Documentation

Overview

    Package bootstrap provides a token authenticator for TLS bootstrap secrets.


    Types

    type TokenAuthenticator

    type TokenAuthenticator struct {
    	// contains filtered or unexported fields
    }

      TokenAuthenticator authenticates bootstrap tokens from secrets in the API server.

      func NewTokenAuthenticator

      func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator

        NewTokenAuthenticator initializes a bootstrap token authenticator.

        Lister is expected to be for the "kube-system" namespace.

        func (*TokenAuthenticator) AuthenticateToken

        func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error)

          AuthenticateToken tries to match the provided token to a bootstrap token secret in a given namespace. If a match is found, the token is authenticated with the username "system:bootstrap:(token-id)" and placed in the "system:bootstrappers" group.

          All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:

          apiVersion: v1
          kind: Secret
          metadata:
            # Name MUST be of form "bootstrap-token-( token id )".
            name: bootstrap-token-( token id )
            namespace: kube-system
          # Only secrets of this type will be evaluated.
          type: bootstrap.kubernetes.io/token
          data:
            token-secret: ( private part of token )
            token-id: ( token id )
            # Required key usage.
            usage-bootstrap-authentication: true
            auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
            # May also contain an expiry.
          

          Tokens are expected to be of the form:

          ( token-id ).( token-secret )
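
The matching rules described above, written out as an added example; this is not the package's own code. The `secret` type, `authenticate`, `sampleStore` and the in-memory map standing in for the lister are hypothetical, secret values are assumed to be already decoded, and expiry is not handled. The constant-time comparison and the prefix check on extra groups are choices made for this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
)

// secret is a hypothetical, already-decoded stand-in for a corev1.Secret.
type secret struct{ Type string; Data map[string]string }

// authenticate applies the documented checks to an in-memory store keyed by secret name.
func authenticate(store map[string]secret, token string) (string, []string, bool) {
	id, priv, found := strings.Cut(token, ".") // ( token-id ).( token-secret )
	if !found || id == "" || priv == "" {
		return "", nil, false
	}
	s, exists := store["bootstrap-token-"+id]
	if !exists || s.Type != "bootstrap.kubernetes.io/token" || s.Data["token-id"] != id ||
		s.Data["usage-bootstrap-authentication"] != "true" {
		return "", nil, false
	}
	// Constant-time comparison so response timing does not leak the secret.
	if subtle.ConstantTimeCompare([]byte(s.Data["token-secret"]), []byte(priv)) != 1 {
		return "", nil, false
	}
	groups := []string{"system:bootstrappers"}
	for _, g := range strings.Split(s.Data["auth-extra-groups"], ",") {
		if g == "" {
			continue
		}
		if !strings.HasPrefix(g, "system:bootstrappers:") {
			return "", nil, false // assumption: refuse secrets that grant other groups
		}
		groups = append(groups, g)
	}
	return "system:bootstrap:" + id, groups, true
}

// sampleStore returns constructed sample data; the token is not a real credential.
func sampleStore() map[string]secret {
	d := map[string]string{"token-id": "abcdef", "token-secret": "0123456789abcdef",
		"usage-bootstrap-authentication": "true",
		"auth-extra-groups":              "system:bootstrappers:custom-group1"}
	return map[string]secret{"bootstrap-token-abcdef": {Type: "bootstrap.kubernetes.io/token", Data: d}}
}

func main() { fmt.Println(authenticate(sampleStore(), "abcdef.0123456789abcdef")) }
```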
          
