Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
bd2cb5a7
Unverified
Commit
bd2cb5a7
authored
Nov 13, 2018
by
k8s-ci-robot
Committed by
GitHub
Nov 13, 2018
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #70831 from mikedanese/securesvcacct
add BoundServiceAccountTokenVolume feature
parents
67b7d977
f4ff2667
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
25 additions
and
1 deletion
+25
-1
certificates.go
cmd/kube-controller-manager/app/certificates.go
+1
-1
kube_features.go
pkg/features/kube_features.go
+9
-0
authentication.go
pkg/kubeapiserver/options/authentication.go
+15
-0
No files found.
cmd/kube-controller-manager/app/certificates.go
View file @
bd2cb5a7
...
...
@@ -125,7 +125,7 @@ func startCSRCleanerController(ctx ControllerContext) (http.Handler, bool, error
}
func
startRootCACertPublisher
(
ctx
ControllerContext
)
(
http
.
Handler
,
bool
,
error
)
{
if
!
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
TokenRequest
)
{
if
!
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
BoundServiceAccountTokenVolume
)
{
return
nil
,
false
,
nil
}
...
...
pkg/features/kube_features.go
View file @
bd2cb5a7
...
...
@@ -269,6 +269,14 @@ const (
// Enable ServiceAccountTokenVolumeProjection support in ProjectedVolumes.
TokenRequestProjection
utilfeature
.
Feature
=
"TokenRequestProjection"
// owner: @mikedanese
// alpha: v1.13
//
// Migrate ServiceAccount volumes to use a projected volume consisting of a
// ServiceAccountTokenVolumeProjection. This feature adds new required flags
// to the API server.
BoundServiceAccountTokenVolume
utilfeature
.
Feature
=
"BoundServiceAccountTokenVolume"
// owner: @Random-Liu
// beta: v1.11
//
...
...
@@ -428,6 +436,7 @@ var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureS
ScheduleDaemonSetPods
:
{
Default
:
true
,
PreRelease
:
utilfeature
.
Beta
},
TokenRequest
:
{
Default
:
true
,
PreRelease
:
utilfeature
.
Beta
},
TokenRequestProjection
:
{
Default
:
true
,
PreRelease
:
utilfeature
.
Beta
},
BoundServiceAccountTokenVolume
:
{
Default
:
false
,
PreRelease
:
utilfeature
.
Alpha
},
CRIContainerLogRotation
:
{
Default
:
true
,
PreRelease
:
utilfeature
.
Beta
},
GCERegionalPersistentDisk
:
{
Default
:
true
,
PreRelease
:
utilfeature
.
GA
},
RunAsGroup
:
{
Default
:
false
,
PreRelease
:
utilfeature
.
Alpha
},
...
...
pkg/kubeapiserver/options/authentication.go
View file @
bd2cb5a7
...
...
@@ -17,6 +17,7 @@ limitations under the License.
package
options
import
(
"errors"
"fmt"
"net/url"
"strings"
...
...
@@ -29,7 +30,9 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericoptions
"k8s.io/apiserver/pkg/server/options"
utilfeature
"k8s.io/apiserver/pkg/util/feature"
"k8s.io/apiserver/pkg/util/flag"
"k8s.io/kubernetes/pkg/features"
kubeauthenticator
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
...
...
@@ -170,6 +173,18 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
allErrors
=
append
(
allErrors
,
fmt
.
Errorf
(
"service-account-issuer contained a ':' but was not a valid URL: %v"
,
err
))
}
}
if
s
.
ServiceAccounts
!=
nil
&&
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
BoundServiceAccountTokenVolume
)
{
if
!
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
TokenRequest
)
||
!
utilfeature
.
DefaultFeatureGate
.
Enabled
(
features
.
TokenRequestProjection
)
{
allErrors
=
append
(
allErrors
,
errors
.
New
(
"If the BoundServiceAccountTokenVolume feature is enabled,"
+
" the TokenRequest and TokenRequestProjection features must also be enabled"
))
}
if
len
(
s
.
ServiceAccounts
.
Issuer
)
==
0
{
allErrors
=
append
(
allErrors
,
errors
.
New
(
"service-account-issuer is a required flag when BoundServiceAccountTokenVolume is enabled"
))
}
if
len
(
s
.
ServiceAccounts
.
KeyFiles
)
==
0
{
allErrors
=
append
(
allErrors
,
errors
.
New
(
"service-account-key-file is a required flag when BoundServiceAccountTokenVolume is enabled"
))
}
}
return
allErrors
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment