bootstrap

Documentation

Overview

Package bootstrap provides a token authenticator for TLS bootstrap secrets.

Index

• type TokenAuthenticator
  • func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator
  • func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

Types

type TokenAuthenticator

type TokenAuthenticator struct {
	// contains filtered or unexported fields
}

TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.

func NewTokenAuthenticator

func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator

NewTokenAuthenticator initializes a bootstrap token authenticator.

Lister is expected to be for the "kube-system" namespace.

func (*TokenAuthenticator) AuthenticateToken

func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

AuthenticateToken tries to match the provided token to a bootstrap token secret in a given namespace. If found, it authenticates the token in the "system:bootstrappers" group and with the "system:bootstrap:(token-id)" username.

All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:

apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-( token id )".
  name: bootstrap-token-( token id )
  namespace: kube-system
# Only secrets of this type will be evaluated.
type: bootstrap.kubernetes.io/token
data:
  token-secret: ( private part of token )
  token-id: ( token id )
  # Required key usage.
  usage-bootstrap-authentication: true
  auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
  # May also contain an expiry.

Tokens are expected to be of the form:

( token-id ).( token-secret )