Documentation ¶
Overview ¶
Package bootstrap provides a token authenticator for TLS bootstrap secrets.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type TokenAuthenticator ¶
type TokenAuthenticator struct {
// contains filtered or unexported fields
}
TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.
func NewTokenAuthenticator ¶
func NewTokenAuthenticator(lister internalversion.SecretNamespaceLister) *TokenAuthenticator
NewTokenAuthenticator initializes a bootstrap token authenticator.
The lister is expected to be scoped to the "kube-system" namespace; secrets in other namespaces are never consulted.
func (*TokenAuthenticator) AuthenticateToken ¶
func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)
AuthenticateToken tries to match the provided token to a bootstrap token secret in the namespace the lister is scoped to. If a matching, unexpired secret is found, it authenticates the token with the "system:bootstrap:(token-id)" username and the "system:bootstrappers" group, plus any groups listed in the secret's "auth-extra-groups" key.
All secrets must be of type "bootstrap.kubernetes.io/token". An example secret (values shown unencoded for readability; in a real manifest the values under "data" are base64-encoded, or the clear-text values go under "stringData" instead):
    apiVersion: v1
    kind: Secret
    metadata:
      # Name MUST be of form "bootstrap-token-( token id )".
      name: bootstrap-token-( token id )
      namespace: kube-system
    # Only secrets of this type will be evaluated.
    type: bootstrap.kubernetes.io/token
    data:
      token-secret: ( private part of token )
      token-id: ( token id )
      # Required key usage; the value must be the string "true".
      usage-bootstrap-authentication: true
      # Optional; every extra group must carry the "system:bootstrappers:" prefix.
      auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
      # May also contain an expiry.
Tokens are expected to be of the form:
( token-id ).( token-secret )
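The following is an added, self-contained example of the matching rules described above, not the package's own code. It assumes a plain map standing in for the kube-system listing that the real authenticator gets from its lister, secret data that has already been base64-decoded, the "expiration" key (RFC 3339) that Kubernetes uses for a bootstrap token's expiry, and the Kubernetes bootstrap token format of a 6-character id and 16-character secret in lower-case alphanumerics. The function keeps the three-valued contract of the real method: (resp, true, nil) on success, (nil, false, nil) for anything that is simply not a valid matching token, and an error only for a malformed secret an operator must fix.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Conventions from the package documentation, plus the "expiration" key
// Kubernetes uses for the optional expiry (assumption stated in the lead-in).
const (
	SecretTypeBootstrapToken = "bootstrap.kubernetes.io/token"
	SecretNamePrefix         = "bootstrap-token-"
	UsernamePrefix           = "system:bootstrap:"
	BootstrappersGroup       = "system:bootstrappers"
	ExtraGroupPrefix         = "system:bootstrappers:"

	keyTokenID     = "token-id"
	keyTokenSecret = "token-secret"
	keyUsageAuth   = "usage-bootstrap-authentication"
	keyExtraGroups = "auth-extra-groups"
	keyExpiration  = "expiration"
)

// tokenPattern is the bootstrap token format: 6-char id, 16-char secret.
var tokenPattern = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`)

// Secret is a constructed stand-in for a core/v1 Secret with decoded data.
type Secret struct {
	Name string
	Type string
	Data map[string]string
}

// Response is a slimmed-down authenticator.Response.
type Response struct {
	Username string
	Groups   []string
}

// AuthenticateToken matches token against the constructed kube-system listing.
func AuthenticateToken(secrets map[string]Secret, token string, now time.Time) (*Response, bool, error) {
	m := tokenPattern.FindStringSubmatch(token)
	if m == nil {
		return nil, false, nil // not a bootstrap token; leave it to other authenticators
	}
	id, secret := m[1], m[2]

	s, found := secrets[SecretNamePrefix+id]
	if !found || s.Type != SecretTypeBootstrapToken || s.Data[keyTokenID] != id {
		return nil, false, nil // missing, wrong type, or id in data disagrees with name
	}
	// Constant-time compare so a wrong secret does not leak how many leading bytes matched.
	if subtle.ConstantTimeCompare([]byte(s.Data[keyTokenSecret]), []byte(secret)) != 1 {
		return nil, false, nil
	}
	if s.Data[keyUsageAuth] != "true" {
		return nil, false, nil // token exists but is not enabled for authentication
	}
	if exp, ok := s.Data[keyExpiration]; ok {
		t, err := time.Parse(time.RFC3339, exp)
		if err != nil {
			return nil, false, fmt.Errorf("secret %s: unparseable expiration %q: %w", s.Name, exp, err)
		}
		if !now.Before(t) {
			return nil, false, nil // expired
		}
	}
	groups := []string{BootstrappersGroup}
	if extra := s.Data[keyExtraGroups]; extra != "" {
		for _, g := range strings.Split(extra, ",") {
			g = strings.TrimSpace(g)
			if !strings.HasPrefix(g, ExtraGroupPrefix) || len(g) == len(ExtraGroupPrefix) {
				return nil, false, fmt.Errorf("secret %s: extra group %q must start with %q", s.Name, g, ExtraGroupPrefix)
			}
			groups = append(groups, g)
		}
	}
	return &Response{Username: UsernamePrefix + id, Groups: groups}, true, nil
}

// SampleSecrets builds a constructed listing covering the success and failure cases.
func SampleSecrets() map[string]Secret {
	mk := func(id string, extra map[string]string) Secret {
		d := map[string]string{keyTokenID: id, keyTokenSecret: "0123456789abcdef", keyUsageAuth: "true"}
		for k, v := range extra {
			d[k] = v
		}
		return Secret{Name: SecretNamePrefix + id, Type: SecretTypeBootstrapToken, Data: d}
	}
	out := map[string]Secret{}
	for _, s := range []Secret{
		mk("abcdef", map[string]string{keyExtraGroups: "system:bootstrappers:kubeadm:default-node-token"}),
		mk("expire", map[string]string{keyExpiration: "2023-01-01T00:00:00Z"}),
		mk("noauth", map[string]string{keyUsageAuth: "false"}),
		mk("badgrp", map[string]string{keyExtraGroups: "admins"}),
	} {
		out[s.Name] = s
	}
	opaque := mk("opaque", nil) // right name and data, wrong type: must be ignored
	opaque.Type = "Opaque"
	out[opaque.Name] = opaque
	return out
}

func main() {
	resp, ok, err := AuthenticateToken(SampleSecrets(), "abcdef.0123456789abcdef", time.Now())
	fmt.Println(resp, ok, err)
}
```

The regex check comes first on purpose: a token that does not even have the documented shape is rejected with (nil, false, nil) before any secret lookup, so the authenticator never reveals whether a given id exists. The only error path is a secret whose "auth-extra-groups" or "expiration" is malformed, which is an administrator's problem rather than the caller's.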