From 55c4346120919b583c43d83354fd8c07f384cd1a Mon Sep 17 00:00:00 2001
From: Darren Shepherd <darren@rancher.com>
Date: Mon, 8 Oct 2018 00:27:37 -0700
Subject: [PATCH] Delete anonymous auth

---
 cmd/kubelet/app/auth.go                       |  1 -
 pkg/kubeapiserver/authenticator/config.go     | 11 -----
 pkg/kubeapiserver/options/authentication.go   | 33 +-------------
 .../authenticatorfactory/delegating.go        |  9 ----
 .../authentication/request/anonymous/BUILD    | 42 ------------------
 .../request/anonymous/anonymous.go            | 43 -------------------
 .../request/anonymous/anonymous_test.go       | 43 -------------------
 .../pkg/server/options/authentication.go      |  1 -
 8 files changed, 1 insertion(+), 182 deletions(-)
 delete mode 100644 staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
 delete mode 100644 staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
 delete mode 100644 staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go

diff --git a/cmd/kubelet/app/auth.go b/cmd/kubelet/app/auth.go
index d882c212af..374b3c03cc 100644
--- a/cmd/kubelet/app/auth.go
+++ b/cmd/kubelet/app/auth.go
@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
 // BuildAuthn creates an authenticator compatible with the kubelet's needs
 func BuildAuthn(client authenticationclient.TokenReviewInterface, authn kubeletconfig.KubeletAuthentication) (authenticator.Request, error) {
 	authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
-		Anonymous:    authn.Anonymous.Enabled,
 		CacheTTL:     authn.Webhook.CacheTTL.Duration,
 		ClientCAFile: authn.X509.ClientCAFile,
 	}
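Review bot: Dropping the `Anonymous` field from the config literal leaves `authn.Anonymous.Enabled` in the kubelet configuration type, which this patch does not touch, so a kubelet configured with anonymous auth enabled now silently builds a different authenticator chain with no signal to the operator. An explicit rejection at the top of BuildAuthn, e.g. `if authn.Anonymous.Enabled { return nil, errors.New("anonymous authentication is no longer supported") }`, or at minimum a logged warning, would make the removal visible where the setting is consumed. BuildAuthn's body continues outside the hunk, and whether `errors` is already imported in this file is not visible here.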
diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index a9ecdc47e7..8450e379f3 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -22,7 +22,6 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/authentication/group"
-	"k8s.io/apiserver/pkg/authentication/request/anonymous"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	"k8s.io/apiserver/pkg/authentication/request/union"
@@ -46,7 +45,6 @@ import (
 
 // Config contains the data on how to authenticate a request to the Kube API Server
 type Config struct {
-	Anonymous                   bool
 	BasicAuthFile               string
 	ClientCAFile                string
 	TokenAuthFile               string
@@ -147,9 +145,6 @@ func (config Config) New() (authenticator.Request, error) {
 	}
 
 	if len(authenticators) == 0 {
-		if config.Anonymous {
-			return anonymous.NewAuthenticator(), nil
-		}
 		return nil, nil
 	}
 
@@ -157,12 +152,6 @@ func (config Config) New() (authenticator.Request, error) {
 
 	authenticator = group.NewAuthenticatedGroupAdder(authenticator)
 
-	if config.Anonymous {
-		// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
-		// or invalid username/password combination anonymous).
-		authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
-	}
-
 	return authenticator, nil
 }
 
diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go
index 096305421e..3b6d003752 100644
--- a/pkg/kubeapiserver/options/authentication.go
+++ b/pkg/kubeapiserver/options/authentication.go
@@ -25,17 +25,14 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/klog"
 
-	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
-	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 )
 
 type BuiltInAuthenticationOptions struct {
 	APIAudiences    []string
-	Anonymous       *AnonymousAuthenticationOptions
 	ClientCert      *genericoptions.ClientCertAuthenticationOptions
 	PasswordFile    *PasswordFileAuthenticationOptions
 	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
@@ -47,10 +44,6 @@ type BuiltInAuthenticationOptions struct {
 	TokenFailureCacheTTL time.Duration
 }
 
-type AnonymousAuthenticationOptions struct {
-	Allow bool
-}
-
 type PasswordFileAuthenticationOptions struct {
 	BasicAuthFile string
 }
@@ -80,7 +73,6 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
 
 func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 	return s.
-		WithAnonymous().
 		WithClientCert().
 		WithPasswordFile().
 		WithRequestHeader().
@@ -89,11 +81,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 		WithWebHook()
 }
 
-func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
-	s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
-	return s
-}
-
 func (s *BuiltInAuthenticationOptions) WithClientCert() *BuiltInAuthenticationOptions {
 	s.ClientCert = &genericoptions.ClientCertAuthenticationOptions{}
 	return s
@@ -146,13 +133,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 		"--service-account-issuer flag is configured and this flag is not, this field "+
 		"defaults to a single element list containing the issuer URL .")
 
-	if s.Anonymous != nil {
-		fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
-			"Enables anonymous requests to the secure port of the API server. "+
-			"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
-			"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
-	}
-
 	if s.ClientCert != nil {
 		s.ClientCert.AddFlags(fs)
 	}
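Review bot: Removing the `--anonymous-auth` flag registration outright means any existing kube-apiserver command line that passes `--anonymous-auth=false` (the hardened setting) now fails to parse with an unknown-flag error instead of starting. Keeping a no-op flag for a deprecation cycle avoids that breakage: register a throwaway bool under the same name and help text and call `fs.MarkDeprecated("anonymous-auth", "anonymous authentication has been removed; this flag is ignored")`. AddFlags starts and ends outside the hunk, so the neighbouring registrations are not visible here.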
@@ -215,10 +195,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() kubeauthenticato
 		TokenFailureCacheTTL: s.TokenFailureCacheTTL,
 	}
 
-	if s.Anonymous != nil {
-		ret.Anonymous = s.Anonymous.Allow
-	}
-
 	if s.ClientCert != nil {
 		ret.ClientCAFile = s.ClientCert.ClientCA
 	}
@@ -291,14 +267,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 
 // ApplyAuthorization will conditionally modify the authentication options based on the authorization options
 func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
-	if o == nil || authorization == nil || o.Anonymous == nil {
+	if o == nil || authorization == nil {
 		return
 	}
-
-	// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
-	// in such a case the AnonymousAuth is stomped to false and you get a message
-	if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
-		klog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
-		o.Anonymous.Allow = false
-	}
 }
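Review bot: After this hunk ApplyAuthorization is only the nil guard followed by a return, yet the doc comment at the top of the hunk still says it "will conditionally modify the authentication options based on the authorization options". Either the function and its call sites should be removed, or the comment should state what is now true, e.g. `// ApplyAuthorization is retained for API compatibility; no authentication option depends on the authorization options any more.` The `klog` import kept in this file's first hunk had its only visible use in the removed Warningf call; if the rest of the file does not use it, the build fails on an unused import, which I cannot confirm from here.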
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
index 1c281d5562..4fa4c11cde 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go
@@ -23,7 +23,6 @@ import (
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/group"
-	"k8s.io/apiserver/pkg/authentication/request/anonymous"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	"k8s.io/apiserver/pkg/authentication/request/headerrequest"
 	unionauth "k8s.io/apiserver/pkg/authentication/request/union"
@@ -38,8 +37,6 @@ import (
 // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
 // built to delegate authentication to a kube API server
 type DelegatingAuthenticatorConfig struct {
-	Anonymous bool
-
 	// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
 	TokenAccessReviewClient authenticationclient.TokenReviewInterface
 
@@ -94,15 +91,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
 	}
 
 	if len(authenticators) == 0 {
-		if c.Anonymous {
-			return anonymous.NewAuthenticator(), nil
-		}
 		return nil, errors.New("No authentication method configured")
 	}
 
 	authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...))
-	if c.Anonymous {
-		authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
-	}
 	return authenticator, nil
 }
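Review bot: With the anonymous fallback gone, `New` returns the "No authentication method configured" error whenever neither a token review client nor a client CA is present, and the hunk in staging/src/k8s.io/apiserver/pkg/server/options/authentication.go drops the `Anonymous: true` default that previously kept delegating servers off this path. A component built on DelegatingAuthenticationOptions that runs without a kubeconfig or client CA presumably now fails at startup rather than serving with anonymous identities; that is a defensible security outcome, but it is a behaviour change that the commit description should state, and the error could name what is missing, e.g. `return nil, errors.New("no authentication method configured: configure a client CA or a token review client")`. Whether any caller matches on the current message text is not visible from this hunk.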
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
deleted file mode 100644
index 329b92ecc5..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/BUILD
+++ /dev/null
@@ -1,42 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
-    "@io_bazel_rules_go//go:def.bzl",
-    "go_library",
-    "go_test",
-)
-
-go_test(
-    name = "go_default_test",
-    srcs = ["anonymous_test.go"],
-    embed = [":go_default_library"],
-    deps = [
-        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-    ],
-)
-
-go_library(
-    name = "go_default_library",
-    srcs = ["anonymous.go"],
-    importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
-    importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
-    deps = [
-        "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
-    ],
-)
-
-filegroup(
-    name = "package-srcs",
-    srcs = glob(["**"]),
-    tags = ["automanaged"],
-    visibility = ["//visibility:private"],
-)
-
-filegroup(
-    name = "all-srcs",
-    srcs = [":package-srcs"],
-    tags = ["automanaged"],
-)
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
deleted file mode 100644
index f9177d1513..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous.go
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
-	"net/http"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-const (
-	anonymousUser = user.Anonymous
-
-	unauthenticatedGroup = user.AllUnauthenticated
-)
-
-func NewAuthenticator() authenticator.Request {
-	return authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
-		auds, _ := authenticator.AudiencesFrom(req.Context())
-		return &authenticator.Response{
-			User: &user.DefaultInfo{
-				Name:   anonymousUser,
-				Groups: []string{unauthenticatedGroup},
-			},
-			Audiences: auds,
-		}, true, nil
-	})
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
deleted file mode 100644
index 494ab60974..0000000000
--- a/staging/src/k8s.io/apiserver/pkg/authentication/request/anonymous/anonymous_test.go
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
-Copyright 2016 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package anonymous
-
-import (
-	"net/http"
-	"testing"
-
-	"k8s.io/apimachinery/pkg/util/sets"
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-func TestAnonymous(t *testing.T) {
-	var a authenticator.Request = NewAuthenticator()
-	r, ok, err := a.AuthenticateRequest(&http.Request{})
-	if err != nil {
-		t.Fatalf("Unexpected error %v", err)
-	}
-	if !ok {
-		t.Fatalf("Unexpectedly unauthenticated")
-	}
-	if r.User.GetName() != user.Anonymous {
-		t.Fatalf("Expected username %s, got %s", user.Anonymous, r.User.GetName())
-	}
-	if !sets.NewString(r.User.GetGroups()...).Equal(sets.NewString(user.AllUnauthenticated)) {
-		t.Fatalf("Expected group %s, got %v", user.AllUnauthenticated, r.User.GetGroups())
-	}
-}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
index 3204fb0705..9dfeec8c4c 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@@ -176,7 +176,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
 	}
 
 	cfg := authenticatorfactory.DelegatingAuthenticatorConfig{
-		Anonymous: true,
 		CacheTTL:  s.CacheTTL,
 	}
 
-- 
GitLab