diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 0347628101b54..309ad824aa16e 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -172,6 +172,10 @@ type KubeletConfigSpec struct {
 DockerDisableSharedPID *bool `json:"dockerDisableSharedPID,omitempty" flag:"docker-disable-shared-pid"`
 // RootDir is the directory path for managing kubelet files (volume mounts,etc)
 RootDir string `json:"rootDir,omitempty" flag:"root-dir"`
+ // AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
+ AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
+ // AuthenticationTokenWebhook sets the duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
+ AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 }
 
 // KubeProxyConfig defines the configuration for a proxy
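Review bot: The doc comment on `AuthenticationTokenWebhookCacheTTL` opens with the wrong field name (`// AuthenticationTokenWebhook sets the duration to cache ...`), so the two new kubelet fields are documented under one name; it should start `// AuthenticationTokenWebhookCacheTTL sets the duration ...` and drop the doubled `Default is 2m. (default 2m0s)`. The same comment is repeated in the KubeletConfigSpec hunks of v1alpha1/componentconfig.go and v1alpha2/componentconfig.go. Since this TTL controls how long a TokenReview answer is reused, I would add a line such as `// A revoked token may still be accepted until the cached response expires.` KubeletConfigSpec starts before the hunk, so I can't see which other kubelet auth settings sit beside these; the comment on `AuthenticationTokenWebhook` should state that it only adds bearer-token authentication and does not by itself turn off anonymous access or change the authorization mode. Because the field keeps the JSON key `authenticationTokenWebhook` but moves from the API server spec to the kubelet spec, existing cluster specs that set it in the old place presumably stop having any effect, which deserves a release note or a validation error.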
@@ -316,8 +320,6 @@ type KubeAPIServerConfig struct {
 AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty" flag:"audit-log-maxsize"`
 // AuditPolicyFile is the full path to a advanced audit configuration file a.g. /srv/kubernetes/audit.conf
 AuditPolicyFile string `json:"auditPolicyFile,omitempty" flag:"audit-policy-file"`
- // AuthenticationTokenWebhook enables bearer token authentication on kubelet.
- AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
 // File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
 AuthenticationTokenWebhookConfigFile *string `json:"authenticationTokenWebhookConfigFile,omitempty" flag:"authentication-token-webhook-config-file"`
 // The duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
diff --git a/pkg/apis/kops/v1alpha1/componentconfig.go b/pkg/apis/kops/v1alpha1/componentconfig.go
index a544f08f98a01..7a3848f90348c 100644
--- a/pkg/apis/kops/v1alpha1/componentconfig.go
+++ b/pkg/apis/kops/v1alpha1/componentconfig.go
@@ -172,6 +172,10 @@ type KubeletConfigSpec struct {
 DockerDisableSharedPID *bool `json:"dockerDisableSharedPID,omitempty" flag:"docker-disable-shared-pid"`
 // RootDir is the directory path for managing kubelet files (volume mounts,etc)
 RootDir string `json:"rootDir,omitempty" flag:"root-dir"`
+ // AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
+ AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
+ // AuthenticationTokenWebhook sets the duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
+ AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 }
 
 // KubeProxyConfig defines the configuration for a proxy
@@ -316,8 +320,6 @@ type KubeAPIServerConfig struct {
 AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty" flag:"audit-log-maxsize"`
 // AuditPolicyFile is the full path to a advanced audit configuration file a.g. /srv/kubernetes/audit.conf
 AuditPolicyFile string `json:"auditPolicyFile,omitempty" flag:"audit-policy-file"`
- // AuthenticationTokenWebhook enables bearer token authentication on kubelet.
- AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
 // File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
 AuthenticationTokenWebhookConfigFile *string `json:"authenticationTokenWebhookConfigFile,omitempty" flag:"authentication-token-webhook-config-file"`
 // The duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index fde5f0376ee24..99690ff71914e 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go @@ -2200,7 +2200,6 @@ func autoConvert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.AuditLogMaxBackups = in.AuditLogMaxBackups out.AuditLogMaxSize = in.AuditLogMaxSize out.AuditPolicyFile = in.AuditPolicyFile - out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL out.AuthorizationMode = in.AuthorizationMode @@ -2272,7 +2271,6 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha1_KubeAPIServerConfig(in *ko out.AuditLogMaxBackups = in.AuditLogMaxBackups out.AuditLogMaxSize = in.AuditLogMaxSize out.AuditPolicyFile = in.AuditPolicyFile - out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL out.AuthorizationMode = in.AuthorizationMode @@ -2571,6 +2569,8 @@ func autoConvert_v1alpha1_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.DockerDisableSharedPID = in.DockerDisableSharedPID out.RootDir = in.RootDir + out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook + out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL return nil } @@ -2645,6 +2645,8 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha1_KubeletConfigSpec(in *kops.K out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.DockerDisableSharedPID = in.DockerDisableSharedPID out.RootDir = in.RootDir + out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook + out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL return nil } 
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go index f9a3075441140..3d1cf927f030f 100644 --- a/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha1/zz_generated.deepcopy.go @@ -2064,15 +2064,6 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { **out = **in } } - if in.AuthenticationTokenWebhook != nil { - in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook - if *in == nil { - *out = nil - } else { - *out = new(bool) - **out = **in - } - } if in.AuthenticationTokenWebhookConfigFile != nil { in, out := &in.AuthenticationTokenWebhookConfigFile, &out.AuthenticationTokenWebhookConfigFile if *in == nil { @@ -2742,6 +2733,24 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) { **out = **in } } + if in.AuthenticationTokenWebhook != nil { + in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook + if *in == nil { + *out = nil + } else { + *out = new(bool) + **out = **in + } + } + if in.AuthenticationTokenWebhookCacheTTL != nil { + in, out := &in.AuthenticationTokenWebhookCacheTTL, &out.AuthenticationTokenWebhookCacheTTL + if *in == nil { + *out = nil + } else { + *out = new(v1.Duration) + **out = **in + } + } return } diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go index f4c2e305c58f8..b963658007432 100644 --- a/pkg/apis/kops/v1alpha2/componentconfig.go +++ b/pkg/apis/kops/v1alpha2/componentconfig.go 
@@ -172,6 +172,10 @@ type KubeletConfigSpec struct {
 DockerDisableSharedPID *bool `json:"dockerDisableSharedPID,omitempty" flag:"docker-disable-shared-pid"`
 // RootDir is the directory path for managing kubelet files (volume mounts,etc)
 RootDir string `json:"rootDir,omitempty" flag:"root-dir"`
+ // AuthenticationTokenWebhook uses the TokenReview API to determine authentication for bearer tokens.
+ AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
+ // AuthenticationTokenWebhook sets the duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
+ AuthenticationTokenWebhookCacheTTL *metav1.Duration `json:"authenticationTokenWebhookCacheTtl,omitempty" flag:"authentication-token-webhook-cache-ttl"`
 }
 
 // KubeProxyConfig defines the configuration for a proxy
@@ -316,8 +320,6 @@ type KubeAPIServerConfig struct {
 AuditLogMaxSize *int32 `json:"auditLogMaxSize,omitempty" flag:"audit-log-maxsize"`
 // AuditPolicyFile is the full path to a advanced audit configuration file a.g. /srv/kubernetes/audit.conf
 AuditPolicyFile string `json:"auditPolicyFile,omitempty" flag:"audit-policy-file"`
- // AuthenticationTokenWebhook enables bearer token authentication on kubelet.
- AuthenticationTokenWebhook *bool `json:"authenticationTokenWebhook,omitempty" flag:"authentication-token-webhook"`
 // File with webhook configuration for token authentication in kubeconfig format. The API server will query the remote service to determine authentication for bearer tokens.
 AuthenticationTokenWebhookConfigFile *string `json:"authenticationTokenWebhookConfigFile,omitempty" flag:"authentication-token-webhook-config-file"`
 // The duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s)
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 7f700cc3b675c..7390fcb373143 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -2464,7 +2464,6 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku out.AuditLogMaxBackups = in.AuditLogMaxBackups out.AuditLogMaxSize = in.AuditLogMaxSize out.AuditPolicyFile = in.AuditPolicyFile - out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL out.AuthorizationMode = in.AuthorizationMode @@ -2536,7 +2535,6 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko out.AuditLogMaxBackups = in.AuditLogMaxBackups out.AuditLogMaxSize = in.AuditLogMaxSize out.AuditPolicyFile = in.AuditPolicyFile - out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook out.AuthenticationTokenWebhookConfigFile = in.AuthenticationTokenWebhookConfigFile out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL out.AuthorizationMode = in.AuthorizationMode @@ -2835,6 +2833,8 @@ func autoConvert_v1alpha2_KubeletConfigSpec_To_kops_KubeletConfigSpec(in *Kubele out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.DockerDisableSharedPID = in.DockerDisableSharedPID out.RootDir = in.RootDir + out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook + out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL return nil } @@ -2909,6 +2909,8 @@ func autoConvert_kops_KubeletConfigSpec_To_v1alpha2_KubeletConfigSpec(in *kops.K out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout out.DockerDisableSharedPID = in.DockerDisableSharedPID out.RootDir = in.RootDir + out.AuthenticationTokenWebhook = in.AuthenticationTokenWebhook + out.AuthenticationTokenWebhookCacheTTL = in.AuthenticationTokenWebhookCacheTTL return nil } 
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go index 266605ffe283e..17852c07d204f 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go @@ -2145,15 +2145,6 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { **out = **in } } - if in.AuthenticationTokenWebhook != nil { - in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook - if *in == nil { - *out = nil - } else { - *out = new(bool) - **out = **in - } - } if in.AuthenticationTokenWebhookConfigFile != nil { in, out := &in.AuthenticationTokenWebhookConfigFile, &out.AuthenticationTokenWebhookConfigFile if *in == nil { @@ -2823,6 +2814,24 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) { **out = **in } } + if in.AuthenticationTokenWebhook != nil { + in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook + if *in == nil { + *out = nil + } else { + *out = new(bool) + **out = **in + } + } + if in.AuthenticationTokenWebhookCacheTTL != nil { + in, out := &in.AuthenticationTokenWebhookCacheTTL, &out.AuthenticationTokenWebhookCacheTTL + if *in == nil { + *out = nil + } else { + *out = new(v1.Duration) + **out = **in + } + } return } diff --git a/pkg/apis/kops/zz_generated.deepcopy.go b/pkg/apis/kops/zz_generated.deepcopy.go index 9e93222ded4ec..5723463d64b4d 100644 --- a/pkg/apis/kops/zz_generated.deepcopy.go +++ b/pkg/apis/kops/zz_generated.deepcopy.go 
@@ -2333,15 +2333,6 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) { **out = **in } } - if in.AuthenticationTokenWebhook != nil { - in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook - if *in == nil { - *out = nil - } else { - *out = new(bool) - **out = **in - } - } if in.AuthenticationTokenWebhookConfigFile != nil { in, out := &in.AuthenticationTokenWebhookConfigFile, &out.AuthenticationTokenWebhookConfigFile if *in == nil { @@ -3011,6 +3002,24 @@ func (in *KubeletConfigSpec) DeepCopyInto(out *KubeletConfigSpec) { **out = **in } } + if in.AuthenticationTokenWebhook != nil { + in, out := &in.AuthenticationTokenWebhook, &out.AuthenticationTokenWebhook + if *in == nil { + *out = nil + } else { + *out = new(bool) + **out = **in + } + } + if in.AuthenticationTokenWebhookCacheTTL != nil { + in, out := &in.AuthenticationTokenWebhookCacheTTL, &out.AuthenticationTokenWebhookCacheTTL + if *in == nil { + *out = nil + } else { + *out = new(v1.Duration) + **out = **in + } + } return }