Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Webhook Token Authenticator #24902

Merged
merged 2 commits into from
May 12, 2016
Merged

Webhook Token Authenticator #24902

merged 2 commits into from
May 12, 2016

Conversation

cjcullen
Copy link
Member

Add a webhook token authenticator plugin to allow a remote service to make authentication decisions.

@cjcullen
Copy link
Member Author

@ericchiang @bobbyrullo @erictune @deads2k

Mostly in an RFC state right now. I want something exactly like the webhook authorizer, but for token authn.

@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/new-api size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 28, 2016
smarterclayton
smarterclayton reviewed Apr 28, 2016
View reviewed changes
plugin/pkg/webhook/webhook.go
if err != nil {
return nil, err
}
serializer := json.NewSerializer(json.DefaultMetaFactory, api.Scheme, runtime.ObjectTyperToTyper(api.Scheme), false)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

api.Codecs.LegacyCodec(groupVersions...) would be equivalent, unless you had a concrete reason to init your own

Copy link
Member Author

@cjcullen cjcullen Apr 28, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just pulled this over from the webhook authorizer. I can change it to use the LegacyCodec if that is a better approach.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, anyone doing json.NewSerializer like the should be using LegacyCodec

  • very few people should ever be using anything except a)
    NegotiatedSerializer or b) api.Codecs.LegacyCodec()

On Thu, Apr 28, 2016 at 5:58 PM, CJ Cullen notifications@github.com wrote:

In plugin/pkg/webhook/webhook.go
#24902 (comment)
:

+func NewGenericWebhook(kubeConfigFile string, groupVersions []unversioned.GroupVersion) (*GenericWebhook, error) {

  • for _, groupVersion := range groupVersions {
  •   if !registered.IsEnabledVersion(groupVersion) {

  •       return nil, fmt.Errorf("webhook plugin requires enabling extension resource: %s", groupVersion)

  •   }
  • }
  • loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
  • loadingRules.ExplicitPath = kubeConfigFile
  • loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
  • clientConfig, err := loader.ClientConfig()
  • if err != nil {
  •   return nil, err
  • }
  • serializer := json.NewSerializer(json.DefaultMetaFactory, api.Scheme, runtime.ObjectTyperToTyper(api.Scheme), false)

I just pulled this over from the webhook authorizer. I can change it to
use the LegacyCode if that is a better approach.


You are receiving this because you were assigned.
Reply to this email directly or view it on GitHub
https://github.com/kubernetes/kubernetes/pull/24902/files/765d75020629d41818092cba9da5d6a1c4ee3287#r61509591

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

deads2k
deads2k reviewed Apr 28, 2016
View reviewed changes
pkg/apis/authentication/register.go
)

// GroupName is the group name use in this package
const GroupName = "authentication.k8s.io"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to play nice with the client generators, I'm pretty sure you have to put it in a folder called pkg/apis/authentication.k8s.io I'm having to make that change for authorization.k8s.io in a different pull.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@deads2k
Copy link
Contributor

deads2k commented Apr 28, 2016

I like it, but I'd like to see some tests that actually set up the configuration and confirm it works in the same pull that adds the external option. I'm fine merging pulls working up to it without the full check as long as they don't add the option to commands.

@cjcullen
Copy link
Member Author

I'll add tests (including some sort of integration test) to this PR. I just wanted to make sure I'm on the right track first.

erictune
erictune reviewed Apr 29, 2016
View reviewed changes
plugin/pkg/webhook/webhook.go
limitations under the License.
*/

// Package webhook implements the authorizer.Authorizer interface using HTTP webhooks.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment needs update after refactor.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 29, 2016
@cjcullen cjcullen added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Apr 29, 2016
@cjcullen cjcullen force-pushed the webhookAuthn branch 3 times, most recently from e6228a5 to eaf367a Compare April 30, 2016 00:11
@cjcullen
Copy link
Member Author

Fixed up the first round of comments. Leaving the WIP tag on here until I add tests.

@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 30, 2016
@cjcullen cjcullen force-pushed the webhookAuthn branch 2 times, most recently from 8716b72 to bb79bf7 Compare May 4, 2016 00:56
@k8s-github-robot k8s-github-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 4, 2016
@cjcullen cjcullen changed the title WIP: Webhook Token Authenticator Webhook Token Authenticator May 4, 2016
@cjcullen cjcullen added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 9, 2016
@erictune erictune mentioned this pull request May 9, 2016
Closed
@cjcullen cjcullen mentioned this pull request May 9, 2016
Closed
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 10, 2016
@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 10, 2016
@cjcullen cjcullen added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 10, 2016
@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels May 10, 2016
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 10, 2016
@cjcullen
Copy link
Member Author

I changed TokenReview.User.Name to TokenReview.User.Username. Apparently "Name" should only be used for the actual name of the REST resource.

@k8s-bot
Copy link

k8s-bot commented May 10, 2016

GCE e2e build/test passed for commit eb3b0e7.

@cjcullen cjcullen added lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels May 10, 2016
@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-bot
Copy link

k8s-bot commented May 12, 2016

GCE e2e build/test passed for commit eb3b0e7.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 0ef4c64 into kubernetes:master May 12, 2016
@deads2k deads2k mentioned this pull request May 20, 2016
Closed
@liggitt liggitt mentioned this pull request May 20, 2016
Merged
@xiaochunyn
Copy link

Under what circumstance will invoke "webhook" to implements authorization and authentication, and where can I find it in source code? Thanks

@erictune
Copy link
Member

erictune commented Jul 7, 2016

@xiaochunyn http://kubernetes.io/docs/admin/authorization/ and https://github.com/kubernetes/kubernetes/blob/f2ddd60eb9e7e9e29f7a105a9a8fa020042e8e52/plugin/pkg/auth/authenticator/token/webhook/webhook.go

@erictune
Copy link
Member

erictune commented Jul 7, 2016

webhook authenticator is not yet documented here:
http://kubernetes.io/docs/admin/authentication/ but between that and the source code you should be able to figure out how to use it.

@deads2k deads2k mentioned this pull request Jul 12, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@deads2k deads2k

Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@cjcullen @deads2k @k8s-github-robot @k8s-bot @xiaochunyn @erictune @lavalamp @smarterclayton @googlebot