Documentation ¶
Index ¶
- Constants
- func Claims(sa core.ServiceAccount, pod *core.Pod, secret *core.Secret, node *core.Node, ...) (*jwt.Claims, interface{}, error)
- func GenerateToken(signer jose.Signer, iss string, claims *jwt.Claims, privateClaims interface{}) (string, error)
- func JWTTokenAuthenticator[PrivateClaims any](issuers []string, publicKeysGetter PublicKeysGetter, ...) authenticator.Token
- func LegacyClaims(serviceAccount v1.ServiceAccount, secret v1.Secret) (*jwt.Claims, interface{})
- func RegisterMetrics()
- type Listener
- type OpenIDMetadataProvider
- type PublicKey
- type PublicKeysGetter
- type ServiceAccountTokenGetter
- type TokenGenerator
- type Validator
Constants ¶
const ( // Injected bound service account token expiration which triggers monitoring of its time-bound feature. WarnOnlyBoundTokenExpirationSeconds = 60*60 + 7 // Extended expiration for those modified tokens involved in safe rollout if time-bound feature. ExpirationExtensionSeconds = 24 * 365 * 60 * 60 )
const ( LegacyIssuer = "kubernetes/serviceaccount" LastUsedLabelKey = "kubernetes.io/legacy-token-last-used" )
const ( // OpenIDConfigPath is the URL path at which the API server serves // an OIDC Provider Configuration Information document, corresponding // to the Kubernetes Service Account key issuer. // https://openid.net/specs/openid-connect-discovery-1_0.html OpenIDConfigPath = "/.well-known/openid-configuration" // JWKSPath is the URL path at which the API server serves a JWKS // containing the public keys that may be used to sign Kubernetes // Service Account keys. JWKSPath = "/openid/v1/jwks" )
const InvalidSinceLabelKey = "kubernetes.io/legacy-token-invalid-since"
Variables ¶
This section is empty.
Functions ¶
func GenerateToken ¶ added in v1.32.0
func GenerateToken(signer jose.Signer, iss string, claims *jwt.Claims, privateClaims interface{}) (string, error)
GenerateToken is shared between internal and external signer code to ensure that claim merging logic remains consistent between them.
func JWTTokenAuthenticator ¶
func JWTTokenAuthenticator[PrivateClaims any](issuers []string, publicKeysGetter PublicKeysGetter, implicitAuds authenticator.Audiences, validator Validator[PrivateClaims]) authenticator.Token
JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator Token signatures are verified using each of the given public keys until one works (allowing key rotation) If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter
func LegacyClaims ¶ added in v1.10.0
func RegisterMetrics ¶ added in v1.19.0
func RegisterMetrics()
Types ¶
type Listener ¶ added in v1.31.0
type Listener interface {
// Enqueue should be called when an input may have changed
Enqueue()
}
Listener is an interface to use to notify interested parties of a change.
type OpenIDMetadataProvider ¶ added in v1.31.0
type OpenIDMetadataProvider interface { GetConfigJSON() (json []byte, maxAge int) GetKeysetJSON() (json []byte, maxAge int) }
OpenIDMetadataProvider returns pre-rendered responses for OIDC discovery endpoints.
func NewOpenIDMetadataProvider ¶ added in v1.31.0
func NewOpenIDMetadataProvider(issuerURL, jwksURI, defaultExternalAddress string, pubKeyGetter PublicKeysGetter) (OpenIDMetadataProvider, error)
NewOpenIDMetadataProvider returns a provider for the OIDC discovery endpoints, or an error if they could not be constructed. Callers should note that this function may perform additional validation on inputs that is not backwards-compatible with all command-line validation. The recommendation is to log the error and skip installing the OIDC discovery endpoints.
type PublicKeysGetter ¶ added in v1.31.0
type PublicKeysGetter interface { // AddListener is adds a listener to be notified of potential input changes. // This is a noop on static providers. AddListener(listener Listener) // GetCacheAgeMaxSeconds returns the seconds a call to GetPublicKeys() can be cached for. // If the results of GetPublicKeys() can be dynamic, this means a new key must be included in the results // for at least this long before it is used to sign new tokens. GetCacheAgeMaxSeconds() int // GetPublicKeys returns public keys to use for verifying a token with the given key id. // keyIDHint may be empty if the token did not have a kid header, or if all public keys are desired. GetPublicKeys(ctx context.Context, keyIDHint string) []PublicKey }
PublicKeysGetter returns public keys for a given key id.
func StaticPublicKeysGetter ¶ added in v1.31.0
func StaticPublicKeysGetter(keys []interface{}) (PublicKeysGetter, error)
StaticPublicKeysGetter constructs an implementation of PublicKeysGetter which returns all public keys when key id is unspecified, and returns the public keys matching the keyIDFromPublicKey-derived key id when a key id is specified.
type ServiceAccountTokenGetter ¶
type ServiceAccountTokenGetter interface { GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error) GetPod(namespace, name string) (*v1.Pod, error) GetSecret(namespace, name string) (*v1.Secret, error) GetNode(name string) (*v1.Node, error) }
ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
type TokenGenerator ¶
type TokenGenerator interface { // GenerateToken generates a token which will identify the given // ServiceAccount. privateClaims is an interface that will be // serialized into the JWT payload JSON encoding at the root level of // the payload object. Public claims take precedent over private // claims i.e. if both claims and privateClaims have an "exp" field, // the value in claims will be used. GenerateToken(ctx context.Context, claims *jwt.Claims, privateClaims interface{}) (string, error) }
func JWTTokenGenerator ¶
func JWTTokenGenerator(iss string, privateKey interface{}) (TokenGenerator, error)
JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey. privateKey is a PEM-encoded byte array of a private RSA key.
type Validator ¶ added in v1.10.0
type Validator[PrivateClaims any] interface { // Validate validates a token and returns user information or an error. // Validator can assume that the issuer and signature of a token are already // verified when this function is called. Validate(ctx context.Context, tokenData string, public *jwt.Claims, private *PrivateClaims) (*apiserverserviceaccount.ServiceAccountInfo, error) }
Validator is called by the JWT token authenticator to apply domain specific validation to a token and extract user information. PrivateClaims is the struct that the authenticator should deserialize the JWT payload into, thus it should contain fields for any private claims that the Validator requires to validate the JWT.
func NewLegacyValidator ¶ added in v1.10.0
func NewLegacyValidator(lookup bool, getter ServiceAccountTokenGetter, secretsWriter typedv1core.SecretsGetter) (Validator[legacyPrivateClaims], error)
func NewValidator ¶ added in v1.10.0
func NewValidator(getter ServiceAccountTokenGetter) Validator[privateClaims]