kubernetes: k8s.io/kubernetes/pkg/kubeapiserver/authenticator

package authenticator

import "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"


func IsValidServiceAccountKeyFile

func IsValidServiceAccountKeyFile(file string) bool

IsValidServiceAccountKeyFile returns true if a valid public RSA key can be read from the given file.

type Config

type Config struct {
    Anonymous      bool
    BootstrapToken bool

    TokenAuthFile               string
    OIDCIssuerURL               string
    OIDCClientID                string
    OIDCCAFile                  string
    OIDCUsernameClaim           string
    OIDCUsernamePrefix          string
    OIDCGroupsClaim             string
    OIDCGroupsPrefix            string
    OIDCSigningAlgs             []string
    OIDCRequiredClaims          map[string]string
    ServiceAccountKeyFiles      []string
    ServiceAccountLookup        bool
    ServiceAccountIssuer        string
    APIAudiences                authenticator.Audiences
    WebhookTokenAuthnConfigFile string
    WebhookTokenAuthnVersion    string
    WebhookTokenAuthnCacheTTL   time.Duration
    // WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.
    // This allows us to configure the sleep time at each iteration and the maximum number of retries allowed
    // before we fail the webhook call in order to limit the fan out that ensues when the system is degraded.
    WebhookRetryBackoff *wait.Backoff

    TokenSuccessCacheTTL time.Duration
    TokenFailureCacheTTL time.Duration

    RequestHeaderConfig *authenticatorfactory.RequestHeaderConfig

    // TODO, this is the only non-serializable part of the entire config.  Factor it out into a clientconfig
    ServiceAccountTokenGetter   serviceaccount.ServiceAccountTokenGetter
    BootstrapTokenAuthenticator authenticator.Token
    // ClientCAContentProvider are the options for verifying incoming connections using mTLS and directly assigning to users.
    // Generally this is the CA bundle file used to authenticate client certificates
    // If this value is nil, then mutual TLS is disabled.
    ClientCAContentProvider dynamiccertificates.CAContentProvider

    // Optional field, custom dial function used to connect to webhook
    CustomDial utilnet.DialFunc
}

Config contains the data on how to authenticate a request to the Kube API Server.

func (Config) New

func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, error)

New returns an authenticator.Request that supports the standard Kubernetes authentication mechanisms, or an error.

Package authenticator imports 23 packages and is imported by 125 packages. Updated 2020-11-04.