Add manual opt-in for legacy service account tokens #357
Conversation
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
ffdc6c1 to
a9c2ea9
Compare
kramaranya
changed the title
|
/lgtm |
|
@kramaranya, I think we have an audience token test, right? we might be able to drop it, if we do not have any tests without audience set, right? Maybe we could have a negative test case then, that the server fails if it isn't set? |
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
b11a610 to
f44889c
Compare
@ibihim If I understood you correctly, I've already added a negative test for this scenario (empty audiences when legacy tokens are not allowed) -- https://github.com/brancz/kube-rbac-proxy/pull/357/files#diff-770d985644314c26e2d1c0e8fb70e4714408a9888a4e2749a633144697201bacR191-R203 |
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
f44889c to
a8e9da6
Compare
test/e2e/basics.go
Outdated
| ), | ||
| ), | ||
| Then: kubetest.Actions( | ||
| kubetest.ClientSucceeds( |
There was a problem hiding this comment.
You're attempting to use a legacy token but the proxy does is not supposed to accept these in this case. This should fail.
test/e2e/basics.go
Outdated
| kubetest.ClientSucceeds( | ||
| client, | ||
| legacyCommand, | ||
| &kubetest.RunOptions{TokenAudience: "kube-rbac-proxy"}, |
There was a problem hiding this comment.
we don't need the options in this case, right?
test/e2e/basics.go
Outdated
| kubetest.ClientSucceeds( | ||
| client, | ||
| command, | ||
| &kubetest.RunOptions{TokenAudience: ""}, |
There was a problem hiding this comment.
This is equal to it being nil, right?
test/e2e/basics.go
Outdated
|
|
||
| func testLegacyTokenFlag(client kubernetes.Interface) kubetest.TestSuite { | ||
| return func(t *testing.T) { | ||
| legacyCommand := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` |
There was a problem hiding this comment.
/var/run/secrets/tokens/requestedtoken does not actually house the legacy tokens. The below code appears to be creating such tokens:
kube-rbac-proxy/test/kubetest/kubernetes.go
Lines 524 to 544 in 670377f
We may actually want to rename the directory from /var/run/secrets/tokens to something else, like /var/run/projected/tokens, I personally find it a bit confusing.
You'll have to follow https://kubernetes.io/docs/concepts/configuration/secret/#serviceaccount-token-secrets to create a token secret along with your other manifests. Use a different directory than for the short-lived SA tokens so that we can distinguish these two in tests.
| func testLegacyTokenFlag(client kubernetes.Interface) kubetest.TestSuite { | ||
| return func(t *testing.T) { | ||
| legacyCommand := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` | ||
| command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` |
There was a problem hiding this comment.
I think this command should actually have /var/run/secrets/tokens/requestedtoken as an input for the token
There was a problem hiding this comment.
The LegacyAllowedNoAudience test checks a scenario with no audience set. But /var/run/secrets/tokens/requestedtoken sets an audience, so it wouldn't match our no-audience case.
kube-rbac-proxy/test/kubetest/kubernetes.go
Lines 524 to 532 in 670377f
That's why I use the default token
/var/run/secrets/kubernetes.io/serviceaccount/token instead.
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
2 times, most recently
from
dcf81c3 to
37debda
Compare
Signed-off-by: kramaranya <[email protected]>
Signed-off-by: kramaranya <[email protected]>
Signed-off-by: kramaranya <[email protected]>
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
37debda to
6d1f5e5
Compare
Fixes #336