KEP-4193: bound service account token improvements

Kubernetes-commit: 76463e21d4dec90b4d49975b182a13e1fdb6b20a
2023-09-19 15:23:28 +01:00 · 2023-09-19 15:23:28 +01:00 · f2ba735b90
parent 96ed0730bb
commit f2ba735b90
2 changed files with 100 additions and 3 deletions
--- a/pkg/authentication/serviceaccount/util.go
+++ b/pkg/authentication/serviceaccount/util.go
@ -36,12 +36,21 @@ const (
 	ServiceAccountUsernameSeparator = ":"
 	ServiceAccountGroupPrefix       = "system:serviceaccounts:"
 	AllServiceAccountsGroup         = "system:serviceaccounts"
+	// CredentialIDKey is the key used in a user's "extra" to specify the unique
+	// identifier for this identity document).
+	CredentialIDKey = "authentication.kubernetes.io/credential-id"
 	// PodNameKey is the key used in a user's "extra" to specify the pod name of
 	// the authenticating request.
 	PodNameKey = "authentication.kubernetes.io/pod-name"
 	// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
 	// the authenticating request.
 	PodUIDKey = "authentication.kubernetes.io/pod-uid"
+	// NodeNameKey is the key used in a user's "extra" to specify the node name of
+	// the authenticating request.
+	NodeNameKey = "authentication.kubernetes.io/node-name"
+	// NodeUIDKey is the key used in a user's "extra" to specify the node UID of
+	// the authenticating request.
+	NodeUIDKey = "authentication.kubernetes.io/node-uid"
 )

 // MakeUsername generates a username from the given namespace and ServiceAccount name.
@ -119,6 +128,8 @@ func UserInfo(namespace, name, uid string) user.Info {
 type ServiceAccountInfo struct {
 	Name, Namespace, UID string
 	PodName, PodUID      string
+	CredentialID         string
+	NodeName, NodeUID    string
 }

 func (sa *ServiceAccountInfo) UserInfo() user.Info {
@ -127,15 +138,43 @@ func (sa *ServiceAccountInfo) UserInfo() user.Info {
 		UID:    sa.UID,
 		Groups: MakeGroupNames(sa.Namespace),
 	}
+
 	if sa.PodName != "" && sa.PodUID != "" {
-		info.Extra = map[string][]string{
-			PodNameKey: {sa.PodName},
-			PodUIDKey:  {sa.PodUID},
+		if info.Extra == nil {
+			info.Extra = make(map[string][]string)
+		}
+		info.Extra[PodNameKey] = []string{sa.PodName}
+		info.Extra[PodUIDKey] = []string{sa.PodUID}
+	}
+	if sa.CredentialID != "" {
+		if info.Extra == nil {
+			info.Extra = make(map[string][]string)
+		}
+		info.Extra[CredentialIDKey] = []string{sa.CredentialID}
+	}
+	if sa.NodeName != "" {
+		if info.Extra == nil {
+			info.Extra = make(map[string][]string)
+		}
+		info.Extra[NodeNameKey] = []string{sa.NodeName}
+		// node UID is optional and will only be set if the node name is set
+		if sa.NodeUID != "" {
+			info.Extra[NodeUIDKey] = []string{sa.NodeUID}
 		}
 	}
+
 	return info
 }

+// CredentialIDForJTI converts a given JTI string into a credential identifier for use in a
+// users 'extra' info.
+func CredentialIDForJTI(jti string) string {
+	if len(jti) == 0 {
+		return ""
+	}
+	return "JTI=" + jti
+}
+
 // IsServiceAccountToken returns true if the secret is a valid api token for the service account
 func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
 	if secret.Type != v1.SecretTypeServiceAccountToken {
--- a/pkg/authentication/serviceaccount/util_test.go
+++ b/pkg/authentication/serviceaccount/util_test.go
@ -17,12 +17,70 @@ limitations under the License.
 package serviceaccount

 import (
+	"reflect"
 	"testing"

 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/authentication/user"
 )

+func TestUserInfo(t *testing.T) {
+	tests := map[string]struct {
+		info             ServiceAccountInfo
+		expectedUserInfo *user.DefaultInfo
+	}{
+		"extracts pod name/uid": {
+			info: ServiceAccountInfo{Name: "name", Namespace: "ns", PodName: "test", PodUID: "uid"},
+			expectedUserInfo: &user.DefaultInfo{
+				Name:   "system:serviceaccount:ns:name",
+				Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ns"},
+				Extra: map[string][]string{
+					"authentication.kubernetes.io/pod-name": {"test"},
+					"authentication.kubernetes.io/pod-uid":  {"uid"},
+				},
+			},
+		},
+		"extracts node name/uid": {
+			info: ServiceAccountInfo{Name: "name", Namespace: "ns", NodeName: "test", NodeUID: "uid"},
+			expectedUserInfo: &user.DefaultInfo{
+				Name:   "system:serviceaccount:ns:name",
+				Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ns"},
+				Extra: map[string][]string{
+					"authentication.kubernetes.io/node-name": {"test"},
+					"authentication.kubernetes.io/node-uid":  {"uid"},
+				},
+			},
+		},
+		"extracts node name only": {
+			info: ServiceAccountInfo{Name: "name", Namespace: "ns", NodeName: "test"},
+			expectedUserInfo: &user.DefaultInfo{
+				Name:   "system:serviceaccount:ns:name",
+				Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ns"},
+				Extra: map[string][]string{
+					"authentication.kubernetes.io/node-name": {"test"},
+				},
+			},
+		},
+		"does not extract node UID if name is not set": {
+			info: ServiceAccountInfo{Name: "name", Namespace: "ns", NodeUID: "test"},
+			expectedUserInfo: &user.DefaultInfo{
+				Name:   "system:serviceaccount:ns:name",
+				Groups: []string{"system:serviceaccounts", "system:serviceaccounts:ns"},
+			},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			userInfo := test.info.UserInfo()
+			if !reflect.DeepEqual(userInfo, test.expectedUserInfo) {
+				t.Errorf("expected %#v but got %#v", test.expectedUserInfo, userInfo)
+			}
+		})
+	}
+}
+
 func TestMakeUsername(t *testing.T) {

 	testCases := map[string]struct {