serviceaccount

package
v1.31.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 10, 2024 License: Apache-2.0 Imports: 36 Imported by: 1,050

Documentation

Index

Constants

View Source
const (
	// Injected bound service account token expiration which triggers monitoring of its time-bound feature.
	WarnOnlyBoundTokenExpirationSeconds = 60*60 + 7

	// Extended expiration for those modified tokens involved in safe rollout if time-bound feature.
	ExpirationExtensionSeconds = 24 * 365 * 60 * 60
)
View Source
const (
	LegacyIssuer     = "kubernetes/serviceaccount"
	LastUsedLabelKey = "kubernetes.io/legacy-token-last-used"
)
View Source
const (
	// OpenIDConfigPath is the URL path at which the API server serves
	// an OIDC Provider Configuration Information document, corresponding
	// to the Kubernetes Service Account key issuer.
	// https://openid.net/specs/openid-connect-discovery-1_0.html
	OpenIDConfigPath = "/.well-known/openid-configuration"

	// JWKSPath is the URL path at which the API server serves a JWKS
	// containing the public keys that may be used to sign Kubernetes
	// Service Account keys.
	JWKSPath = "/openid/v1/jwks"
)
View Source
const InvalidSinceLabelKey = "kubernetes.io/legacy-token-invalid-since"

Variables

This section is empty.

Functions

func Claims added in v1.10.0

func Claims(sa core.ServiceAccount, pod *core.Pod, secret *core.Secret, node *core.Node, expirationSeconds, warnafter int64, audience []string) (*jwt.Claims, interface{}, error)

func JWTTokenAuthenticator

func JWTTokenAuthenticator[PrivateClaims any](issuers []string, publicKeysGetter PublicKeysGetter, implicitAuds authenticator.Audiences, validator Validator[PrivateClaims]) authenticator.Token

JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator Token signatures are verified using each of the given public keys until one works (allowing key rotation) If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter

func LegacyClaims added in v1.10.0

func LegacyClaims(serviceAccount v1.ServiceAccount, secret v1.Secret) (*jwt.Claims, interface{})

func RegisterMetrics added in v1.19.0

func RegisterMetrics()

Types

type Listener added in v1.31.0

type Listener interface {
	// Enqueue should be called when an input may have changed
	Enqueue()
}

Listener is an interface to use to notify interested parties of a change.

type OpenIDMetadataProvider added in v1.31.0

type OpenIDMetadataProvider interface {
	GetConfigJSON() (json []byte, maxAge int)
	GetKeysetJSON() (json []byte, maxAge int)
}

OpenIDMetadataProvider returns pre-rendered responses for OIDC discovery endpoints.

func NewOpenIDMetadataProvider added in v1.31.0

func NewOpenIDMetadataProvider(issuerURL, jwksURI, defaultExternalAddress string, pubKeyGetter PublicKeysGetter) (OpenIDMetadataProvider, error)

NewOpenIDMetadataProvider returns a provider for the OIDC discovery endpoints, or an error if they could not be constructed. Callers should note that this function may perform additional validation on inputs that is not backwards-compatible with all command-line validation. The recommendation is to log the error and skip installing the OIDC discovery endpoints.

type PublicKey added in v1.31.0

type PublicKey struct {
	KeyID     string
	PublicKey interface{}
}

type PublicKeysGetter added in v1.31.0

type PublicKeysGetter interface {
	// AddListener is adds a listener to be notified of potential input changes.
	// This is a noop on static providers.
	AddListener(listener Listener)

	// GetCacheAgeMaxSeconds returns the seconds a call to GetPublicKeys() can be cached for.
	// If the results of GetPublicKeys() can be dynamic, this means a new key must be included in the results
	// for at least this long before it is used to sign new tokens.
	GetCacheAgeMaxSeconds() int

	// GetPublicKeys returns public keys to use for verifying a token with the given key id.
	// keyIDHint may be empty if the token did not have a kid header, or if all public keys are desired.
	GetPublicKeys(keyIDHint string) []PublicKey
}

PublicKeysGetter returns public keys for a given key id.

func StaticPublicKeysGetter added in v1.31.0

func StaticPublicKeysGetter(keys []interface{}) (PublicKeysGetter, error)

StaticPublicKeysGetter constructs an implementation of PublicKeysGetter which returns all public keys when key id is unspecified, and returns the public keys matching the keyIDFromPublicKey-derived key id when a key id is specified.

type ServiceAccountTokenGetter

type ServiceAccountTokenGetter interface {
	GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error)
	GetPod(namespace, name string) (*v1.Pod, error)
	GetSecret(namespace, name string) (*v1.Secret, error)
	GetNode(name string) (*v1.Node, error)
}

ServiceAccountTokenGetter defines functions to retrieve a named service account and secret

type TokenGenerator

type TokenGenerator interface {
	// GenerateToken generates a token which will identify the given
	// ServiceAccount. privateClaims is an interface that will be
	// serialized into the JWT payload JSON encoding at the root level of
	// the payload object. Public claims take precedent over private
	// claims i.e. if both claims and privateClaims have an "exp" field,
	// the value in claims will be used.
	GenerateToken(claims *jwt.Claims, privateClaims interface{}) (string, error)
}

func JWTTokenGenerator

func JWTTokenGenerator(iss string, privateKey interface{}) (TokenGenerator, error)

JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. privateKey is a PEM-encoded byte array of a private RSA key.

type Validator added in v1.10.0

type Validator[PrivateClaims any] interface {
	// Validate validates a token and returns user information or an error.
	// Validator can assume that the issuer and signature of a token are already
	// verified when this function is called.
	Validate(ctx context.Context, tokenData string, public *jwt.Claims, private *PrivateClaims) (*apiserverserviceaccount.ServiceAccountInfo, error)
}

Validator is called by the JWT token authenticator to apply domain specific validation to a token and extract user information. PrivateClaims is the struct that the authenticator should deserialize the JWT payload into, thus it should contain fields for any private claims that the Validator requires to validate the JWT.

func NewLegacyValidator added in v1.10.0

func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator[legacyPrivateClaims], error)

func NewValidator added in v1.10.0

func NewValidator(getter ServiceAccountTokenGetter) Validator[privateClaims]

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL