kubernetes: k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap

package bootstrap

import "k8s.io/kubernetes/plugin/pkg/auth/authenticator/token/bootstrap"

Package bootstrap provides a token authenticator for TLS bootstrap secrets.



type TokenAuthenticator

type TokenAuthenticator struct {
    // contains filtered or unexported fields
}

TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.

func NewTokenAuthenticator

func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator

NewTokenAuthenticator initializes a bootstrap token authenticator.

Lister is expected to be for the "kube-system" namespace.

func (*TokenAuthenticator) AuthenticateToken

func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

AuthenticateToken tries to match the provided token to a bootstrap token secret in a given namespace. If found, it authenticates the token in the "system:bootstrappers" group and with the "system:bootstrap:(token-id)" username.

All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:

apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-( token id )".
  name: bootstrap-token-( token id )
  namespace: kube-system
# Only secrets of this type will be evaluated.
type: bootstrap.kubernetes.io/token
data:
  token-secret: ( private part of token )
  token-id: ( token id )
  # Required key usage.
  usage-bootstrap-authentication: true
  auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
  # May also contain an expiry.

Tokens are expected to be of the form:

( token-id ).( token-secret )
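The matching rules described above, as an added standalone sketch; it is not the package's own code. The `Secret` type and `Authenticate` function are hypothetical stand-ins for the real Kubernetes types. The 6-character id / 16-character secret token shape and the `expiration` key are taken from Kubernetes' bootstrap token documentation rather than from this page.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Secret is a hypothetical stand-in for corev1.Secret with already-decoded data.
type Secret struct {
	Type string
	Data map[string]string
}

var tokenRe = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`) // assumed token shape
// Authenticate maps a token to (username, groups); lookup models the kube-system lister.
func Authenticate(token string, lookup func(name string) *Secret, now time.Time) (string, []string, bool) {
	m := tokenRe.FindStringSubmatch(token)
	if m == nil {
		return "", nil, false
	}
	s := lookup("bootstrap-token-" + m[1])
	if s == nil || s.Type != "bootstrap.kubernetes.io/token" || s.Data["token-id"] != m[1] ||
		s.Data["usage-bootstrap-authentication"] != "true" ||
		subtle.ConstantTimeCompare([]byte(s.Data["token-secret"]), []byte(m[2])) != 1 { // constant-time secret check
		return "", nil, false
	}
	// Assumed expiry key "expiration" (RFC 3339); unparsable or past values fail closed.
	exp, hasExp := s.Data["expiration"]
	if t, err := time.Parse(time.RFC3339, exp); hasExp && (err != nil || !now.Before(t)) {
		return "", nil, false
	}
	groups := []string{"system:bootstrappers"}
	for _, g := range strings.FieldsFunc(s.Data["auth-extra-groups"], func(r rune) bool { return r == ',' }) {
		if !strings.HasPrefix(g, "system:bootstrappers:") {
			return "", nil, false // extra groups may not escape the bootstrappers prefix
		}
		groups = append(groups, g)
	}
	return "system:bootstrap:" + m[1], groups, true
}

func main() { // constructed sample secret and token
	s := &Secret{"bootstrap.kubernetes.io/token", map[string]string{
		"token-id": "abcdef", "token-secret": "0123456789abcdef", "usage-bootstrap-authentication": "true"}}
	fmt.Println(Authenticate("abcdef.0123456789abcdef", func(string) *Secret { return s }, time.Now()))
}
```

Rejecting an `auth-extra-groups` entry outside the `system:bootstrappers:` prefix keeps whoever can write the secret from using it to place a joining node into a more privileged group.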

Package bootstrap imports 13 packages and is imported by 9 packages. Updated 2020-07-10.