KEP-4193: bound service account token improvements

Kubernetes-commit: 76463e21d4dec90b4d49975b182a13e1fdb6b20a
2023-09-19 15:23:28 +01:00 · 2023-09-19 15:23:28 +01:00 · 468fb1fd0c
parent 5a39ea02a1
commit 468fb1fd0c
2 changed files with 50 additions and 6 deletions
--- a/pkg/cmd/create/create_token.go
+++ b/pkg/cmd/create/create_token.go
@ -19,6 +19,7 @@ package create
 import (
 	"context"
 	"fmt"
+	"os"
 	"strings"
 	"time"

@ -96,12 +97,18 @@ var (
 		# Request a token bound to an instance of a Secret object with a specific UID
 		kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc
 `)
+)

-	boundObjectKindToAPIVersion = map[string]string{
+func boundObjectKindToAPIVersions() map[string]string {
+	kinds := map[string]string{
 		"Pod":    "v1",
 		"Secret": "v1",
 	}
-)
+	if os.Getenv("KUBECTL_NODE_BOUND_TOKENS") == "true" {
+		kinds["Node"] = "v1"
+	}
+	return kinds
+}

 func NewTokenOpts(ioStreams genericiooptions.IOStreams) *TokenOptions {
 	return &TokenOptions{
@ -144,7 +151,7 @@ func NewCmdCreateToken(f cmdutil.Factory, ioStreams genericiooptions.IOStreams)
 	cmd.Flags().DurationVar(&o.Duration, "duration", o.Duration, "Requested lifetime of the issued token. If not set, the lifetime will be determined by the server automatically. The server may return a token with a longer or shorter lifetime.")

 	cmd.Flags().StringVar(&o.BoundObjectKind, "bound-object-kind", o.BoundObjectKind, "Kind of an object to bind the token to. "+
-		"Supported kinds are "+strings.Join(sets.StringKeySet(boundObjectKindToAPIVersion).List(), ", ")+". "+
+		"Supported kinds are "+strings.Join(sets.StringKeySet(boundObjectKindToAPIVersions()).List(), ", ")+". "+
 		"If set, --bound-object-name must be provided.")
 	cmd.Flags().StringVar(&o.BoundObjectName, "bound-object-name", o.BoundObjectName, "Name of an object to bind the token to. "+
 		"The token will expire when the object is deleted. "+
@ -221,8 +228,8 @@ func (o *TokenOptions) Validate() error {
 			return fmt.Errorf("--bound-object-uid can only be set if --bound-object-kind is provided")
 		}
 	} else {
-		if _, ok := boundObjectKindToAPIVersion[o.BoundObjectKind]; !ok {
-			return fmt.Errorf("supported --bound-object-kind values are %s", strings.Join(sets.StringKeySet(boundObjectKindToAPIVersion).List(), ", "))
+		if _, ok := boundObjectKindToAPIVersions()[o.BoundObjectKind]; !ok {
+			return fmt.Errorf("supported --bound-object-kind values are %s", strings.Join(sets.StringKeySet(boundObjectKindToAPIVersions()).List(), ", "))
 		}
 		if len(o.BoundObjectName) == 0 {
 			return fmt.Errorf("--bound-object-name is required if --bound-object-kind is provided")
@ -245,7 +252,7 @@ func (o *TokenOptions) Run() error {
 	if len(o.BoundObjectKind) > 0 {
 		request.Spec.BoundObjectRef = &authenticationv1.BoundObjectReference{
 			Kind:       o.BoundObjectKind,
-			APIVersion: boundObjectKindToAPIVersion[o.BoundObjectKind],
+			APIVersion: boundObjectKindToAPIVersions()[o.BoundObjectKind],
 			Name:       o.BoundObjectName,
 			UID:        types.UID(o.BoundObjectUID),
 		}
--- a/pkg/cmd/create/create_token_test.go
+++ b/pkg/cmd/create/create_token_test.go
@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"os"
 	"reflect"
 	"testing"
 	"time"
@ -53,6 +54,8 @@ func TestCreateToken(t *testing.T) {
 		audiences       []string
 		duration        time.Duration

+		enableNodeBindingFeature bool
+
 		serverResponseToken string
 		serverResponseError string

@ -117,6 +120,13 @@ status:
 			boundObjectKind: "Foo",
 			expectStderr:    `error: supported --bound-object-kind values are Pod, Secret`,
 		},
+		{
+			test:                     "bad bound object kind (node feature enabled)",
+			name:                     "mysa",
+			enableNodeBindingFeature: true,
+			boundObjectKind:          "Foo",
+			expectStderr:             `error: supported --bound-object-kind values are Node, Pod, Secret`,
+		},
 		{
 			test:            "missing bound object name",
 			name:            "mysa",
@ -158,7 +168,30 @@ status:
 			serverResponseToken: "abc",
 			expectStdout:        "abc",
 		},
+		{
+			test: "valid bound object (Node)",
+			name: "mysa",

+			enableNodeBindingFeature: true,
+			boundObjectKind:          "Node",
+			boundObjectName:          "mynode",
+			boundObjectUID:           "myuid",
+
+			expectRequestPath: "/api/v1/namespaces/test/serviceaccounts/mysa/token",
+			expectTokenRequest: &authenticationv1.TokenRequest{
+				TypeMeta: metav1.TypeMeta{APIVersion: "authentication.k8s.io/v1", Kind: "TokenRequest"},
+				Spec: authenticationv1.TokenRequestSpec{
+					BoundObjectRef: &authenticationv1.BoundObjectReference{
+						Kind:       "Node",
+						APIVersion: "v1",
+						Name:       "mynode",
+						UID:        "myuid",
+					},
+				},
+			},
+			serverResponseToken: "abc",
+			expectStdout:        "abc",
+		},
 		{
 			test:         "invalid audience",
 			name:         "mysa",
@ -319,6 +352,10 @@ status:
 			if test.duration != 0 {
 				cmd.Flags().Set("duration", test.duration.String())
 			}
+			if test.enableNodeBindingFeature {
+				os.Setenv("KUBECTL_NODE_BOUND_TOKENS", "true")
+				defer os.Unsetenv("KUBECTL_NODE_BOUND_TOKENS")
+			}
 			cmd.Run(cmd, []string{test.name})

 			if !reflect.DeepEqual(tokenRequest, test.expectTokenRequest) {