From 893742fb323184a34cf1b636a90dc5f6d3a96c9f Mon Sep 17 00:00:00 2001
From: Jeremy Mathevet
Date: Thu, 7 Feb 2019 18:00:18 +0000
Subject: [PATCH] kube-apiserver: Add oidc-required-claim flag
---
 docs/cluster_spec.md | 3 ++-
 pkg/apis/kops/componentconfig.go | 4 ++++
 pkg/apis/kops/v1alpha1/componentconfig.go | 4 ++++
 pkg/apis/kops/v1alpha1/zz_generated.conversion.go | 2 ++
 pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 pkg/apis/kops/v1alpha2/componentconfig.go | 4 ++++
 pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++
 pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go | 5 +++++
 pkg/apis/kops/zz_generated.deepcopy.go | 5 +++++
 9 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
index fea8a8c8ff..10d43206af 100644
--- a/docs/cluster_spec.md
+++ b/docs/cluster_spec.md
@@ -198,7 +198,8 @@ spec:
 oidcGroupsClaim: user_roles
 oidcGroupsPrefix: "oidc:"
 oidcCAFile: /etc/kubernetes/ssl/kc-ca.pem
-
+ oidcRequiredClaim:
+ - "key=value"
 ```
 #### audit logging
diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 3dc00694b3..02b3dedfd7 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -318,6 +318,10 @@ type KubeAPIServerConfig struct {
 // OIDCClientID is the client ID for the OpenID Connect client, must be set
 // if oidc-issuer-url is set.
 OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
+ // A key=value pair that describes a required claim in the ID Token.
+ // If set, the claim is verified to be present in the ID Token with a matching value.
+ // Repeat this flag to specify multiple claims.
+ OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
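Review bot: The doc comment on the new OIDCRequiredClaim field does not begin with the field name, unlike the neighbouring OIDCClientID and OIDCCAFile comments, so the generated API reference will present it out of convention; suggest `// OIDCRequiredClaim is a list of key=value pairs, each describing a claim that must be present in the ID Token with exactly that value.` as the first line, keeping the sentence about repeating the flag. The identical comment is pasted into the v1alpha1 and v1alpha2 componentconfig.go hunks, so the same change applies there. Nothing in this patch checks that each entry has the key=value shape before it is rendered as a repeated --oidc-required-claim flag (the diffstat touches no validation file), so a malformed entry would presumably only surface when kube-apiserver rejects its flags at start-up; a validation rule in the API package would make this authorization control fail at `kops validate` time instead of at control-plane restart. The KubeAPIServerConfig struct starts and ends outside the hunk.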
diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
index 9e987a893b..a546672e80 100644
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -318,6 +318,10 @@ type KubeAPIServerConfig struct {
 // OIDCClientID is the client ID for the OpenID Connect client, must be set
 // if oidc-issuer-url is set.
 OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
+ // A key=value pair that describes a required claim in the ID Token.
+ // If set, the claim is verified to be present in the ID Token with a matching value.
+ // Repeat this flag to specify multiple claims.
+ OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 2b1d0500d3..696084f56f 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -2909,6 +2909,7 @@ func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.OIDCGroupsPrefix = in.OIDCGroupsPrefix out.OIDCIssuerURL = in.OIDCIssuerURL out.OIDCClientID = in.OIDCClientID + out.OIDCRequiredClaim = in.OIDCRequiredClaim out.OIDCCAFile = in.OIDCCAFile out.ProxyClientCertFile = in.ProxyClientCertFile out.ProxyClientKeyFile = in.ProxyClientKeyFile
@@ -2983,6 +2984,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *ko out.OIDCGroupsPrefix = in.OIDCGroupsPrefix out.OIDCIssuerURL = in.OIDCIssuerURL out.OIDCClientID = in.OIDCClientID + out.OIDCRequiredClaim = in.OIDCRequiredClaim out.OIDCCAFile = in.OIDCCAFile out.ProxyClientCertFile = in.ProxyClientCertFile out.ProxyClientKeyFile = in.ProxyClientKeyFile
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
index 7ea7a686af..0c9189a6a0 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go
@@ -1644,6 +1644,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = new(string) **out = **in } + if in.OIDCRequiredClaim != nil { + in, out := &in.OIDCRequiredClaim, &out.OIDCRequiredClaim + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.OIDCCAFile != nil { in, out := &in.OIDCCAFile, &out.OIDCCAFile *out = new(string)
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
index ccd79a3df8..a85ec07593 100644
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -318,6 +318,10 @@ type KubeAPIServerConfig struct {
 // OIDCClientID is the client ID for the OpenID Connect client, must be set
 // if oidc-issuer-url is set.
 OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
+ // A key=value pair that describes a required claim in the ID Token.
+ // If set, the claim is verified to be present in the ID Token with a matching value.
+ // Repeat this flag to specify multiple claims.
+ OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index a7c228abcb..e1e27d477b 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -3179,6 +3179,7 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.OIDCGroupsPrefix = in.OIDCGroupsPrefix out.OIDCIssuerURL = in.OIDCIssuerURL out.OIDCClientID = in.OIDCClientID + out.OIDCRequiredClaim = in.OIDCRequiredClaim out.OIDCCAFile = in.OIDCCAFile out.ProxyClientCertFile = in.ProxyClientCertFile out.ProxyClientKeyFile = in.ProxyClientKeyFile
@@ -3253,6 +3254,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko out.OIDCGroupsPrefix = in.OIDCGroupsPrefix out.OIDCIssuerURL = in.OIDCIssuerURL out.OIDCClientID = in.OIDCClientID + out.OIDCRequiredClaim = in.OIDCRequiredClaim out.OIDCCAFile = in.OIDCCAFile out.ProxyClientCertFile = in.ProxyClientCertFile out.ProxyClientKeyFile = in.ProxyClientKeyFile
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
index 7aef11a77e..ab22da88e6 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go
@@ -1715,6 +1715,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = new(string) **out = **in } + if in.OIDCRequiredClaim != nil { + in, out := &in.OIDCRequiredClaim, &out.OIDCRequiredClaim + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.OIDCCAFile != nil { in, out := &in.OIDCCAFile, &out.OIDCCAFile *out = new(string)
diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go
index baaf8f7380..5045fe4a4b 100644
--- a/pkg/apis/kops/zz_generated.deepcopy.go
+++ b/pkg/apis/kops/zz_generated.deepcopy.go
@@ -1897,6 +1897,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { *out = new(string) **out = **in } + if in.OIDCRequiredClaim != nil { + in, out := &in.OIDCRequiredClaim, &out.OIDCRequiredClaim + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.OIDCCAFile != nil { in, out := &in.OIDCCAFile, &out.OIDCCAFile *out = new(string)