add tokenreviews endpoint to implement webhook #28788
Conversation
deads2k
force-pushed
the
wire-authentication
branch
2 times, most recently
from
e8fa1dc to
40fee80
Compare
k8s-github-robot
added
kind/api-change
deads2k
force-pushed
the
wire-authentication
branch
from
40fee80 to
9689774
Compare
|
The package had to move to make client generation work, which need to be generate to have kubectl available to call create. |
k8s-github-robot
added
kind/api-change
| ) | ||
|
|
||
| type REST struct { | ||
| tokenAuthenticator authenticator.Request |
There was a problem hiding this comment.
@kubernetes/kube-iam I was torn about this. We have an unknown number of token authenticators that are included in the Authentication chain. I could plumb through a set of union token authentications down through the masterconfig that are required to operate the same way as the authentication chain or I could create a fake request that only has a bearer token and count on the existing chain to do the right thing.
I chose to make the fake request, figuring it was easier to get right. My only concern is about whether some authenticator does weird things with requests it doesn't recognize.
deads2k
force-pushed
the
wire-authentication
branch
from
9689774 to
45fae76
Compare
|
Out of curiosity, why odes this one API have "k8s.io" in the name? |
API groups were supposed to dns names so that they'd namespace nicely (like a java package) with prioritized completion for the CLI tooling. We have The package folders were going to follow that, but there were some generator problems that were easier to resolve by eliminating the dots. |
deads2k
force-pushed
the
wire-authentication
branch
3 times, most recently
from
75f4f59 to
28ca5b1
Compare
k8s-github-robot
added
size/XXL
|
@kubernetes/sig-cluster-federation |
deads2k
force-pushed
the
wire-authentication
branch
from
28ca5b1 to
91a13dd
Compare
|
@smarterclayton I need help with protobuf, tests complained about not having it, but the generator seems decidedly unhappy about |
|
Yes there's an issue open. The optional protobuf work supports it - we On Tue, Jul 12, 2016 at 3:02 PM, Kubernetes Bot notifications@github.com
|
k8s-github-robot
added
the
needs-rebase
|
comments addressed, now with happy generated code. |
|
CJ okayed via side channel. |
|
API looks good. LGTM |
erictune
added
the
lgtm
|
@stts thank you for the careful code review. |
k8s-github-robot
removed
the
lgtm
liggitt
added
release-note
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 2256c6e. |
|
Automatic merge from submit-queue |
|
It seems that this PR broke GKE. After this PR was merged, I'm seeing a bunch of logs like these: I'm going to revert this one to fix the merge-queue. Link to failure: |
|
The interesting thing here is that GKE smoke tests passed. There might be some issue with testing infrastructure. @kubernetes/test-infra-maintainers |
|
FYI - reverting the PR helped. It seems to me that GKE smoke tests are not catching what they are supposed to catch. What are they actually doing? |
|
@kubernetes/test-infra-maintainers @kubernetes/goog-gke - since it was failing in verify-cluster, it clearly means that GKE smoke tests are configured differently than all other suites. This should be fixed. |
| // TokenReview attempts to authenticate a token to a known user. | ||
| type TokenReview struct { | ||
| unversioned.TypeMeta | ||
| // ObjectMeta fulfills the meta.ObjectMetaAccessor interface so that the stock | ||
| // REST handler paths work | ||
| api.ObjectMeta |
There was a problem hiding this comment.
I don't have the logs to prove it, but I think that these additional fields are choking up our deserialization on the GKE server side. I'll see what we can do about that.
There was a problem hiding this comment.
I don't have the logs to prove it, but I think that these additional fields are choking up our deserialization on the GKE server side. I'll see what we can do about that.
Thanks, let me know?
There was a problem hiding this comment.
Confirmed that we do strict field checking on our side. I either need to figure out if we can turn that off, or add all of the fields from ObjectMeta to our server-side TokenReview representation.
Why does this PR add api.ObjectMeta to the TokenReview, but #20573 doesn't add it to SubjectAccessReview?
There was a problem hiding this comment.
Why does this PR add api.ObjectMeta to the TokenReview, but #20573 doesn't add it to SubjectAccessReview?
When I did the SAR long ago it wasn't used. I'll probably have to add it there too.
There was a problem hiding this comment.
@cjcullen any word on making the token review more tolerant?
Automatic merge from submit-queue Token review endpoint Unrevert of #28788, which was rolled back because of #29375 @cjcullen @wojtek-t I'd like to remerge if possible. Have we gotten the field checking mentioned here relaxed? #28788 (comment)
Automatic merge from submit-queue Token review endpoint Unrevert of #28788, which was rolled back because of kubernetes/kubernetes#29375 @cjcullen @wojtek-t I'd like to remerge if possible. Have we gotten the field checking mentioned here relaxed? kubernetes/kubernetes#28788 (comment)
|
@deads2k not every file under
Or is there another command besides |
|
@lavalamp @wojtek-t @caesarxuchao any thoughts on that? I noticed there are other files that were hand-crafted. Or at least I could not find any template for them under
I can open an issue on that if it makes sense or there is not already one for "not every file under clientset_generated is generated". |
The expansions are there for the specific purpose of being hand crafted. |
|
Right. Will comments in expansion files and doc.go be enough to make clear these are not generated? I can send a PR to do that. |
|
@deads2k thanks. I can confirm that by observation. Found 21 files under @caesarxuchao that would be great. Could the generator ( |
Wires up an API resource under
apis/authentication.k8s.io/v1beta1to expose the webhook token authentication API as an API resource. This allows one API server to use another for authentication and uses existing policy engines for the "authoritative" API server to controller access to the endpoint.@cjcullen you wrote the initial type