Merge pull request #129081 from stlaz/fg_remote_uid
featuregate UID in RequestHeader authenticator

Kubernetes-commit: 1504f10e7946f95a8b1da35e28e4c7453ff62775
commit
99abadede2
2
go.mod
2
go.mod
|
@ -57,7 +57,7 @@ require (
|
|||
k8s.io/api v0.0.0-20241204221923-645453f0621f
|
||||
k8s.io/apimachinery v0.0.0-20241204221643-a0ca8148bde6
|
||||
k8s.io/client-go v0.0.0-20241204222315-f118320d13f9
|
||||
k8s.io/component-base v0.0.0-20241204223417-d3f16c547313
|
||||
k8s.io/component-base v0.0.0-20241205024112-a640eabb28ec
|
||||
k8s.io/klog/v2 v2.130.1
|
||||
k8s.io/kms v0.0.0-20241204223706-b70fce8f5bd9
|
||||
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f
|
||||
|
|
4
go.sum
4
go.sum
|
@ -371,8 +371,8 @@ k8s.io/apimachinery v0.0.0-20241204221643-a0ca8148bde6 h1:bM/A2IkGxt7mdSf1dbQTPf
|
|||
k8s.io/apimachinery v0.0.0-20241204221643-a0ca8148bde6/go.mod h1:pfmi1Ug6+bq/azoo9WveGhYBCQ0b+Wm4IgxWGFZ7wRc=
|
||||
k8s.io/client-go v0.0.0-20241204222315-f118320d13f9 h1:mciZXJ1DYTefAEO+yEWWL+UbNvmwKkoqJw507y7OCu0=
|
||||
k8s.io/client-go v0.0.0-20241204222315-f118320d13f9/go.mod h1:dhTNZ5ZUZp9Mp1ox9NaSLfoe5Bhs5v3YPqFlt29JOLg=
|
||||
k8s.io/component-base v0.0.0-20241204223417-d3f16c547313 h1:i175Z7RqeEpMN7XLqMspLlpzZZR9yDo4WhpbIxQN7Qc=
|
||||
k8s.io/component-base v0.0.0-20241204223417-d3f16c547313/go.mod h1:DrjEbiemJFlIUXov3W8I1W+WmRqNEzlz7Ry+gUSKCBw=
|
||||
k8s.io/component-base v0.0.0-20241205024112-a640eabb28ec h1:xRIcGY13OhIEohoQJqC0GjQ1y7IcgW00pGC8J5iTcJY=
|
||||
k8s.io/component-base v0.0.0-20241205024112-a640eabb28ec/go.mod h1:DrjEbiemJFlIUXov3W8I1W+WmRqNEzlz7Ry+gUSKCBw=
|
||||
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
|
||||
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
|
||||
k8s.io/kms v0.0.0-20241204223706-b70fce8f5bd9 h1:QrQAylbTdX8fhbYj93Oe49wSB0vIZ5tHEtAn3gt9QKE=
|
||||
|
|
|
@ -149,6 +149,13 @@ const (
|
|||
// to a chunking list request.
|
||||
RemainingItemCount featuregate.Feature = "RemainingItemCount"
|
||||
|
||||
// owner: @stlaz
|
||||
//
|
||||
// Enable kube-apiserver to accept UIDs via request header authentication.
|
||||
// This will also make the kube-apiserver's API aggregator add UIDs via standard
|
||||
// headers when forwarding requests to the servers serving the aggregated API.
|
||||
RemoteRequestHeaderUID featuregate.Feature = "RemoteRequestHeaderUID"
|
||||
|
||||
// owner: @wojtek-t
|
||||
//
|
||||
// Enables resilient watchcache initialization to avoid controlplane
|
||||
|
@ -359,6 +366,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
|||
{Version: version.MustParse("1.29"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||
},
|
||||
|
||||
RemoteRequestHeaderUID: {
|
||||
{Version: version.MustParse("1.32"), Default: false, PreRelease: featuregate.Alpha},
|
||||
},
|
||||
|
||||
ResilientWatchCacheInitialization: {
|
||||
{Version: version.MustParse("1.31"), Default: true, PreRelease: featuregate.Beta},
|
||||
},
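Review bot: The comment on RemoteRequestHeaderUID says what enabling the gate does but not what an operator sees while it is off. Per the Validate() change in this commit, setting --requestheader-uid-headers with the gate disabled produces a validation error rather than a silently ignored flag. A line such as `// When disabled, --requestheader-uid-headers is rejected at validation.` would make that explicit next to the gate definition. The const block and the gate map both continue outside the hunks shown.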
|
||||
|
|
|
@ -29,8 +29,10 @@ import (
|
|||
"k8s.io/apiserver/pkg/apis/apiserver"
|
||||
"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
|
||||
"k8s.io/apiserver/pkg/authentication/request/headerrequest"
|
||||
"k8s.io/apiserver/pkg/features"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
"k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/rest"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
|
@ -68,9 +70,6 @@ func (s *RequestHeaderAuthenticationOptions) Validate() []error {
|
|||
if err := checkForWhiteSpaceOnly("requestheader-username-headers", s.UsernameHeaders...); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
if err := checkForWhiteSpaceOnly("requestheader-uid-headers", s.UIDHeaders...); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
if err := checkForWhiteSpaceOnly("requestheader-group-headers", s.GroupHeaders...); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
|
@ -84,10 +83,6 @@ func (s *RequestHeaderAuthenticationOptions) Validate() []error {
|
|||
if len(s.UsernameHeaders) > 0 && !caseInsensitiveHas(s.UsernameHeaders, "X-Remote-User") {
|
||||
klog.Warningf("--requestheader-username-headers is set without specifying the standard X-Remote-User header - API aggregation will not work")
|
||||
}
|
||||
if len(s.UIDHeaders) > 0 && !caseInsensitiveHas(s.UIDHeaders, "X-Remote-Uid") {
|
||||
// this was added later and so we are able to error out
|
||||
allErrors = append(allErrors, fmt.Errorf("--requestheader-uid-headers is set without specifying the standard X-Remote-Uid header - API aggregation will not work"))
|
||||
}
|
||||
if len(s.GroupHeaders) > 0 && !caseInsensitiveHas(s.GroupHeaders, "X-Remote-Group") {
|
||||
klog.Warningf("--requestheader-group-headers is set without specifying the standard X-Remote-Group header - API aggregation will not work")
|
||||
}
|
||||
|
@ -95,6 +90,20 @@ func (s *RequestHeaderAuthenticationOptions) Validate() []error {
|
|||
klog.Warningf("--requestheader-extra-headers-prefix is set without specifying the standard X-Remote-Extra- header prefix - API aggregation will not work")
|
||||
}
|
||||
|
||||
if !utilfeature.DefaultFeatureGate.Enabled(features.RemoteRequestHeaderUID) {
|
||||
if len(s.UIDHeaders) > 0 {
|
||||
allErrors = append(allErrors, fmt.Errorf("--requestheader-uid-headers requires the %q feature to be enabled", features.RemoteRequestHeaderUID))
|
||||
}
|
||||
} else {
|
||||
if err := checkForWhiteSpaceOnly("requestheader-uid-headers", s.UIDHeaders...); err != nil {
|
||||
allErrors = append(allErrors, err)
|
||||
}
|
||||
if len(s.UIDHeaders) > 0 && !caseInsensitiveHas(s.UIDHeaders, "X-Remote-Uid") {
|
||||
// this was added later and so we are able to error out
|
||||
allErrors = append(allErrors, fmt.Errorf("--requestheader-uid-headers is set without specifying the standard X-Remote-Uid header - API aggregation will not work"))
|
||||
}
|
||||
}
|
||||
|
||||
return allErrors
|
||||
}
|
||||
|
||||
|
@ -126,7 +135,7 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
|||
"List of request headers to inspect for usernames. X-Remote-User is common.")
|
||||
|
||||
fs.StringSliceVar(&s.UIDHeaders, "requestheader-uid-headers", s.UIDHeaders, ""+
|
||||
"List of request headers to inspect for UIDs. X-Remote-Uid is suggested.")
|
||||
"List of request headers to inspect for UIDs. X-Remote-Uid is suggested. Requires the RemoteRequestHeaderUID feature to be enabled.")
|
||||
|
||||
fs.StringSliceVar(&s.GroupHeaders, "requestheader-group-headers", s.GroupHeaders, ""+
|
||||
"List of request headers to inspect for groups. X-Remote-Group is suggested.")
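Review bot: In Validate(), the RemoteRequestHeaderUID gate is enforced only by rejecting a non-empty --requestheader-uid-headers; nothing in the visible hunks stops s.UIDHeaders from reaching the authenticator config when the gate is off. If a caller builds the config without running Validate(), or the header names come from a source other than these flags, UIDs taken from request headers could still be honored. The config-building method (outside this section, not shown) should check the same gate, or a comment here should state that Validate() is the only enforcement point. Separately, the negated outer condition could be flipped to `if utilfeature.DefaultFeatureGate.Enabled(features.RemoteRequestHeaderUID) { … } else if len(s.UIDHeaders) > 0 { … }` to drop one nesting level. Validate() starts above the hunk, so its earlier checks are not visible here.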
|
||||
|
|