Commit Graph

87 Commits

Author SHA1 Message Date
Eric Chiang
f719b2670c bootstrap token auth: don't accept deleted tokens 2017-07-17 15:22:18 -07:00
Eric Chiang
f5fa115536 kube-apiserver: improve bootstrap token authentication error messages 2017-04-25 12:59:48 -07:00
Mike Danese
a05c3c0efd autogenerated 2017-04-14 10:40:57 -07:00
Joe Beda
c46d6bb825
Use constant time compare for bootstrap tokens
Signed-off-by: Joe Beda <joe.github@bedafamily.com>
2017-03-14 14:06:33 +00:00
Eric Chiang
a0df658b20 kube-apiserver: add a bootstrap token authenticator for TLS bootstrapping 2017-02-21 08:43:55 -08:00
Dr. Stefan Schimanski
4077e0bba7 genericapiserver: move authn plugins into k8s.io/apiserver 2017-01-24 20:56:03 +01:00
deads2k
5a8f075197 move authoritative client-go utils out of pkg 2017-01-24 08:59:18 -05:00
Antoine Pelisse
62af7dd33d OWNERS: Update latest OWNERS files
These files have been created lately, so we don't have much information
about them anyway, so let's just:
- Remove assignees and make them approvers
- Copy approves as reviewers
2017-01-23 10:05:48 -08:00
deads2k
ee6752ef20 find and replace 2017-01-20 08:04:53 -05:00
Kubernetes Submit Queue
ac857a5ade Merge pull request #40106 from deads2k/client-09-switch
Automatic merge from submit-queue

make client-go more authoritative

Builds on https://github.com/kubernetes/kubernetes/pull/40103

This moves a few more support package to client-go for origination.  
 1. restclient/watch - nodep
 1. util/flowcontrol - used interface
 1. util/integer, util/clock - used in controllers and in support of util/flowcontrol
2017-01-19 06:34:49 -08:00
deads2k
cdb2934bbc remove kubernetes copy of clientcmd types 2017-01-19 07:39:19 -05:00
Dr. Stefan Schimanski
3d9449a353 genericapiserver: fix imports 2017-01-19 13:06:47 +01:00
deads2k
31b6ba4e94 mechanicals 2017-01-13 16:33:09 -05:00
deads2k
633e9d98fc use apimachinery packages instead of client-go packages 2017-01-13 14:04:54 -05:00
deads2k
f1176d9c5c mechanical repercussions 2017-01-13 08:27:14 -05:00
deads2k
c4fae4e690 mechanical repercussions 2017-01-11 15:20:36 -05:00
deads2k
5280c8d3ac moves of genericapiserver packages without dependencies 2017-01-11 15:06:38 -05:00
deads2k
6a4d5cd7cc start the apimachinery repo 2017-01-11 09:09:48 -05:00
deads2k
1df5b658f2 switch webhook to clientgo 2017-01-09 16:53:24 -05:00
Jeff Grafton
20d221f75c Enable auto-generating sources rules 2017-01-05 14:14:13 -08:00
deads2k
4d7fcae85a mechanicals 2017-01-05 11:14:27 -05:00
deads2k
ca58ec0237 mechanical changes for move 2017-01-04 10:27:05 -05:00
Kubernetes Submit Queue
016133cf7d Merge pull request #36087 from ericchiang/plugin-auth-oidc-verify-email
Automatic merge from submit-queue

oidc auth-n plugin: enforce email_verified claim

This change causes the OpenID Connect authenticator to start
enforcing the 'email_verified' claim.

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

If the OIDC authenticator uses the 'email' claim as a user's username
and the 'email_verified' is not set to `true`, reject that authentication attempt.

cc @erictune @kubernetes/sig-auth @mlbiam

```release-note
When using OIDC authentication and specifying --oidc-username-claim=email, an `"email_verified":true` claim must be returned from the identity provider.
```
2017-01-04 00:50:31 -08:00
Mike Danese
161c391f44 autogenerated 2016-12-29 13:04:10 -08:00
Chao Xu
03d8820edc rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
Mike Danese
c87de85347 autoupdate BUILD files 2016-12-12 13:30:07 -08:00
Eric Chiang
778812f63b oidc auth-n plugin: enforce email_verified claim
This change causes the OpenID Connect authenticator to start
enforcing the 'email_verified' claim.

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

If the OIDC authenticator uses the 'email' claim as a user's password
and the 'email_verified' holds the value false, reject that
authentication attempt.

If 'email_verified' is true or not present, continue as before.
2016-12-09 14:22:17 -08:00
xilabao
79b525e5a4 auth duplicate detect, add warning message 2016-12-07 09:06:39 +08:00
Clayton Coleman
3454a8d52c
refactor: update bazel, codec, and gofmt 2016-12-03 19:10:53 -05:00
Clayton Coleman
5df8cc39c9
refactor: generated 2016-12-03 19:10:46 -05:00
Clayton Coleman
35a6bfbcee
generated: refactor 2016-11-23 22:30:47 -06:00
Chao Xu
bcc783c594 run hack/update-all.sh 2016-11-23 15:53:09 -08:00
Chao Xu
b9e3ffb515 misc 2016-11-23 15:53:09 -08:00
Chao Xu
850729bfaf include multiple versions in clientset
update client-gen to use the term "internalversion" rather than "unversioned";
leave internal one unqualified;
cleanup client-gen
2016-10-29 13:30:47 -07:00
Mike Danese
3b6a067afc autogenerated 2016-10-21 17:32:32 -07:00
Jedrzej Nowak
d2161c21d7 Fix typos and englishify plugin/pkg 2016-10-04 17:51:14 +02:00
deads2k
5080a575ad add anytoken authenticator 2016-09-29 14:14:06 -04:00
Eric Chiang
065ddab5d1 oidc authenticator: allow string value as groups claim
Allow the group claim to be a single string instead of an array of
strings. This means the following claim

    {
      "role": "admin"
    }

Will be mapped to the groups

   ["admin"]
2016-09-22 14:23:56 -07:00
Kubernetes Submit Queue
5af04d1dd1 Merge pull request #32876 from errordeveloper/more-cert-utils
Automatic merge from submit-queue

Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use

**What this PR does / why we need it**:

We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.

**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).

**Release note**:

```release-note
NONE
```
2016-09-22 01:29:46 -07:00
Davanum Srinivas
25d4a70827 Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the api server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
2016-09-20 10:42:21 -04:00
Ilya Dmitrichenko
386fae4592
Refactor utils that deal with certs
- merge `pkg/util/{crypto,certificates}`
- add funcs from `github.com/kubernetes-incubator/bootkube/pkg/tlsutil`
- ensure naming of funcs is fairly consistent
2016-09-19 09:03:42 +01:00
Kubernetes Submit Queue
dbdaf2c22b Merge pull request #32597 from liggitt/webhook-re-refactor
Automatic merge from submit-queue

Revert "Revert "Allow webhook authenticator to use TokenReviewsInterface""

Reverts https://github.com/kubernetes/kubernetes/pull/32591 (commit 0a02c8275d)
Readds https://github.com/kubernetes/kubernetes/pull/32547

Holding until GKE webhook authenticator is updated by @cjcullen
2016-09-15 03:56:10 -07:00
Kubernetes Submit Queue
4135988880 Merge pull request #32589 from ericchiang/add-ericchiang-to-owners
Automatic merge from submit-queue

plugin/pkg: add ericchiang to owners for OpenID Connect plugins

On the CoreOS side I'm taking over these components.

@erictune has suggested `pkg/registry/{cluster}role{binding}s/OWNERS` as well but I'd feel more comfortable as a reviewer for those specific parts of RBAC for a couple more cycles since @liggitt and @deads2k have had way more experience in the registry code.

Beyond that the only existing OWNERS files for auth are `pkg/auth/OWNERS` and `plugin/pkg/auth/OWNERS` both of which include @liggitt and @erictune. There's also nothing in the `plugin/pkg/client` path. I'm a little unclear on the implications for future PRs that are assigned to me (e.g. webhook or RBAC reviews).

cc @kubernetes/sig-auth
2016-09-14 13:10:33 -07:00
Jordan Liggitt
52c3081f6f
Revert "Revert "Allow webhook authenticator to use TokenReviewsInterface""
This reverts commit 0a02c8275d.
2016-09-13 16:23:17 -04:00
Joe Finney
0a02c8275d Revert "Allow webhook authenticator to use TokenReviewsInterface"
This reverts commit e9914f2c4a.
2016-09-13 11:48:43 -07:00
Eric Chiang
26830b8db9 plugin/pkg: add ericchiang to owners for OpenID Connect plugins 2016-09-13 11:14:16 -07:00
Jordan Liggitt
e9914f2c4a
Allow webhook authenticator to use TokenReviewsInterface 2016-09-13 00:42:02 -04:00
Kubernetes Submit Queue
5230bb7a8e Merge pull request #29860 from ericchiang/fix-openid-connect-provider-with-trailing-slash
Automatic merge from submit-queue

oidc authentication plugin: don't trim issuer URLs with trailing slashes

The issuer URL passed to the plugin must identically match the issuer
URL returned by OpenID Connect discovery. However, the plugin currently
trims all trailing slashes from issuer URLs, causing a mismatch. Since
the go-oidc client already handles this case correctly, don't trim the
path.

Closes #29749

cc @hanikesn @kubernetes/sig-auth
2016-08-04 16:25:49 -07:00
deads2k
60dd4a5d26 interesting changes to add tokenreviews endpoint to implement webhook 2016-08-03 08:37:45 -04:00
Eric Chiang
bc3dc12203 oidc authentication plugin: don't trim issuer URLs with trailing slashes
The issuer URL passed to the plugin must identically match the issuer
URL returned by OpenID Connect discovery. However, the plugin currently
trims all trailing slashes from issuer URLs, causing a mismatch. Since
the go-oidc client already handles this case correctly, don't trim the
path.
2016-08-01 11:23:05 -07:00