Delete anonymous auth

55c43461 · Darren Shepherd · Erik Wilson · 0f6eeb05 · 55c43461 · 55c43461
Commit 55c43461 authored 6 years ago by Darren Shepherd Committed by Erik Wilson 5 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 1 addition and 182 deletions
+1 -182
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
 // BuildAuthn creates an authenticator compatible with the kubelet's needs
 func BuildAuthn(client authenticationclient.TokenReviewInterface, authn kubeletconfig.KubeletAuthentication) (authenticator.Request, error) {
 	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
-		Anonymous:    authn.Anonymous.Enabled,
 		CacheTTL:     authn.Webhook.CacheTTL.Duration,
 		ClientCAFile: authn.X509.ClientCAFile,
 	}

--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -22,7 +22,6 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authentication/group"
-	"k8s.io/apiserver/pkg/authentication/request/anonymous"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	"k8s.io/apiserver/pkg/authentication/request/union"
@@ -46,7 +45,6 @@ import (

 // Config contains the data on how to authenticate a request to the Kube API Server
 type Config struct {
-	Anonymous                   bool
 	BasicAuthFile               string
 	ClientCAFile                string
 	TokenAuthFile               string
@@ -147,9 +145,6 @@ func (config Config) New() (authenticator.Request, error) {
 	}

 	if len(authenticators) == 0 {
-		if config.Anonymous {
-			return anonymous.NewAuthenticator(), nil
-		}
 		return nil, nil
 	}

@@ -157,12 +152,6 @@ func (config Config) New() (authenticator.Request, error) {

 	authenticator = group.NewAuthenticatedGroupAdder(authenticator)

-	if config.Anonymous {
-		// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
-		// or invalid username/password combination anonymous).
-		authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
-	}
-
 	return authenticator, nil
 }


--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -25,17 +25,14 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/klog"

-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )

 type BuiltInAuthenticationOptions struct {
 	APIAudiences    []string
-	Anonymous       *AnonymousAuthenticationOptions
 	ClientCert      *genericoptions.ClientCertAuthenticationOptions
 	PasswordFile    *PasswordFileAuthenticationOptions
 	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
@@ -47,10 +44,6 @@ type BuiltInAuthenticationOptions struct {
 	TokenFailureCacheTTL time.Duration
 }

-type AnonymousAuthenticationOptions struct {
-	Allow bool
-}
-
 type PasswordFileAuthenticationOptions struct {
 	BasicAuthFile string
 }
@@ -80,7 +73,6 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {

 func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 	return s.
-		WithAnonymous().
 		WithClientCert().
 		WithPasswordFile().
 		WithRequestHeader().
@@ -89,11 +81,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 		WithWebHook()
 }

-func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
-	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
-	return s
-}
-
 func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
 	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
 	return s
@@ -146,13 +133,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 		"--service-account-issuer flag is configured and this flag is not, this field "+
 		"defaults to a single element list containing the issuer URL .")

-	if s.Anonymous != nil {
-		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
-			"Enables anonymous requests to the secure port of the API server. "+
-			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
-			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
-	}
-
 	if s.ClientCert != nil {
 		s.ClientCert.AddFlags(fs)
 	}
@@ -215,10 +195,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
 		TokenFailureCacheTTL: s.TokenFailureCacheTTL,
 	}

-	if s.Anonymous != nil {
-		ret.Anonymous = s.Anonymous.Allow
-	}
-
 	if s.ClientCert != nil {
 		ret.ClientCAFile = s.ClientCert.ClientCA
 	}
@@ -291,14 +267,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error

 // ApplyAuthorization will conditionally modify the authentication options based on the authorization options
 func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
-	if o == nil || authorization == nil || o.Anonymous == nil {
+	if o == nil || authorization == nil {
 		return
 	}
-
-	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
-	// in such a case the AnonymousAuth is stomped to false and you get a message
-	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
-		klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
-		o.Anonymous.Allow = false
-	}
 }
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@@ -23,7 +23,6 @@ import (

 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/group"
-	"k8s.io/apiserver/pkg/authentication/request/anonymous"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	unionauth "k8s.io/apiserver/pkg/authentication/request/union"
@@ -38,8 +37,6 @@ import (
 // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
 // built to delegate authentication to a kube API server
 type DelegatingAuthenticatorConfig struct {
-	Anonymous bool
-
 	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
 	TokenAccessReviewClient authenticationclient.TokenReviewInterface

@@ -94,15 +91,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
 	}

 	if len(authenticators) == 0 {
-		if c.Anonymous {
-			return anonymous.NewAuthenticator(), nil
-		}
 		return nil, errors.New("No authentication method configured")
 	}

 	authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...))
-	if c.Anonymous {
-		authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
-	}
 	return authenticator, nil
 }
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["anonymous_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-    ],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["anonymous.go"],
-    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
-    importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
-    deps = [
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
-	"net/http"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-const (
-	anonymousUser = user.Anonymous
-
-	unauthenticatedGroup = user.AllUnauthenticated
-)
-
-func NewAuthenticator() authenticator.Request {
-	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
-		auds, _ := authenticator.AudiencesFrom(req.Context())
-		return &authenticator.Response{
-			User: &user.DefaultInfo{
-				Name:   anonymousUser,
-				Groups: []string{unauthenticatedGroup},
-			},
-			Audiences: auds,
-		}, true, nil
-	})
-}
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
-	"net/http"
-	"testing"
-
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-func TestAnonymous(t *testing.T) {
-	var a authenticator.Request = NewAuthenticator()
-	r, ok, err := a.AuthenticateRequest(&http.Request{})
-	if err != nil {
-		t.Fatalf("Unexpected error %v", err)
-	}
-	if !ok {
-		t.Fatalf("Unexpectedly unauthenticated")
-	}
-	if r.User.GetName() != user.Anonymous {
-		t.Fatalf("Expected username %s, got %s", user.Anonymous, r.User.GetName())
-	}
-	if !sets.NewString(r.User.GetGroups()...).Equal(sets.NewString(user.AllUnauthenticated)) {
-		t.Fatalf("Expected group %s, got %v", user.AllUnauthenticated, r.User.GetGroups())
-	}
-}
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -176,7 +176,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
 	}

 	cfg := authenticatorfactory.DelegatingAuthenticatorConfig{
-		Anonymous: true,
 		CacheTTL:  s.CacheTTL,
 	}