Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for /token subresource in serviceaccount registry #58111

Merged
merged 1 commit into from
Feb 22, 2018
Merged

add support for /token subresource in serviceaccount registry #58111

merged 1 commit into from
Feb 22, 2018

Conversation

mikedanese
Copy link
Member

@mikedanese mikedanese commented Jan 10, 2018
edited
Loading

I'm planning on implementing the registry bits (this) in one PR and followup with an authenticator that supports new id tokens.

#58790

@kubernetes/sig-auth-pr-reviews

NONE

@mikedanese mikedanese self-assigned this Jan 10, 2018
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 10, 2018
@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/new-api labels Jan 10, 2018
@mikedanese mikedanese force-pushed the id-registry branch 3 times, most recently from 926c2c6 to 31e072f Compare January 17, 2018 01:09
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 17, 2018
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 19, 2018
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 1, 2018
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 6, 2018
@k8s-github-robot k8s-github-robot removed kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/new-api labels Feb 6, 2018
@mikedanese mikedanese force-pushed the id-registry branch 3 times, most recently from 9c2abbe to bdfe771 Compare February 6, 2018 23:23
@mikedanese mikedanese changed the title WIP: implement registry stuff for TokenRequest add support for /token subresource in serviceaccount registry Feb 6, 2018
@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Feb 6, 2018
@mikedanese mikedanese force-pushed the id-registry branch 2 times, most recently from 092dcb9 to 07729d4 Compare February 7, 2018 05:29
liggitt
liggitt reviewed Feb 15, 2018
View reviewed changes
pkg/registry/core/rest/storage_core.go Outdated
@@ -224,6 +230,9 @@ func (c LegacyRESTStorageProvider) NewLegacyRESTStorage(restOptionsGetter generi
if legacyscheme.Registry.IsEnabledVersion(schema.GroupVersion{Group: "policy", Version: "v1beta1"}) {
restStorageMap["pods/eviction"] = podStorage.Eviction
}
if c.IDTokenIssuer != nil && utilfeature.DefaultFeatureGate.Enabled(features.TokenRequest) {
Copy link
Member

@liggitt liggitt Feb 15, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would prefer checking if serviceAccountStorage.Token is non-nil here (and making it be nil if you pass in a nil IDTokenIssuer to REST construction)

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 18, 2018
liggitt
liggitt reviewed Feb 19, 2018
View reviewed changes
pkg/kubeapiserver/options/authentication.go Outdated
@@ -228,6 +229,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {

fs.BoolVar(&s.ServiceAccounts.Lookup, "service-account-lookup", s.ServiceAccounts.Lookup,
"If true, validate ServiceAccount tokens exist in etcd as part of authentication.")

fs.StringVar(&s.ServiceAccounts.IssuerID, "service-account-issuer-id", s.ServiceAccounts.IssuerID, ""+
Copy link
Member

@liggitt liggitt Feb 19, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

probably just call this service-account-issuer, and apply StringOrURI validation (if contains :, require to be a valid URI, otherwise any value is allowed)

liggitt
liggitt reviewed Feb 19, 2018
View reviewed changes
cmd/kube-apiserver/app/options/options.go
@@ -231,4 +233,7 @@ func (s *ServerRunOptions) AddFlags(fs *pflag.FlagSet) {
fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting,
"Turns on aggregator routing requests to endoints IP rather than cluster IP.")

fs.StringVar(&s.ServiceAccountSigningKeyFile, "service-account-signing-key-file", s.ServiceAccountSigningKeyFile, ""+
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. (Ignored unless alpha TokenRequest is enabled")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want to ignore this unless the feature gate is on, or require the feature gate to be on to specify this (I'd prefer the latter... it's confusing to set flags that have no effect)

Copy link
Member Author

@mikedanese mikedanese Feb 20, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you want this to work? The feature gates are passed as flags, and at this point we haven't called flag.Parse. We could error if these are passed but the feature is not enabled. Note this is already mentioned in the flag doc.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, check at point of use against feature enablement. I think I commented there as well

liggitt
liggitt reviewed Feb 19, 2018
View reviewed changes
cmd/kube-apiserver/app/server.go Outdated
@@ -319,6 +322,18 @@ func CreateKubeAPIServerConfig(s *options.ServerRunOptions, nodeTunneler tunnele
return nil, nil, nil, nil, nil, err
}

var issuer serviceaccount.TokenGenerator
if s.ServiceAccountSigningKeyFile != "" && s.Authentication.ServiceAccounts.IssuerID != "" {
Copy link
Member

@liggitt liggitt Feb 19, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setting either of these without enabling TokenRequest should be an error, and when the feature gate is enabled, setting one without the other should be an error

liggitt
liggitt reviewed Feb 19, 2018
View reviewed changes
pkg/kubeapiserver/options/authentication.go Outdated
@@ -70,6 +70,7 @@ type PasswordFileAuthenticationOptions struct {
type ServiceAccountAuthenticationOptions struct {
KeyFiles []string
Lookup bool
IssuerID string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: just call this Issuer?

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 20, 2018
@mikedanese
Copy link
Member Author

@liggitt fixed.

@mikedanese mikedanese added this to the v1.10 milestone Feb 21, 2018
@ericchiang ericchiang added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Feb 21, 2018
liggitt
liggitt reviewed Feb 21, 2018
View reviewed changes
test/integration/auth/svcaccttoken_test.go Outdated

func TestServiceAccountTokenCreate(t *testing.T) {
defer utilfeaturetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.TokenRequest, true)()
// Start the server so we know the address
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be able to drop most of this MasterHolder/custom authenticator stuff and just use:

... set feature gate
masterConfig := framework.NewIntegrationTestMasterConfig()
... set signing key, issuer id
master, s, closeFn := framework.RunAMaster(masterConfig)
defer closeFn()

c, err := clientset.NewForConfig(master.GenericAPIServer.LoopbackClientConfig)

@liggitt
Copy link
Member

liggitt commented Feb 21, 2018
edited
Loading

just the suggestion for simplifying the integration test, needs squash, lgtm
/approve

@mikedanese
Copy link
Member Author

@liggitt done.

@mikedanese
Copy link
Member Author

For approval:

/assign @smarterclayton

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Feb 21, 2018
edited
Loading

@mikedanese: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-gke 25b05a53707fc44db088ebd424d977a538cf516b link /test pull-kubernetes-e2e-gke

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@mikedanese
Copy link
Member Author

/retest

@smarterclayton
Copy link
Contributor

/approve

SIG sign off

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 21, 2018
@cjcullen
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 21, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cjcullen, liggitt, mikedanese, smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 60158, 60156, 58111, 57583, 60055). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 8b94ae8 into kubernetes:master Feb 22, 2018
@mikedanese mikedanese deleted the id-registry branch February 22, 2018 06:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@php-coder php-coder php-coder left review comments

@liggitt liggitt liggitt left review comments

@ericchiang ericchiang ericchiang left review comments

@cjcullen cjcullen cjcullen left review comments

Assignees

@liggitt liggitt

@smarterclayton smarterclayton

@cjcullen cjcullen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.10
Development

Successfully merging this pull request may close these issues.
8 participants
@mikedanese @cjcullen @liggitt @k8s-ci-robot @smarterclayton @k8s-github-robot @php-coder @ericchiang