Vendor in latest k8s.io changes

These changes allow for the container's pid namespace to be set to the same as the pod infra container's namespace if the pid namespace mode is set to POD Signed-off-by: umohnani8 <umohnani@redhat.com>
2018-03-01 15:50:10 -05:00 · 2018-03-01 15:50:10 -05:00 · e5fdb6bc9e
commit e5fdb6bc9e
parent 0b736bb43f
113 changed files with 11290 additions and 5289 deletions
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/claims.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/claims.go
@ -0,0 +1,186 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/golang/glog"
+	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/kubernetes/pkg/apis/core"
+
+	"gopkg.in/square/go-jose.v2/jwt"
+)
+
+// time.Now stubbed out to allow testing
+var now = time.Now
+
+type privateClaims struct {
+	Kubernetes kubernetes `json:"kubernetes.io,omitempty"`
+}
+
+type kubernetes struct {
+	Namespace string `json:"namespace,omitempty"`
+	Svcacct   ref    `json:"serviceaccount,omitempty"`
+	Pod       *ref   `json:"pod,omitempty"`
+	Secret    *ref   `json:"secret,omitempty"`
+}
+
+type ref struct {
+	Name string `json:"name,omitempty"`
+	UID  string `json:"uid,omitempty"`
+}
+
+func Claims(sa core.ServiceAccount, pod *core.Pod, secret *core.Secret, expirationSeconds int64, audience []string) (*jwt.Claims, interface{}) {
+	now := now()
+	sc := &jwt.Claims{
+		Subject:   apiserverserviceaccount.MakeUsername(sa.Namespace, sa.Name),
+		Audience:  jwt.Audience(audience),
+		IssuedAt:  jwt.NewNumericDate(now),
+		NotBefore: jwt.NewNumericDate(now),
+		Expiry:    jwt.NewNumericDate(now.Add(time.Duration(expirationSeconds) * time.Second)),
+	}
+	pc := &privateClaims{
+		Kubernetes: kubernetes{
+			Namespace: sa.Namespace,
+			Svcacct: ref{
+				Name: sa.Name,
+				UID:  string(sa.UID),
+			},
+		},
+	}
+	switch {
+	case pod != nil:
+		pc.Kubernetes.Pod = &ref{
+			Name: pod.Name,
+			UID:  string(pod.UID),
+		}
+	case secret != nil:
+		pc.Kubernetes.Secret = &ref{
+			Name: secret.Name,
+			UID:  string(secret.UID),
+		}
+	}
+	return sc, pc
+}
+
+func NewValidator(audiences []string, getter ServiceAccountTokenGetter) Validator {
+	return &validator{
+		auds:   audiences,
+		getter: getter,
+	}
+}
+
+type validator struct {
+	auds   []string
+	getter ServiceAccountTokenGetter
+}
+
+var _ = Validator(&validator{})
+
+func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
+	private, ok := privateObj.(*privateClaims)
+	if !ok {
+		glog.Errorf("jwt validator expected private claim of type *privateClaims but got: %T", privateObj)
+		return "", "", "", errors.New("Token could not be validated.")
+	}
+	err := public.Validate(jwt.Expected{
+		Time: now(),
+	})
+	switch {
+	case err == nil:
+	case err == jwt.ErrExpired:
+		return "", "", "", errors.New("Token has expired.")
+	default:
+		glog.Errorf("unexpected validation error: %T", err)
+		return "", "", "", errors.New("Token could not be validated.")
+	}
+
+	var audValid bool
+
+	for _, aud := range v.auds {
+		audValid = public.Audience.Contains(aud)
+		if audValid {
+			break
+		}
+	}
+
+	if !audValid {
+		return "", "", "", errors.New("Token is invalid for this audience.")
+	}
+
+	namespace := private.Kubernetes.Namespace
+	saref := private.Kubernetes.Svcacct
+	podref := private.Kubernetes.Pod
+	secref := private.Kubernetes.Secret
+	// Make sure service account still exists (name and UID)
+	serviceAccount, err := v.getter.GetServiceAccount(namespace, saref.Name)
+	if err != nil {
+		glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, saref.Name, err)
+		return "", "", "", err
+	}
+	if serviceAccount.DeletionTimestamp != nil {
+		glog.V(4).Infof("Service account has been deleted %s/%s", namespace, saref.Name)
+		return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
+	}
+	if string(serviceAccount.UID) != saref.UID {
+		glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, saref.Name, string(serviceAccount.UID), saref.UID)
+		return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
+	}
+
+	if secref != nil {
+		// Make sure token hasn't been invalidated by deletion of the secret
+		secret, err := v.getter.GetSecret(namespace, secref.Name)
+		if err != nil {
+			glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, secref.Name, namespace, saref.Name, err)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if secret.DeletionTimestamp != nil {
+			glog.V(4).Infof("Bound secret is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secref.Name, namespace, saref.Name)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if string(secref.UID) != secref.UID {
+			glog.V(4).Infof("Secret UID no longer matches %s/%s: %q != %q", namespace, secref.Name, string(serviceAccount.UID), secref.UID)
+			return "", "", "", fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
+		}
+	}
+
+	if podref != nil {
+		// Make sure token hasn't been invalidated by deletion of the pod
+		pod, err := v.getter.GetPod(namespace, podref.Name)
+		if err != nil {
+			glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, podref.Name, namespace, saref.Name, err)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if pod.DeletionTimestamp != nil {
+			glog.V(4).Infof("Bound pod is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, podref.Name, namespace, saref.Name)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if string(podref.UID) != podref.UID {
+			glog.V(4).Infof("Pod UID no longer matches %s/%s: %q != %q", namespace, podref.Name, string(serviceAccount.UID), podref.UID)
+			return "", "", "", fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
+		}
+	}
+
+	return private.Kubernetes.Namespace, private.Kubernetes.Svcacct.Name, private.Kubernetes.Svcacct.UID, nil
+}
+
+func (v *validator) NewPrivateClaims() interface{} {
+	return &privateClaims{}
+}
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt.go
@ -17,7 +17,6 @@ limitations under the License.
 package serviceaccount

 import (
-	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
@ -30,10 +29,8 @@ import (
 	"k8s.io/api/core/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
-	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"k8s.io/apiserver/pkg/authentication/user"

-	"github.com/golang/glog"
 	jose "gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
@ -41,6 +38,7 @@ import (
 // ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
 type ServiceAccountTokenGetter interface {
 	GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error)
+	GetPod(namespace, name string) (*v1.Pod, error)
 	GetSecret(namespace, name string) (*v1.Secret, error)
 }

@ -113,14 +111,11 @@ func (j *jwtTokenGenerator) GenerateToken(claims *jwt.Claims, privateClaims inte
 // JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator
 // Token signatures are verified using each of the given public keys until one works (allowing key rotation)
 // If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter
-func JWTTokenAuthenticator(iss string, keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token {
+func JWTTokenAuthenticator(iss string, keys []interface{}, validator Validator) authenticator.Token {
 	return &jwtTokenAuthenticator{
-		iss:  iss,
-		keys: keys,
-		validator: &legacyValidator{
-			lookup: lookup,
-			getter: getter,
-		},
+		iss:       iss,
+		keys:      keys,
+		validator: validator,
 	}
 }

@ -130,8 +125,19 @@ type jwtTokenAuthenticator struct {
 	validator Validator
 }

+// Validator is called by the JWT token authentictaor to apply domain specific
+// validation to a token and extract user information.
 type Validator interface {
-	Validate(tokenData string, public *jwt.Claims, private *legacyPrivateClaims) error
+	// Validate validates a token and returns user information or an error.
+	// Validator can assume that the issuer and signature of a token are already
+	// verified when this function is called.
+	Validate(tokenData string, public *jwt.Claims, private interface{}) (namespace, name, uid string, err error)
+	// NewPrivateClaims returns a struct that the authenticator should
+	// deserialize the JWT payload into. The authenticator may then pass this
+	// struct back to the Validator as the 'private' argument to a Validate()
+	// call. This struct should contain fields for any private claims that the
+	// Validator requires to validate the JWT.
+	NewPrivateClaims() interface{}
 }

 var errMismatchedSigningMethod = errors.New("invalid signing method")
@ -147,7 +153,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,
 	}

 	public := &jwt.Claims{}
-	private := &legacyPrivateClaims{}
+	private := j.validator.NewPrivateClaims()

 	var (
 		found   bool
@ -168,12 +174,12 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(tokenData string) (user.Info,

 	// If we get here, we have a token with a recognized signature and
 	// issuer string.
-	if err := j.validator.Validate(tokenData, public, private); err != nil {
+	ns, name, uid, err := j.validator.Validate(tokenData, public, private)
+	if err != nil {
 		return nil, false, err
 	}

-	return UserInfo(private.Namespace, private.ServiceAccountName, private.ServiceAccountUID), true, nil
-
+	return UserInfo(ns, name, uid), true, nil
 }

 // hasCorrectIssuer returns true if tokenData is a valid JWT in compact
@ -204,71 +210,3 @@ func (j *jwtTokenAuthenticator) hasCorrectIssuer(tokenData string) bool {
 	return true

 }
-
-type legacyValidator struct {
-	lookup bool
-	getter ServiceAccountTokenGetter
-}
-
-func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, private *legacyPrivateClaims) error {
-
-	// Make sure the claims we need exist
-	if len(public.Subject) == 0 {
-		return errors.New("sub claim is missing")
-	}
-	namespace := private.Namespace
-	if len(namespace) == 0 {
-		return errors.New("namespace claim is missing")
-	}
-	secretName := private.SecretName
-	if len(secretName) == 0 {
-		return errors.New("secretName claim is missing")
-	}
-	serviceAccountName := private.ServiceAccountName
-	if len(serviceAccountName) == 0 {
-		return errors.New("serviceAccountName claim is missing")
-	}
-	serviceAccountUID := private.ServiceAccountUID
-	if len(serviceAccountUID) == 0 {
-		return errors.New("serviceAccountUID claim is missing")
-	}
-
-	subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
-	if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
-		return errors.New("sub claim is invalid")
-	}
-
-	if v.lookup {
-		// Make sure token hasn't been invalidated by deletion of the secret
-		secret, err := v.getter.GetSecret(namespace, secretName)
-		if err != nil {
-			glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
-			return errors.New("Token has been invalidated")
-		}
-		if secret.DeletionTimestamp != nil {
-			glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
-			return errors.New("Token has been invalidated")
-		}
-		if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
-			glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
-			return errors.New("Token does not match server's copy")
-		}
-
-		// Make sure service account still exists (name and UID)
-		serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
-		if err != nil {
-			glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
-			return err
-		}
-		if serviceAccount.DeletionTimestamp != nil {
-			glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
-			return fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
-		}
-		if string(serviceAccount.UID) != serviceAccountUID {
-			glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
-			return fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
-		}
-	}
-
-	return nil
-}
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
@ -17,9 +17,14 @@ limitations under the License.
 package serviceaccount

 import (
+	"bytes"
+	"errors"
+	"fmt"
+
 	"k8s.io/api/core/v1"
 	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"

+	"github.com/golang/glog"
 	"gopkg.in/square/go-jose.v2/jwt"
 )

@ -42,3 +47,89 @@ type legacyPrivateClaims struct {
 	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name"`
 	Namespace          string `json:"kubernetes.io/serviceaccount/namespace"`
 }
+
+func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter) Validator {
+	return &legacyValidator{
+		lookup: lookup,
+		getter: getter,
+	}
+}
+
+type legacyValidator struct {
+	lookup bool
+	getter ServiceAccountTokenGetter
+}
+
+var _ = Validator(&legacyValidator{})
+
+func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
+	private, ok := privateObj.(*legacyPrivateClaims)
+	if !ok {
+		glog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj)
+		return "", "", "", errors.New("Token could not be validated.")
+	}
+
+	// Make sure the claims we need exist
+	if len(public.Subject) == 0 {
+		return "", "", "", errors.New("sub claim is missing")
+	}
+	namespace := private.Namespace
+	if len(namespace) == 0 {
+		return "", "", "", errors.New("namespace claim is missing")
+	}
+	secretName := private.SecretName
+	if len(secretName) == 0 {
+		return "", "", "", errors.New("secretName claim is missing")
+	}
+	serviceAccountName := private.ServiceAccountName
+	if len(serviceAccountName) == 0 {
+		return "", "", "", errors.New("serviceAccountName claim is missing")
+	}
+	serviceAccountUID := private.ServiceAccountUID
+	if len(serviceAccountUID) == 0 {
+		return "", "", "", errors.New("serviceAccountUID claim is missing")
+	}
+
+	subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
+	if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
+		return "", "", "", errors.New("sub claim is invalid")
+	}
+
+	if v.lookup {
+		// Make sure token hasn't been invalidated by deletion of the secret
+		secret, err := v.getter.GetSecret(namespace, secretName)
+		if err != nil {
+			glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if secret.DeletionTimestamp != nil {
+			glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
+			return "", "", "", errors.New("Token has been invalidated")
+		}
+		if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
+			glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
+			return "", "", "", errors.New("Token does not match server's copy")
+		}
+
+		// Make sure service account still exists (name and UID)
+		serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
+		if err != nil {
+			glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
+			return "", "", "", err
+		}
+		if serviceAccount.DeletionTimestamp != nil {
+			glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
+			return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
+		}
+		if string(serviceAccount.UID) != serviceAccountUID {
+			glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
+			return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
+		}
+	}
+
+	return private.Namespace, private.ServiceAccountName, private.ServiceAccountUID, nil
+}
+
+func (v *legacyValidator) NewPrivateClaims() interface{} {
+	return &legacyPrivateClaims{}
+}