Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
daedcb6d
Commit
daedcb6d
authored
Oct 08, 2018
by
Darren Shepherd
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Delete anonymous auth
parent
41a03920
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
1 addition
and
174 deletions
+1
-174
auth.go
cmd/kubelet/app/auth.go
+0
-1
config.go
pkg/kubeapiserver/authenticator/config.go
+0
-11
authentication.go
pkg/kubeapiserver/options/authentication.go
+1
-32
delegating.go
...ver/pkg/authentication/authenticatorfactory/delegating.go
+0
-9
BUILD
...s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+0
-42
anonymous.go
...iserver/pkg/authentication/request/anonymous/anonymous.go
+0
-36
anonymous_test.go
...er/pkg/authentication/request/anonymous/anonymous_test.go
+0
-42
authentication.go
...src/k8s.io/apiserver/pkg/server/options/authentication.go
+0
-1
No files found.
cmd/kubelet/app/auth.go
View file @
daedcb6d
...
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
...
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
// BuildAuthn creates an authenticator compatible with the kubelet's needs
// BuildAuthn creates an authenticator compatible with the kubelet's needs
func
BuildAuthn
(
client
authenticationclient
.
TokenReviewInterface
,
authn
kubeletconfig
.
KubeletAuthentication
)
(
authenticator
.
Request
,
error
)
{
func
BuildAuthn
(
client
authenticationclient
.
TokenReviewInterface
,
authn
kubeletconfig
.
KubeletAuthentication
)
(
authenticator
.
Request
,
error
)
{
authenticatorConfig
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
authenticatorConfig
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
Anonymous
:
authn
.
Anonymous
.
Enabled
,
CacheTTL
:
authn
.
Webhook
.
CacheTTL
.
Duration
,
CacheTTL
:
authn
.
Webhook
.
CacheTTL
.
Duration
,
ClientCAFile
:
authn
.
X509
.
ClientCAFile
,
ClientCAFile
:
authn
.
X509
.
ClientCAFile
,
}
}
...
...
pkg/kubeapiserver/authenticator/config.go
View file @
daedcb6d
...
@@ -22,7 +22,6 @@ import (
...
@@ -22,7 +22,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/union"
...
@@ -42,7 +41,6 @@ import (
...
@@ -42,7 +41,6 @@ import (
)
)
type
AuthenticatorConfig
struct
{
type
AuthenticatorConfig
struct
{
Anonymous
bool
BasicAuthFile
string
BasicAuthFile
string
ClientCAFile
string
ClientCAFile
string
ServiceAccountKeyFiles
[]
string
ServiceAccountKeyFiles
[]
string
...
@@ -134,9 +132,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
...
@@ -134,9 +132,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
}
}
if
len
(
authenticators
)
==
0
{
if
len
(
authenticators
)
==
0
{
if
config
.
Anonymous
{
return
anonymous
.
NewAuthenticator
(),
nil
}
return
nil
,
nil
return
nil
,
nil
}
}
...
@@ -144,12 +139,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
...
@@ -144,12 +139,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
authenticator
=
group
.
NewAuthenticatedGroupAdder
(
authenticator
)
authenticator
=
group
.
NewAuthenticatedGroupAdder
(
authenticator
)
if
config
.
Anonymous
{
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
// or invalid username/password combination anonymous).
authenticator
=
union
.
NewFailOnError
(
authenticator
,
anonymous
.
NewAuthenticator
())
}
return
authenticator
,
nil
return
authenticator
,
nil
}
}
...
...
pkg/kubeapiserver/options/authentication.go
View file @
daedcb6d
...
@@ -25,14 +25,11 @@ import (
...
@@ -25,14 +25,11 @@ import (
"github.com/golang/glog"
"github.com/golang/glog"
"github.com/spf13/pflag"
"github.com/spf13/pflag"
"k8s.io/apimachinery/pkg/util/sets"
genericapiserver
"k8s.io/apiserver/pkg/server"
genericapiserver
"k8s.io/apiserver/pkg/server"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
)
)
type
BuiltInAuthenticationOptions
struct
{
type
BuiltInAuthenticationOptions
struct
{
Anonymous
*
AnonymousAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
PasswordFile
*
PasswordFileAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
ServiceAccounts
*
ServiceAccountAuthenticationOptions
WebHook
*
WebHookAuthenticationOptions
WebHook
*
WebHookAuthenticationOptions
...
@@ -41,10 +38,6 @@ type BuiltInAuthenticationOptions struct {
...
@@ -41,10 +38,6 @@ type BuiltInAuthenticationOptions struct {
TokenFailureCacheTTL
time
.
Duration
TokenFailureCacheTTL
time
.
Duration
}
}
type
AnonymousAuthenticationOptions
struct
{
Allow
bool
}
type
PasswordFileAuthenticationOptions
struct
{
type
PasswordFileAuthenticationOptions
struct
{
BasicAuthFile
string
BasicAuthFile
string
}
}
...
@@ -71,17 +64,11 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
...
@@ -71,17 +64,11 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithAll
()
*
BuiltInAuthenticationOptions
{
return
s
.
return
s
.
WithAnonymous
()
.
WithPasswordFile
()
.
WithPasswordFile
()
.
WithServiceAccounts
()
.
WithServiceAccounts
()
.
WithWebHook
()
WithWebHook
()
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithAnonymous
()
*
BuiltInAuthenticationOptions
{
s
.
Anonymous
=
&
AnonymousAuthenticationOptions
{
Allow
:
true
}
return
s
}
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
func
(
s
*
BuiltInAuthenticationOptions
)
WithPasswordFile
()
*
BuiltInAuthenticationOptions
{
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
s
.
PasswordFile
=
&
PasswordFileAuthenticationOptions
{}
return
s
return
s
...
@@ -113,13 +100,6 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
...
@@ -113,13 +100,6 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
}
}
func
(
s
*
BuiltInAuthenticationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
func
(
s
*
BuiltInAuthenticationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
if
s
.
Anonymous
!=
nil
{
fs
.
BoolVar
(
&
s
.
Anonymous
.
Allow
,
"anonymous-auth"
,
s
.
Anonymous
.
Allow
,
""
+
"Enables anonymous requests to the secure port of the API server. "
+
"Requests that are not rejected by another authentication method are treated as anonymous requests. "
+
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated."
)
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
fs
.
StringVar
(
&
s
.
PasswordFile
.
BasicAuthFile
,
"basic-auth-file"
,
s
.
PasswordFile
.
BasicAuthFile
,
""
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
"If set, the file that will be used to admit requests to the secure port of the API server "
+
...
@@ -166,10 +146,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
...
@@ -166,10 +146,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
TokenFailureCacheTTL
:
s
.
TokenFailureCacheTTL
,
TokenFailureCacheTTL
:
s
.
TokenFailureCacheTTL
,
}
}
if
s
.
Anonymous
!=
nil
{
ret
.
Anonymous
=
s
.
Anonymous
.
Allow
}
if
s
.
PasswordFile
!=
nil
{
if
s
.
PasswordFile
!=
nil
{
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
ret
.
BasicAuthFile
=
s
.
PasswordFile
.
BasicAuthFile
}
}
...
@@ -210,14 +186,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
...
@@ -210,14 +186,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
// ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func
(
o
*
BuiltInAuthenticationOptions
)
ApplyAuthorization
(
authorization
*
BuiltInAuthorizationOptions
)
{
func
(
o
*
BuiltInAuthenticationOptions
)
ApplyAuthorization
(
authorization
*
BuiltInAuthorizationOptions
)
{
if
o
==
nil
||
authorization
==
nil
||
o
.
Anonymous
==
nil
{
if
o
==
nil
||
authorization
==
nil
{
return
return
}
}
// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
// in such a case the AnonymousAuth is stomped to false and you get a message
if
o
.
Anonymous
.
Allow
&&
sets
.
NewString
(
authorization
.
Modes
...
)
.
Has
(
authzmodes
.
ModeAlwaysAllow
)
{
glog
.
Warningf
(
"AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer"
)
o
.
Anonymous
.
Allow
=
false
}
}
}
staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
View file @
daedcb6d
...
@@ -23,7 +23,6 @@ import (
...
@@ -23,7 +23,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
unionauth
"k8s.io/apiserver/pkg/authentication/request/union"
unionauth
"k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/x509"
"k8s.io/apiserver/pkg/authentication/request/x509"
...
@@ -34,8 +33,6 @@ import (
...
@@ -34,8 +33,6 @@ import (
// DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
// DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
// built to delegate authentication to a kube API server
// built to delegate authentication to a kube API server
type
DelegatingAuthenticatorConfig
struct
{
type
DelegatingAuthenticatorConfig
struct
{
Anonymous
bool
// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
TokenAccessReviewClient
authenticationclient
.
TokenReviewInterface
TokenAccessReviewClient
authenticationclient
.
TokenReviewInterface
...
@@ -79,15 +76,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
...
@@ -79,15 +76,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
}
}
if
len
(
authenticators
)
==
0
{
if
len
(
authenticators
)
==
0
{
if
c
.
Anonymous
{
return
anonymous
.
NewAuthenticator
(),
nil
}
return
nil
,
errors
.
New
(
"No authentication method configured"
)
return
nil
,
errors
.
New
(
"No authentication method configured"
)
}
}
authenticator
:=
group
.
NewAuthenticatedGroupAdder
(
unionauth
.
New
(
authenticators
...
))
authenticator
:=
group
.
NewAuthenticatedGroupAdder
(
unionauth
.
New
(
authenticators
...
))
if
c
.
Anonymous
{
authenticator
=
unionauth
.
NewFailOnError
(
authenticator
,
anonymous
.
NewAuthenticator
())
}
return
authenticator
,
nil
return
authenticator
,
nil
}
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
deleted
100644 → 0
View file @
41a03920
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["anonymous_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
go_library(
name = "go_default_library",
srcs = ["anonymous.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
deleted
100644 → 0
View file @
41a03920
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
anonymous
import
(
"net/http"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
const
(
anonymousUser
=
user
.
Anonymous
unauthenticatedGroup
=
user
.
AllUnauthenticated
)
func
NewAuthenticator
()
authenticator
.
Request
{
return
authenticator
.
RequestFunc
(
func
(
req
*
http
.
Request
)
(
user
.
Info
,
bool
,
error
)
{
return
&
user
.
DefaultInfo
{
Name
:
anonymousUser
,
Groups
:
[]
string
{
unauthenticatedGroup
}},
true
,
nil
})
}
staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
deleted
100644 → 0
View file @
41a03920
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
anonymous
import
(
"testing"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
func
TestAnonymous
(
t
*
testing
.
T
)
{
var
a
authenticator
.
Request
=
NewAuthenticator
()
u
,
ok
,
err
:=
a
.
AuthenticateRequest
(
nil
)
if
err
!=
nil
{
t
.
Fatalf
(
"Unexpected error %v"
,
err
)
}
if
!
ok
{
t
.
Fatalf
(
"Unexpectedly unauthenticated"
)
}
if
u
.
GetName
()
!=
user
.
Anonymous
{
t
.
Fatalf
(
"Expected username %s, got %s"
,
user
.
Anonymous
,
u
.
GetName
())
}
if
!
sets
.
NewString
(
u
.
GetGroups
()
...
)
.
Equal
(
sets
.
NewString
(
user
.
AllUnauthenticated
))
{
t
.
Fatalf
(
"Expected group %s, got %v"
,
user
.
AllUnauthenticated
,
u
.
GetGroups
())
}
}
staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
View file @
daedcb6d
...
@@ -89,7 +89,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
...
@@ -89,7 +89,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
}
}
cfg
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
cfg
:=
authenticatorfactory
.
DelegatingAuthenticatorConfig
{
Anonymous
:
true
,
CacheTTL
:
s
.
CacheTTL
,
CacheTTL
:
s
.
CacheTTL
,
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment