pkg/controller/client_builder.go +++ b/staging/src/k8s.io/controller-manager/pkg/clientbuilder/client_builder.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package controller +package clientbuilder import ( "context" @@ -30,15 +30,18 @@ import ( "k8s.io/apimachinery/pkg/watch" apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount" clientset "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" v1authentication "k8s.io/client-go/kubernetes/typed/authentication/v1" v1core "k8s.io/client-go/kubernetes/typed/core/v1" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/cache" watchtools "k8s.io/client-go/tools/watch" "k8s.io/klog/v2" - "k8s.io/kubernetes/pkg/api/legacyscheme" - api "k8s.io/kubernetes/pkg/apis/core" - "k8s.io/kubernetes/pkg/serviceaccount" +) + +const ( + // SecretTypeField is copied from pkg/apis/cores/field_constants.go + SecretTypeField = "type" ) // ControllerClientBuilder allows you to get clients and configs for controllers 
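Review bot: `SecretTypeField` is introduced as an exported constant of the new `clientbuilder` package, although the only use visible in this diff is the field selector inside `SAControllerClientBuilder.Config`. Exporting a copied constant gives the staging module a second public name for the same selector key, and the two can drift apart. Unless another package needs it, declare it as `secretTypeField = "type"` and update the selector accordingly. The path in its comment, `pkg/apis/cores/field_constants.go`, looks like a typo for `pkg/apis/core/...`, given that the removed import is `k8s.io/kubernetes/pkg/apis/core`.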
@@ -57,11 +60,14 @@ type SimpleControllerClientBuilder struct { ClientConfig *restclient.Config } +// Config returns a client config for a fixed client func (b SimpleControllerClientBuilder) Config(name string) (*restclient.Config, error) { clientConfig := *b.ClientConfig return restclient.AddUserAgent(&clientConfig, name), nil } +// ConfigOrDie returns a client config if no error from previous config func. +// If it gets an error getting the client, it will log the error and kill the process it's running in. func (b SimpleControllerClientBuilder) ConfigOrDie(name string) *restclient.Config { clientConfig, err := b.Config(name) if err != nil { @@ -70,6 +76,7 @@ func (b SimpleControllerClientBuilder) ConfigOrDie(name string) *restclient.Conf return clientConfig } +// Client returns a clientset.Interface built from the ClientBuilder func (b SimpleControllerClientBuilder) Client(name string) (clientset.Interface, error) { clientConfig, err := b.Config(name) if err != nil { @@ -78,6 +85,8 @@ func (b SimpleControllerClientBuilder) Client(name string) (clientset.Interface, return clientset.NewForConfig(clientConfig) } +// ClientOrDie returns a clientset.interface built from the ClientBuilder with no error. +// If it gets an error getting the client, it will log the error and kill the process it's running in. func (b SimpleControllerClientBuilder) ClientOrDie(name string) clientset.Interface { client, err := b.Client(name) if err != nil { 
@@ -105,17 +114,17 @@ type SAControllerClientBuilder struct { Namespace string } -// config returns a complete clientConfig for constructing clients. This is separate in anticipation of composition +// Config returns a complete clientConfig for constructing clients. This is separate in anticipation of composition // which means that not all clientsets are known here func (b SAControllerClientBuilder) Config(name string) (*restclient.Config, error) { - sa, err := getOrCreateServiceAccount(b.CoreClient, b.Namespace, name) + sa, err := apiserverserviceaccount.GetOrCreateServiceAccount(b.CoreClient, b.Namespace, name) if err != nil { return nil, err } var clientConfig *restclient.Config fieldSelector := fields.SelectorFromSet(map[string]string{ - api.SecretTypeField: string(v1.SecretTypeServiceAccountToken), + SecretTypeField: string(v1.SecretTypeServiceAccountToken), }).String() lw := &cache.ListWatch{ ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { @@ -142,7 +151,7 @@ func (b SAControllerClientBuilder) Config(name string) (*restclient.Config, erro if !ok { return false, fmt.Errorf("unexpected object type: %T", event.Object) } - if !serviceaccount.IsServiceAccountToken(secret, sa) { + if !apiserverserviceaccount.IsServiceAccountToken(secret, sa) { return false, nil } if len(secret.Data[v1.ServiceAccountTokenKey]) == 0 { @@ -202,7 +211,7 @@ func (b SAControllerClientBuilder) getAuthenticatedConfig(sa *v1.ServiceAccount, // If we couldn't run the token review, the API might be disabled or we might not have permission. // Try to make a request to /apis with the token. If we get a 401 we should consider the token invalid. clientConfigCopy := *clientConfig - clientConfigCopy.NegotiatedSerializer = legacyscheme.Codecs + clientConfigCopy.NegotiatedSerializer = scheme.Codecs client, err := restclient.UnversionedRESTClientFor(&clientConfigCopy) if err != nil { return nil, false, err 
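Review bot: The switch from `legacyscheme.Codecs` to `scheme.Codecs` in `getAuthenticatedConfig` (third hunk here) has no comment explaining why the two are interchangeable, and it is the one substitution in this move that is not a pure import rename. It sits on the fallback path that decides whether a service-account token is treated as valid. If the reasoning is that the probe only issues an unversioned request and inspects the status, a short comment would record it, e.g. `// scheme.Codecs suffices: the /apis probe only needs a serializer to build the request; no internal types are decoded.` A unit test covering the 401 and non-401 outcomes of this fallback would guard against regressions. The function body starts and ends outside the hunk, so that reasoning could not be confirmed from here.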
@@ -216,6 +225,8 @@ func (b SAControllerClientBuilder) getAuthenticatedConfig(sa *v1.ServiceAccount, return clientConfig, true, nil } +// ConfigOrDie returns clientConfig for constructing clients. +// If it gets an error, it will log the error and kill the process it's running in. func (b SAControllerClientBuilder) ConfigOrDie(name string) *restclient.Config { clientConfig, err := b.Config(name) if err != nil { @@ -224,6 +235,7 @@ func (b SAControllerClientBuilder) ConfigOrDie(name string) *restclient.Config { return clientConfig } +// Client returns clientset.Interface built from ClientBuilder func (b SAControllerClientBuilder) Client(name string) (clientset.Interface, error) { clientConfig, err := b.Config(name) if err != nil { @@ -232,6 +244,8 @@ func (b SAControllerClientBuilder) Client(name string) (clientset.Interface, err return clientset.NewForConfig(clientConfig) } +// ClientOrDie will return clientset.Interface built from ClientBuilder. +// If it gets an error getting the client, it will log the error and kill the process it's running in. func (b SAControllerClientBuilder) ClientOrDie(name string) clientset.Interface { client, err := b.Client(name) if err != nil { diff --git a/staging/src/k8s.io/sample-cli-plugin/go.sum b/staging/src/k8s.io/sample-cli-plugin/go.sum index 3d4268ea334..d9f339706a4 100644 --- a/staging/src/k8s.io/sample-cli-plugin/go.sum +++ b/staging/src/k8s.io/sample-cli-plugin/go.sum 
@@ -97,6 +97,7 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= @@ -130,6 +131,7 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= 
@@ -142,6 +144,7 @@ github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmg github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= diff --git a/vendor/modules.txt b/vendor/modules.txt index bbd9c599cb7..30af14b6f34 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2195,6 +2195,7 @@ k8s.io/controller-manager/app k8s.io/controller-manager/config k8s.io/controller-manager/config/v1alpha1 k8s.io/controller-manager/options +k8s.io/controller-manager/pkg/clientbuilder k8s.io/controller-manager/pkg/features k8s.io/controller-manager/pkg/features/register # k8s.io/cri-api v0.0.0 => ./staging/src/k8s.io/cri-api