Vendor in latest k8s.io changes
These changes allow for the container's pid namespace to be set to the same as the pod infra container's namespace if the pid namespace mode is set to POD Signed-off-by: umohnani8 <umohnani@redhat.com>
This commit is contained in:
umohnani8
parent
0b736bb43f
commit
e5fdb6bc9e
113 changed files with 11290 additions and 5289 deletions
91
vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
generated
vendored
91
vendor/k8s.io/kubernetes/pkg/serviceaccount/legacy.go
generated
vendored
|
|
@ -17,9 +17,14 @@ limitations under the License.
|
|||
package serviceaccount
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"k8s.io/api/core/v1"
|
||||
apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
)
|
||||
|
||||
|
|
@ -42,3 +47,89 @@ type legacyPrivateClaims struct {
|
|||
SecretName string `json:"kubernetes.io/serviceaccount/secret.name"`
|
||||
Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
|
||||
}
|
||||
|
||||
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter) Validator {
|
||||
return &legacyValidator{
|
||||
lookup: lookup,
|
||||
getter: getter,
|
||||
}
|
||||
}
|
||||
|
||||
type legacyValidator struct {
|
||||
lookup bool
|
||||
getter ServiceAccountTokenGetter
|
||||
}
|
||||
|
||||
var _ = Validator(&legacyValidator{})
|
||||
|
||||
func (v *legacyValidator) Validate(tokenData string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
|
||||
private, ok := privateObj.(*legacyPrivateClaims)
|
||||
if !ok {
|
||||
glog.Errorf("jwt validator expected private claim of type *legacyPrivateClaims but got: %T", privateObj)
|
||||
return "", "", "", errors.New("Token could not be validated.")
|
||||
}
|
||||
|
||||
// Make sure the claims we need exist
|
||||
if len(public.Subject) == 0 {
|
||||
return "", "", "", errors.New("sub claim is missing")
|
||||
}
|
||||
namespace := private.Namespace
|
||||
if len(namespace) == 0 {
|
||||
return "", "", "", errors.New("namespace claim is missing")
|
||||
}
|
||||
secretName := private.SecretName
|
||||
if len(secretName) == 0 {
|
||||
return "", "", "", errors.New("secretName claim is missing")
|
||||
}
|
||||
serviceAccountName := private.ServiceAccountName
|
||||
if len(serviceAccountName) == 0 {
|
||||
return "", "", "", errors.New("serviceAccountName claim is missing")
|
||||
}
|
||||
serviceAccountUID := private.ServiceAccountUID
|
||||
if len(serviceAccountUID) == 0 {
|
||||
return "", "", "", errors.New("serviceAccountUID claim is missing")
|
||||
}
|
||||
|
||||
subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(public.Subject)
|
||||
if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
|
||||
return "", "", "", errors.New("sub claim is invalid")
|
||||
}
|
||||
|
||||
if v.lookup {
|
||||
// Make sure token hasn't been invalidated by deletion of the secret
|
||||
secret, err := v.getter.GetSecret(namespace, secretName)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
|
||||
return "", "", "", errors.New("Token has been invalidated")
|
||||
}
|
||||
if secret.DeletionTimestamp != nil {
|
||||
glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
|
||||
return "", "", "", errors.New("Token has been invalidated")
|
||||
}
|
||||
if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(tokenData)) != 0 {
|
||||
glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
|
||||
return "", "", "", errors.New("Token does not match server's copy")
|
||||
}
|
||||
|
||||
// Make sure service account still exists (name and UID)
|
||||
serviceAccount, err := v.getter.GetServiceAccount(namespace, serviceAccountName)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
|
||||
return "", "", "", err
|
||||
}
|
||||
if serviceAccount.DeletionTimestamp != nil {
|
||||
glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
|
||||
return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
|
||||
}
|
||||
if string(serviceAccount.UID) != serviceAccountUID {
|
||||
glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
|
||||
return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
|
||||
}
|
||||
}
|
||||
|
||||
return private.Namespace, private.ServiceAccountName, private.ServiceAccountUID, nil
|
||||
}
|
||||
|
||||
func (v *legacyValidator) NewPrivateClaims() interface{} {
|
||||
return &legacyPrivateClaims{}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue