upstream/kubernetes
1
0
Fork 0
mirror of https://github.com/kubernetes/kubernetes.git synced 2026-04-15 14:26:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
kubernetes/pkg
History
Monis Khan 9b23f22472
Make oidc authenticator audience agnostic 
This change removes the audience logic from the oidc authenticator
and collapses it onto the same logic used by other audience unaware
authenticators.

oidc is audience unaware in the sense that it does not know or
understand the API server's audience.  As before, the authenticator
will continue to check that the token audience matches the
configured client ID.

The reasoning for this simplification is:

1. The previous code tries to make the client ID on the oidc token
a valid audience.  But by not returning any audience, the token is
not valid when used via token review on a server that is configured
to honor audiences (the token works against the Kube API because the
audience check is skipped).

2. It is unclear what functionality would be gained by allowing
token review to check the client ID as a valid audience.  It could
serve as a proxy to know that the token was honored by the oidc
authenticator, but that does not seem like a valid use case.

3. It has never been possible to use the client ID as an audience
with token review as it would have always failed the audience
intersection check.  Thus this change is backwards compatible.

It is strange that the oidc authenticator would be considered
audience unaware when oidc tokens have an audience claim, but from
the perspective of the Kube API (and for backwards compatibility),
these tokens are only valid for the API server's audience.

This change seems to be the least magical and most consistent way to
honor backwards compatibility and to allow oidc tokens to be used
via token review when audience support in enabled.

Signed-off-by: Monis Khan <mok@vmware.com>
2020-02-04 13:24:49 -08:00
..
api Clean up commented assertions in tests 2020-01-15 11:34:27 +02:00
apis Merge pull request #87706 from liggitt/fix-statefulset-conversion 2020-01-31 20:08:16 -08:00
auth [pkg/auth/nodeidentifier/default_test.go]: fix testing error message typo 2019-11-19 23:35:04 +08:00
capabilities
client Require client / server protocols 2020-01-06 08:50:04 -08:00
cloudprovider update existing import-restrictions files 2020-01-28 10:51:45 +01:00
controller Merge pull request #86793 from prameshj/gce-finalizer 2020-01-30 21:20:32 -08:00
credentialprovider Whitelisting *.pkg.dev for the GCP credential provider 2020-01-24 10:19:19 -08:00
features Remove deprecated GA feature gates 2020-01-23 13:44:21 -05:00
fieldpath
generated
kubeapiserver Make oidc authenticator audience agnostic 2020-02-04 13:24:49 -08:00
kubectl [auth]Change example in can-i to apps instead of extensions 2019-12-13 13:36:48 -05:00
kubelet Merge pull request #85472 from dcbw/kubelet-network-approvers 2020-02-01 12:55:19 -08:00
kubemark fix kubemark use fake CRI 2020-01-07 11:39:58 +08:00
master refactor 2020-01-29 08:50:45 -08:00
printers update existing import-restrictions files 2020-01-28 10:51:45 +01:00
probe
proxy Merge pull request #87710 from alena1108/jan30proxy 2020-02-02 19:09:20 -08:00
quota Prune inactive owners from pkg/* misc api-machinery related OWNERS files. 2019-10-13 08:46:12 -04:00
registry Add support for pre-allocated hugepages with 2 sizes 2020-01-23 17:38:22 +01:00
routes
scheduler Adds more unit test on Bind extension for the scheduler 2020-01-31 22:37:22 +01:00
security SafeSysctlWhitelist: add net.ipv4.ping_group_range 2019-11-20 07:26:02 +09:00
securitycontext
serviceaccount
ssh
util Merge pull request #87377 from gavinfish/pkg-util-netsh 2020-01-21 22:02:35 -08:00
volume Merge pull request #87713 from kkmsft/filepath-fixes-windows 2020-02-03 17:07:25 -08:00
watch/json
windows/service
.import-restrictions
BUILD Remove testapi 2019-12-13 11:56:29 -05:00
OWNERS