Commit Graph

25 Commits

Author SHA1 Message Date
Jordan Liggitt
3c92eb75b3
Enable service account signing key rotation 2016-10-04 14:16:38 -04:00
Kubernetes Submit Queue
6a1622a723 Merge pull request #33785 from deads2k/api-16-pass-config-to-hook
Automatic merge from submit-queue

pass loopback config to poststart hooks

Updates post start hooks to take a clientconfig with the new loopback credentials for bootstrapping.

@ericchiang This is a little bit of plumbing, but mainly auth I think.
2016-10-01 10:27:04 -07:00
Kubernetes Submit Queue
30ca344361 Merge pull request #33565 from liggitt/ecdsa
Automatic merge from submit-queue

Add ECDSA support for service account tokens

Fixes #28180

```release-note
ECDSA keys can now be used for signing and verifying service account tokens.
```
2016-10-01 08:42:53 -07:00
deads2k
57039cfdfa make well-known users and groups into constants 2016-09-30 10:34:33 -04:00
deads2k
5080a575ad add anytoken authenticator 2016-09-29 14:14:06 -04:00
Jordan Liggitt
6333d8fd86
Add ECDSA support 2016-09-27 12:44:54 -04:00
Jordan Liggitt
5599ca3be5
Decorate authenticated users with system:authenticated group 2016-09-26 17:19:00 -04:00
Jordan Liggitt
0c36c5e556
Add anonymous auth to the auth chain 2016-09-26 17:19:00 -04:00
Kubernetes Submit Queue
5af04d1dd1 Merge pull request #32876 from errordeveloper/more-cert-utils
Automatic merge from submit-queue

Refactor cert utils into one pkg, add funcs from bootkube for kubeadm to use

**What this PR does / why we need it**:

We have ended-up with rather incomplete and fragmented collection of utils for handling certificates. It may be worse to consider using `cfssl` for doing all of these things, but for now there is some functionality that we need in `kubeadm` that we can borrow from bootkube. It makes sense to move the utils from bookube into core, as discussed in #31221.

**Special notes for your reviewer**: I've taken the opportunity to review names of existing funcs and tried to make some improvements in that area (with help from @peterbourgon).

**Release note**:

```release-note
NONE
```
2016-09-22 01:29:46 -07:00
Davanum Srinivas
25d4a70827 Allow secure access to apiserver from Admission Controllers
* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, Set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the api server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
2016-09-20 10:42:21 -04:00
Ilya Dmitrichenko
386fae4592
Refactor utils that deal with certs
- merge `pkg/util/{crypto,certificates}`
- add funcs from `github.com/kubernetes-incubator/bootkube/pkg/tlsutil`
- ensure naming of funcs is fairly consistent
2016-09-19 09:03:42 +01:00
Eric Chiang
9b5ce5218f pkg/apiserver/authenticator: move oidc after service accounts
Both plugins verify JWTs, but the OpenID Connect plugin performs
much worse when faced with cache misses. Reorder the plugins so
the service account plugin tries to authenticate a bearer token
first.
2016-08-11 09:41:50 -07:00
k8s-merge-robot
038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang
2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
CJ Cullen
57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
k8s-merge-robot
0ef4c6407b Merge pull request #24902 from cjcullen/webhookAuthn
Automatic merge from submit-queue

Webhook Token Authenticator

Add a webhook token authenticator plugin to allow a remote service to make authentication decisions.
2016-05-11 22:08:58 -07:00
CJ Cullen
eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
Manjunath A Kumatagi
00be597618 Rename a function parameter name in authn.go 2016-05-06 02:48:10 -04:00
Joe Finney
ae79677fd0
Remove global var for OIDC retry/backoff, and remove retries from unit tests. 2016-04-07 14:18:29 -07:00
zhouhaibing089
83248a9783 move keystone package to password since it is a password authenticator 2016-03-22 23:27:28 +08:00
Harry Zhang
a4d04095d0 Refactor crlf & crypto 2016-03-21 20:20:05 +08:00
Eric Chiang
92d37d5cc5 plugin/pkg/auth/authenticator/token/oidc: get groups from custom claim 2016-02-12 09:58:18 -08:00
Clayton Coleman
9dad7e624c Split the serviceaccount package into two parts
Public utility methods and JWT parsing, and controller specific logic.
Also remove the coupling between ServiceAccountTokenGetter and the
authenticator class.
2015-12-26 21:28:12 -05:00
Clayton Coleman
3d5ed379b0 authn.go doesn't belong in pkg/apiserver
apiserver does not need to know about specific authentication
mechanisms, and does not need to take dependencies on all the
authentication packages.
2015-12-26 21:22:22 -05:00