From 7b63db277da5d0d23ac78f9aad1b7866c4b5b9ba Mon Sep 17 00:00:00 2001
From: Shihang Zhang
Date: Mon, 21 Mar 2022 14:21:41 -0700
Subject: [PATCH] track legacy service account tokens

Kubernetes-commit: 569cd70a52359a294a608fb256693445a89a9dab
---
 .../token/cache/cached_token_authenticator.go | 34 +++++++++++++++++++
 pkg/warning/context.go | 3 +-
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/pkg/authentication/token/cache/cached_token_authenticator.go b/pkg/authentication/token/cache/cached_token_authenticator.go
index 787d926b4..467e7dcc9 100644
--- a/pkg/authentication/token/cache/cached_token_authenticator.go
+++ b/pkg/authentication/token/cache/cached_token_authenticator.go
@@ -36,6 +36,7 @@ import (
 	auditinternal "k8s.io/apiserver/pkg/apis/audit"
 	"k8s.io/apiserver/pkg/audit"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/warning"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/clock"
 )
@@ -59,6 +60,12 @@ type cacheRecord struct {
 	// based on the current time, but that may be okay since cache TTLs are generally
 	// small (seconds).
 	annotations map[string]string
+	warnings []*cacheWarning
+}
+
+type cacheWarning struct {
+	agent string
+	text string
 }
 
 type cachedTokenAuthenticator struct {
@@ -128,6 +135,9 @@ func (a *cachedTokenAuthenticator) AuthenticateToken(ctx context.Context, token
 		for key, value := range record.annotations {
 			audit.AddAuditAnnotation(ctx, key, value)
 		}
+		for _, w := range record.warnings {
+			warning.AddWarning(ctx, w.agent, w.text)
+		}
 		return record.resp, true, nil
 	}
 
@@ -184,6 +194,8 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke
 	if audsOk {
 		ctx = authenticator.WithAudiences(ctx, auds)
 	}
+	recorder := &recorder{}
+	ctx = warning.WithWarningRecorder(ctx, recorder)
 
 	// since this is shared work between multiple requests, we have no way of knowing if any
 	// particular request supports audit annotations. thus we always attempt to record them.
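Review bot: The new `warnings` field on `cacheRecord` and the new `cacheWarning` type carry no comment, while the neighbouring `annotations` field documents its caching caveat in detail. Suggest `// warnings holds the warnings the wrapped authenticator emitted for this token; they are replayed to every request served from this record.` on the field, and `// cacheWarning is one warning captured while a token was authenticated, kept so it can be replayed on cache hits.` on the type. `cacheRecord` starts before this hunk.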
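Review bot: The replay loop re-emits the warnings captured during the original authentication to every later request that is served from this record, for as long as the record lives, and nothing in the loop or the surrounding comments says so. The cache appears to be keyed by the token, so this is sound only while warning text describes the token rather than the request that first presented it; request-specific details in a warning would be attributed to unrelated requests. A comment above the loop would make that contract explicit: `// replay warnings recorded when this token was first authenticated; they describe the token, so they apply to every request presenting it.` `AuthenticateToken` starts and ends outside this hunk.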
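Review bot: `recorder := &recorder{}` shadows the `recorder` type for the rest of `doAuthenticateToken`; it compiles, but the type name is unusable below this point and the line reads as if a type were being assigned to itself. A distinct variable name avoids the shadowing: `warnRecorder := &recorder{}` and `ctx = warning.WithWarningRecorder(ctx, warnRecorder)`, with the later `extractWarnings()` call in the next hunk following the rename. Since the comment just below says this work is shared between requests, the recorder installed here captures warnings on behalf of all callers of the same token, which is consistent with the replay on cache hits. `doAuthenticateToken` starts and ends outside this hunk.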
@@ -192,6 +204,7 @@ func (a *cachedTokenAuthenticator) doAuthenticateToken(ctx context.Context, toke
 	record.resp, record.ok, record.err = a.authenticator.AuthenticateToken(ctx, token)
 	record.annotations = ev.Annotations
+	record.warnings = recorder.extractWarnings()
 	if !a.cacheErrs && record.err != nil {
 		return record, nil
@@ -269,3 +282,24 @@ func toBytes(s string) []byte {
 func toString(b []byte) string {
 	return *(*string)(unsafe.Pointer(&b))
 }
+
+// simple recorder that only appends warning
+type recorder struct {
+	mu sync.Mutex
+	warnings []*cacheWarning
+}
+
+// AddWarning adds a warning to recorder.
+func (r *recorder) AddWarning(agent, text string) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.warnings = append(r.warnings, &cacheWarning{agent: agent, text: text})
+}
+
+func (r *recorder) extractWarnings() []*cacheWarning {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	warnings := r.warnings
+	r.warnings = nil
+	return warnings
+}
diff --git a/pkg/warning/context.go b/pkg/warning/context.go
index 1b9dd54df..200922545 100644
--- a/pkg/warning/context.go
+++ b/pkg/warning/context.go
@@ -24,7 +24,7 @@ import (
 type key int
 
 const (
-	// auditAnnotationsKey is the context key for the audit annotations.
+	// warningRecorderKey is the context key for the warning recorder.
 	warningRecorderKey key = iota
 )
 
@@ -41,6 +41,7 @@ type Recorder interface {
 func WithWarningRecorder(ctx context.Context, recorder Recorder) context.Context {
 	return context.WithValue(ctx, warningRecorderKey, recorder)
 }
+
 func warningRecorderFrom(ctx context.Context) (Recorder, bool) {
 	recorder, ok := ctx.Value(warningRecorderKey).(Recorder)
 	return recorder, ok
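Review bot: `recorder` is passed to `warning.WithWarningRecorder`, whose parameter type is `Recorder` in the second file of this patch, so it must keep satisfying that interface, yet nothing pins that at compile time next to the type; `var _ warning.Recorder = (*recorder)(nil)` beside the type declaration would make a future interface change fail here rather than at the call site. The type comment `// simple recorder that only appends warning` could follow the doc convention and name the type: `// recorder is a warning.Recorder that buffers warnings so they can be stored on a cacheRecord.` `extractWarnings` has no comment; suggest `// extractWarnings returns the buffered warnings and resets the recorder to empty.`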