github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

default api audiences to service account token issuer if available

Browse Source 
This is a sane default that users can choose to migrate away from later.
This commit is contained in:
Mike Danese
2018-10-26 15:11:41 -07:00
parent a8934ff6fb
commit a13b48de94
3 changed files with 20 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/kubeapiserver/options/authentication.go
View File

@@ -26,6 +26,7 @@ import (
"github.com/spf13/pflag"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver "k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options"
"k8s.io/apiserver/pkg/util/flag"
@@ -176,7 +177,9 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringSliceVar(&s.APIAudiences, "api-audiences", s.APIAudiences, ""+
"Identifiers of the API. The service account token authenticator will validate that "+
"tokens used against the API are bound to at least one of these audiences.")
"tokens used against the API are bound to at least one of these audiences. If the "+
"--service-account-issuer flag is configured and this flag is not, this field "+
"defaults to a single element list containing the issuer URL .")
if s.Anonymous != nil {
fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
@@ -327,11 +330,14 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
}
ret.APIAudiences = s.APIAudiences
if s.ServiceAccounts != nil {
if s.ServiceAccounts.Issuer != "" && len(s.APIAudiences) == 0 {
ret.APIAudiences = authenticator.Audiences{s.ServiceAccounts.Issuer}
}
ret.ServiceAccountKeyFiles = s.ServiceAccounts.KeyFiles
ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
ret.ServiceAccountIssuer = s.ServiceAccounts.Issuer
ret.APIAudiences = s.APIAudiences
ret.ServiceAccountLookup = s.ServiceAccounts.Lookup
}
if s.TokenFile != nil {
@@ -373,7 +379,11 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
}
c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
c.Authentication.APIAudiences = o.APIAudiences
if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}
}
return nil
}