Search client auth with and without port

Kubernetes-commit: 2f5dde7672eaf90c7086f86a5a4ee190559f3bb2
Jordan Liggitt 2019-09-02 22:38:55 -04:00 committed by Kubernetes Publisher
parent fa157b05a9
commit 2de636a948
2 changed files with 101 additions and 0 deletions


@ -136,6 +136,23 @@ func (c *defaultAuthenticationInfoResolver) clientConfig(target string) (*rest.C
}
}
// If target included the default https port (443), search again without the port
if target, port, err := net.SplitHostPort(target); err == nil && port == "443" {
// exact match without port
if authConfig, ok := c.kubeconfig.AuthInfos[target]; ok {
return restConfigFromKubeconfig(authConfig)
}
// star prefixed match without port
serverSteps := strings.Split(target, ".")
for i := 1; i < len(serverSteps); i++ {
nickName := "*." + strings.Join(serverSteps[i:], ".")
if authConfig, ok := c.kubeconfig.AuthInfos[nickName]; ok {
return restConfigFromKubeconfig(authConfig)
}
}
}
// if we're trying to hit the kube-apiserver and there wasn't an explicit config, use the in-cluster config
if target == "kubernetes.default.svc" {
// if we can find an in-cluster-config use that. If we can't, fall through.
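Review bot: The port-stripped `target` declared in the `if target, port, err := net.SplitHostPort(target)` initializer shadows the outer variable only inside that block, so the later `if target == "kubernetes.default.svc"` check still compares the original string, including `:443`. A caller passing `kubernetes.default.svc:443` would therefore appear to skip the in-cluster config fallback, unless code outside this hunk handles it. Naming the stripped value `host` would make the scoping obvious, and the check could be widened to `if target == "kubernetes.default.svc" || target == "kubernetes.default.svc:443" {`. The body of clientConfig starts and ends outside the hunk.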


@ -109,6 +109,90 @@ func TestAuthenticationDetection(t *testing.T) {
},
expected: rest.Config{BearerToken: "first"},
},
{
name: "exact match with default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com:443": {Token: "exact"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "exact"},
},
{
name: "wildcard match with default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com:443": {Token: "first-with-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first-with-port"},
},
{
name: "wildcard match without default https port",
serverName: "one.two.three.com:443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first"},
},
{
name: "exact match with non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com:8443": {Token: "exact"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "exact"},
},
{
name: "wildcard match with non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"*.two.three.com:8443": {Token: "first-with-port"},
"one.two.three.com": {Token: "first-without-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "first-with-port"},
},
{
name: "wildcard match without non-default https port",
serverName: "one.two.three.com:8443",
kubeconfig: clientcmdapi.Config{
AuthInfos: map[string]*clientcmdapi.AuthInfo{
"one.two.three.com": {Token: "first-without-port"},
"*.two.three.com": {Token: "first"},
"*.three.com": {Token: "second"},
"*.com": {Token: "third"},
"*": {Token: "fallback"},
},
},
expected: rest.Config{BearerToken: "fallback"},
},
}
for _, tc := range tests {
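Review bot: None of the added `:443` cases exercises the new exact-match-without-port lookup, because no entry pairs `serverName: "one.two.three.com:443"` with an `AuthInfos` key of `"one.two.three.com"`. That branch decides which credential is sent to the server, so it should be pinned by a case like the one below (token names are constructed samples). A second case where that key competes with `"*.two.three.com:443"` would also fix the precedence between a with-port wildcard and a portless exact match. The body of TestAuthenticationDetection starts and ends outside the hunk.

```go
// … unchanged: existing ":443" cases …
{
	name:       "exact match without default https port",
	serverName: "one.two.three.com:443",
	kubeconfig: clientcmdapi.Config{
		AuthInfos: map[string]*clientcmdapi.AuthInfo{
			"one.two.three.com": {Token: "exact-without-port"},
			"*.two.three.com":   {Token: "first"},
			"*":                 {Token: "fallback"},
		},
	},
	expected: rest.Config{BearerToken: "exact-without-port"},
},
```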