Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
48c6d1ab
Unverified
Commit
48c6d1ab
authored
Jan 19, 2018
by
Eric Chiang
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
oidc authentication: switch to v2 of coreos/go-oidc
parent
9586cd06
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
46 additions
and
10 deletions
+46
-10
options_test.go
cmd/kube-apiserver/app/options/options_test.go
+1
-0
config.go
pkg/kubeapiserver/authenticator/config.go
+12
-10
authentication.go
pkg/kubeapiserver/options/authentication.go
+6
-0
oidc.go
....io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
+0
-0
oidc_test.go
...piserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
+0
-0
gen.sh
...erver/plugin/pkg/authenticator/token/oidc/testdata/gen.sh
+27
-0
No files found.
cmd/kube-apiserver/app/options/options_test.go
View file @
48c6d1ab
...
@@ -210,6 +210,7 @@ func TestAddFlags(t *testing.T) {
...
@@ -210,6 +210,7 @@ func TestAddFlags(t *testing.T) {
BootstrapToken
:
&
kubeoptions
.
BootstrapTokenAuthenticationOptions
{},
BootstrapToken
:
&
kubeoptions
.
BootstrapTokenAuthenticationOptions
{},
OIDC
:
&
kubeoptions
.
OIDCAuthenticationOptions
{
OIDC
:
&
kubeoptions
.
OIDCAuthenticationOptions
{
UsernameClaim
:
"sub"
,
UsernameClaim
:
"sub"
,
SigningAlgs
:
[]
string
{
"RS256"
},
},
},
PasswordFile
:
&
kubeoptions
.
PasswordFileAuthenticationOptions
{},
PasswordFile
:
&
kubeoptions
.
PasswordFileAuthenticationOptions
{},
RequestHeader
:
&
apiserveroptions
.
RequestHeaderAuthenticationOptions
{},
RequestHeader
:
&
apiserveroptions
.
RequestHeaderAuthenticationOptions
{},
...
...
pkg/kubeapiserver/authenticator/config.go
View file @
48c6d1ab
...
@@ -58,6 +58,7 @@ type AuthenticatorConfig struct {
...
@@ -58,6 +58,7 @@ type AuthenticatorConfig struct {
OIDCUsernamePrefix
string
OIDCUsernamePrefix
string
OIDCGroupsClaim
string
OIDCGroupsClaim
string
OIDCGroupsPrefix
string
OIDCGroupsPrefix
string
OIDCSigningAlgs
[]
string
ServiceAccountKeyFiles
[]
string
ServiceAccountKeyFiles
[]
string
ServiceAccountLookup
bool
ServiceAccountLookup
bool
WebhookTokenAuthnConfigFile
string
WebhookTokenAuthnConfigFile
string
...
@@ -143,7 +144,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
...
@@ -143,7 +144,7 @@ func (config AuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDe
// simply returns an error, the OpenID Connect plugin may query the provider to
// simply returns an error, the OpenID Connect plugin may query the provider to
// update the keys, causing performance hits.
// update the keys, causing performance hits.
if
len
(
config
.
OIDCIssuerURL
)
>
0
&&
len
(
config
.
OIDCClientID
)
>
0
{
if
len
(
config
.
OIDCIssuerURL
)
>
0
&&
len
(
config
.
OIDCClientID
)
>
0
{
oidcAuth
,
err
:=
newAuthenticatorFromOIDCIssuerURL
(
config
.
OIDCIssuerURL
,
config
.
OIDCClientID
,
config
.
OIDCCAFile
,
config
.
OIDCUsernameClaim
,
config
.
OIDCUsernamePrefix
,
config
.
OIDCGroupsClaim
,
config
.
OIDCGroupsPrefix
)
oidcAuth
,
err
:=
newAuthenticatorFromOIDCIssuerURL
(
config
.
OIDCIssuerURL
,
config
.
OIDCClientID
,
config
.
OIDCCAFile
,
config
.
OIDCUsernameClaim
,
config
.
OIDCUsernamePrefix
,
config
.
OIDCGroupsClaim
,
config
.
OIDCGroupsPrefix
,
config
.
OIDCSigningAlgs
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
err
return
nil
,
nil
,
err
}
}
...
@@ -235,7 +236,7 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e
...
@@ -235,7 +236,7 @@ func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, e
}
}
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error.
// newAuthenticatorFromOIDCIssuerURL returns an authenticator.Token or an error.
func
newAuthenticatorFromOIDCIssuerURL
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
usernamePrefix
,
groupsClaim
,
groupsPrefix
string
)
(
authenticator
.
Token
,
error
)
{
func
newAuthenticatorFromOIDCIssuerURL
(
issuerURL
,
clientID
,
caFile
,
usernameClaim
,
usernamePrefix
,
groupsClaim
,
groupsPrefix
string
,
signingAlgs
[]
string
)
(
authenticator
.
Token
,
error
)
{
const
noUsernamePrefix
=
"-"
const
noUsernamePrefix
=
"-"
if
usernamePrefix
==
""
&&
usernameClaim
!=
"email"
{
if
usernamePrefix
==
""
&&
usernameClaim
!=
"email"
{
...
@@ -251,14 +252,15 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
...
@@ -251,14 +252,15 @@ func newAuthenticatorFromOIDCIssuerURL(issuerURL, clientID, caFile, usernameClai
usernamePrefix
=
""
usernamePrefix
=
""
}
}
tokenAuthenticator
,
err
:=
oidc
.
New
(
oidc
.
OIDCOptions
{
tokenAuthenticator
,
err
:=
oidc
.
New
(
oidc
.
Options
{
IssuerURL
:
issuerURL
,
IssuerURL
:
issuerURL
,
ClientID
:
clientID
,
ClientID
:
clientID
,
CAFile
:
caFile
,
CAFile
:
caFile
,
UsernameClaim
:
usernameClaim
,
UsernameClaim
:
usernameClaim
,
UsernamePrefix
:
usernamePrefix
,
UsernamePrefix
:
usernamePrefix
,
GroupsClaim
:
groupsClaim
,
GroupsClaim
:
groupsClaim
,
GroupsPrefix
:
groupsPrefix
,
GroupsPrefix
:
groupsPrefix
,
SupportedSigningAlgs
:
signingAlgs
,
})
})
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
...
...
pkg/kubeapiserver/options/authentication.go
View file @
48c6d1ab
...
@@ -61,6 +61,7 @@ type OIDCAuthenticationOptions struct {
...
@@ -61,6 +61,7 @@ type OIDCAuthenticationOptions struct {
UsernamePrefix
string
UsernamePrefix
string
GroupsClaim
string
GroupsClaim
string
GroupsPrefix
string
GroupsPrefix
string
SigningAlgs
[]
string
}
}
type
PasswordFileAuthenticationOptions
struct
{
type
PasswordFileAuthenticationOptions
struct
{
...
@@ -208,6 +209,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -208,6 +209,10 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
"If provided, all groups will be prefixed with this value to prevent conflicts with "
+
"If provided, all groups will be prefixed with this value to prevent conflicts with "
+
"other authentication strategies."
)
"other authentication strategies."
)
fs
.
StringSliceVar
(
&
s
.
OIDC
.
SigningAlgs
,
"oidc-signing-algs"
,
[]
string
{
"RS256"
},
""
+
"Comma-separated list of allowed JOSE asymmetric signing algorithms. JWTs with a "
+
"'alg' header value not in this list will be rejected. "
+
"Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1."
)
}
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
...
@@ -272,6 +277,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
...
@@ -272,6 +277,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
ret
.
OIDCIssuerURL
=
s
.
OIDC
.
IssuerURL
ret
.
OIDCIssuerURL
=
s
.
OIDC
.
IssuerURL
ret
.
OIDCUsernameClaim
=
s
.
OIDC
.
UsernameClaim
ret
.
OIDCUsernameClaim
=
s
.
OIDC
.
UsernameClaim
ret
.
OIDCUsernamePrefix
=
s
.
OIDC
.
UsernamePrefix
ret
.
OIDCUsernamePrefix
=
s
.
OIDC
.
UsernamePrefix
ret
.
OIDCSigningAlgs
=
s
.
OIDC
.
SigningAlgs
}
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
...
...
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc.go
View file @
48c6d1ab
This diff is collapsed.
Click to expand it.
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go
View file @
48c6d1ab
This diff is collapsed.
Click to expand it.
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/testdata/gen.sh
0 → 100755
View file @
48c6d1ab
#!/bin/bash -e
# Copyright 2018 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
rm
*
.pem
for
N
in
`
seq
1 3
`
;
do
ssh-keygen
-t
rsa
-b
2048
-f
rsa_
$N
.pem
-N
''
done
for
N
in
`
seq
1 3
`
;
do
ssh-keygen
-t
ecdsa
-b
521
-f
ecdsa_
$N
.pem
-N
''
done
rm
*
.pub
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment