vendor files

2025-06-13 10:33:35 +00:00 · 2018-01-09 13:57:14 -05:00
parent 558bc6c02a
commit 7b24313bd6
16547 changed files with 4527373 additions and 0 deletions
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/BUILD
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/BUILD
@ -0,0 +1,54 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "jwt.go",
+        "util.go",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/serviceaccount",
+    deps = [
+        "//pkg/apis/core:go_default_library",
+        "//vendor/github.com/dgrijalva/jwt-go:go_default_library",
+        "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_xtest",
+    srcs = ["jwt_test.go"],
+    importpath = "k8s.io/kubernetes/pkg/serviceaccount_test",
+    deps = [
+        ":go_default_library",
+        "//pkg/controller/serviceaccount:go_default_library",
+        "//vendor/k8s.io/api/core/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes/fake:go_default_library",
+        "//vendor/k8s.io/client-go/util/cert:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/OWNERS
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/OWNERS
@ -0,0 +1,9 @@
+approvers:
+- liggitt
+- deads2k
+reviewers:
+- liggitt
+- deads2k
+- mikedanese
+- ericchiang
+- enj
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt.go
@ -0,0 +1,250 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+
+	"k8s.io/api/core/v1"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/golang/glog"
+)
+
+const (
+	Issuer = "kubernetes/serviceaccount"
+
+	SubjectClaim            = "sub"
+	IssuerClaim             = "iss"
+	ServiceAccountNameClaim = "kubernetes.io/serviceaccount/service-account.name"
+	ServiceAccountUIDClaim  = "kubernetes.io/serviceaccount/service-account.uid"
+	SecretNameClaim         = "kubernetes.io/serviceaccount/secret.name"
+	NamespaceClaim          = "kubernetes.io/serviceaccount/namespace"
+)
+
+// ServiceAccountTokenGetter defines functions to retrieve a named service account and secret
+type ServiceAccountTokenGetter interface {
+	GetServiceAccount(namespace, name string) (*v1.ServiceAccount, error)
+	GetSecret(namespace, name string) (*v1.Secret, error)
+}
+
+type TokenGenerator interface {
+	// GenerateToken generates a token which will identify the given ServiceAccount.
+	// The returned token will be stored in the given (and yet-unpersisted) Secret.
+	GenerateToken(serviceAccount v1.ServiceAccount, secret v1.Secret) (string, error)
+}
+
+// JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey.
+// privateKey is a PEM-encoded byte array of a private RSA key.
+// JWTTokenAuthenticator()
+func JWTTokenGenerator(privateKey interface{}) TokenGenerator {
+	return &jwtTokenGenerator{privateKey}
+}
+
+type jwtTokenGenerator struct {
+	privateKey interface{}
+}
+
+func (j *jwtTokenGenerator) GenerateToken(serviceAccount v1.ServiceAccount, secret v1.Secret) (string, error) {
+	var method jwt.SigningMethod
+	switch privateKey := j.privateKey.(type) {
+	case *rsa.PrivateKey:
+		method = jwt.SigningMethodRS256
+	case *ecdsa.PrivateKey:
+		switch privateKey.Curve {
+		case elliptic.P256():
+			method = jwt.SigningMethodES256
+		case elliptic.P384():
+			method = jwt.SigningMethodES384
+		case elliptic.P521():
+			method = jwt.SigningMethodES512
+		default:
+			return "", fmt.Errorf("unknown private key curve, must be 256, 384, or 521")
+		}
+	default:
+		return "", fmt.Errorf("unknown private key type %T, must be *rsa.PrivateKey or *ecdsa.PrivateKey", j.privateKey)
+	}
+
+	token := jwt.New(method)
+
+	claims, _ := token.Claims.(jwt.MapClaims)
+
+	// Identify the issuer
+	claims[IssuerClaim] = Issuer
+
+	// Username
+	claims[SubjectClaim] = apiserverserviceaccount.MakeUsername(serviceAccount.Namespace, serviceAccount.Name)
+
+	// Persist enough structured info for the authenticator to be able to look up the service account and secret
+	claims[NamespaceClaim] = serviceAccount.Namespace
+	claims[ServiceAccountNameClaim] = serviceAccount.Name
+	claims[ServiceAccountUIDClaim] = serviceAccount.UID
+	claims[SecretNameClaim] = secret.Name
+
+	// Sign and get the complete encoded token as a string
+	return token.SignedString(j.privateKey)
+}
+
+// JWTTokenAuthenticator authenticates tokens as JWT tokens produced by JWTTokenGenerator
+// Token signatures are verified using each of the given public keys until one works (allowing key rotation)
+// If lookup is true, the service account and secret referenced as claims inside the token are retrieved and verified with the provided ServiceAccountTokenGetter
+func JWTTokenAuthenticator(keys []interface{}, lookup bool, getter ServiceAccountTokenGetter) authenticator.Token {
+	return &jwtTokenAuthenticator{keys, lookup, getter}
+}
+
+type jwtTokenAuthenticator struct {
+	keys   []interface{}
+	lookup bool
+	getter ServiceAccountTokenGetter
+}
+
+var errMismatchedSigningMethod = errors.New("invalid signing method")
+
+func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, error) {
+	var validationError error
+
+	for i, key := range j.keys {
+		// Attempt to verify with each key until we find one that works
+		parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
+			switch token.Method.(type) {
+			case *jwt.SigningMethodRSA:
+				if _, ok := key.(*rsa.PublicKey); ok {
+					return key, nil
+				}
+				return nil, errMismatchedSigningMethod
+			case *jwt.SigningMethodECDSA:
+				if _, ok := key.(*ecdsa.PublicKey); ok {
+					return key, nil
+				}
+				return nil, errMismatchedSigningMethod
+			default:
+				return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+			}
+		})
+
+		if err != nil {
+			switch err := err.(type) {
+			case *jwt.ValidationError:
+				if (err.Errors & jwt.ValidationErrorMalformed) != 0 {
+					// Not a JWT, no point in continuing
+					return nil, false, nil
+				}
+
+				if (err.Errors & jwt.ValidationErrorSignatureInvalid) != 0 {
+					// Signature error, perhaps one of the other keys will verify the signature
+					// If not, we want to return this error
+					glog.V(4).Infof("Signature error (key %d): %v", i, err)
+					validationError = err
+					continue
+				}
+
+				// This key doesn't apply to the given signature type
+				// Perhaps one of the other keys will verify the signature
+				// If not, we want to return this error
+				if err.Inner == errMismatchedSigningMethod {
+					glog.V(4).Infof("Mismatched key type (key %d): %v", i, err)
+					validationError = err
+					continue
+				}
+			}
+
+			// Other errors should just return as errors
+			return nil, false, err
+		}
+
+		// If we get here, we have a token with a recognized signature
+
+		claims, _ := parsedToken.Claims.(jwt.MapClaims)
+
+		// Make sure we issued the token
+		iss, _ := claims[IssuerClaim].(string)
+		if iss != Issuer {
+			return nil, false, nil
+		}
+
+		// Make sure the claims we need exist
+		sub, _ := claims[SubjectClaim].(string)
+		if len(sub) == 0 {
+			return nil, false, errors.New("sub claim is missing")
+		}
+		namespace, _ := claims[NamespaceClaim].(string)
+		if len(namespace) == 0 {
+			return nil, false, errors.New("namespace claim is missing")
+		}
+		secretName, _ := claims[SecretNameClaim].(string)
+		if len(namespace) == 0 {
+			return nil, false, errors.New("secretName claim is missing")
+		}
+		serviceAccountName, _ := claims[ServiceAccountNameClaim].(string)
+		if len(serviceAccountName) == 0 {
+			return nil, false, errors.New("serviceAccountName claim is missing")
+		}
+		serviceAccountUID, _ := claims[ServiceAccountUIDClaim].(string)
+		if len(serviceAccountUID) == 0 {
+			return nil, false, errors.New("serviceAccountUID claim is missing")
+		}
+
+		subjectNamespace, subjectName, err := apiserverserviceaccount.SplitUsername(sub)
+		if err != nil || subjectNamespace != namespace || subjectName != serviceAccountName {
+			return nil, false, errors.New("sub claim is invalid")
+		}
+
+		if j.lookup {
+			// Make sure token hasn't been invalidated by deletion of the secret
+			secret, err := j.getter.GetSecret(namespace, secretName)
+			if err != nil {
+				glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
+				return nil, false, errors.New("Token has been invalidated")
+			}
+			if secret.DeletionTimestamp != nil {
+				glog.V(4).Infof("Token is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
+				return nil, false, errors.New("Token has been invalidated")
+			}
+			if bytes.Compare(secret.Data[v1.ServiceAccountTokenKey], []byte(token)) != 0 {
+				glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
+				return nil, false, errors.New("Token does not match server's copy")
+			}
+
+			// Make sure service account still exists (name and UID)
+			serviceAccount, err := j.getter.GetServiceAccount(namespace, serviceAccountName)
+			if err != nil {
+				glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
+				return nil, false, err
+			}
+			if serviceAccount.DeletionTimestamp != nil {
+				glog.V(4).Infof("Service account has been deleted %s/%s", namespace, serviceAccountName)
+				return nil, false, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, serviceAccountName)
+			}
+			if string(serviceAccount.UID) != serviceAccountUID {
+				glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
+				return nil, false, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
+			}
+		}
+
+		return UserInfo(namespace, serviceAccountName, serviceAccountUID), true, nil
+	}
+
+	return nil, false, validationError
+}
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/jwt_test.go
@ -0,0 +1,322 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount_test
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	certutil "k8s.io/client-go/util/cert"
+	serviceaccountcontroller "k8s.io/kubernetes/pkg/controller/serviceaccount"
+	"k8s.io/kubernetes/pkg/serviceaccount"
+)
+
+const otherPublicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArXz0QkIG1B5Bj2/W69GH
+rsm5e+RC3kE+VTgocge0atqlLBek35tRqLgUi3AcIrBZ/0YctMSWDVcRt5fkhWwe
+Lqjj6qvAyNyOkrkBi1NFDpJBjYJtuKHgRhNxXbOzTSNpdSKXTfOkzqv56MwHOP25
+yP/NNAODUtr92D5ySI5QX8RbXW+uDn+ixul286PBW/BCrE4tuS88dA0tYJPf8LCu
+sqQOwlXYH/rNUg4Pyl9xxhR5DIJR0OzNNfChjw60zieRIt2LfM83fXhwk8IxRGkc
+gPZm7ZsipmfbZK2Tkhnpsa4QxDg7zHJPMsB5kxRXW0cQipXcC3baDyN9KBApNXa0
+PwIDAQAB
+-----END PUBLIC KEY-----`
+
+const rsaPublicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA249XwEo9k4tM8fMxV7zx
+OhcrP+WvXn917koM5Qr2ZXs4vo26e4ytdlrV0bQ9SlcLpQVSYjIxNfhTZdDt+ecI
+zshKuv1gKIxbbLQMOuK1eA/4HALyEkFgmS/tleLJrhc65tKPMGD+pKQ/xhmzRuCG
+51RoiMgbQxaCyYxGfNLpLAZK9L0Tctv9a0mJmGIYnIOQM4kC1A1I1n3EsXMWmeJU
+j7OTh/AjjCnMnkgvKT2tpKxYQ59PgDgU8Ssc7RDSmSkLxnrv+OrN80j6xrw0OjEi
+B4Ycr0PqfzZcvy8efTtFQ/Jnc4Bp1zUtFXt7+QeevePtQ2EcyELXE0i63T1CujRM
+WwIDAQAB
+-----END PUBLIC KEY-----
+`
+
+const rsaPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA249XwEo9k4tM8fMxV7zxOhcrP+WvXn917koM5Qr2ZXs4vo26
+e4ytdlrV0bQ9SlcLpQVSYjIxNfhTZdDt+ecIzshKuv1gKIxbbLQMOuK1eA/4HALy
+EkFgmS/tleLJrhc65tKPMGD+pKQ/xhmzRuCG51RoiMgbQxaCyYxGfNLpLAZK9L0T
+ctv9a0mJmGIYnIOQM4kC1A1I1n3EsXMWmeJUj7OTh/AjjCnMnkgvKT2tpKxYQ59P
+gDgU8Ssc7RDSmSkLxnrv+OrN80j6xrw0OjEiB4Ycr0PqfzZcvy8efTtFQ/Jnc4Bp
+1zUtFXt7+QeevePtQ2EcyELXE0i63T1CujRMWwIDAQABAoIBAHJx8GqyCBDNbqk7
+e7/hI9iE1S10Wwol5GH2RWxqX28cYMKq+8aE2LI1vPiXO89xOgelk4DN6urX6xjK
+ZBF8RRIMQy/e/O2F4+3wl+Nl4vOXV1u6iVXMsD6JRg137mqJf1Fr9elg1bsaRofL
+Q7CxPoB8dhS+Qb+hj0DhlqhgA9zG345CQCAds0ZYAZe8fP7bkwrLqZpMn7Dz9WVm
++YgYYKjuE95kPuup/LtWfA9rJyE/Fws8/jGvRSpVn1XglMLSMKhLd27sE8ZUSV0
+2KUzbfRGE0+AnRULRrjpYaPu0XQ2JjdNvtkjBnv27RB89W9Gklxq821eH1Y8got8
+FZodjxECgYEA93pz7AQZ2xDs67d1XLCzpX84GxKzttirmyj3OIlxgzVHjEMsvw8v
+sjFiBU5xEEQDosrBdSknnlJqyiq1YwWG/WDckr13d8G2RQWoySN7JVmTQfXcLoTu
+YGRiiTuoEi3ab3ZqrgGrFgX7T/cHuasbYvzCvhM2b4VIR3aSxU2DTUMCgYEA4x7J
+T/ErP6GkU5nKstu/mIXwNzayEO1BJvPYsy7i7EsxTm3xe/b8/6cYOz5fvJLGH5mT
+Q8YvuLqBcMwZardrYcwokD55UvNLOyfADDFZ6l3WntIqbA640Ok2g1X4U8J09xIq
+ZLIWK1yWbbvi4QCeN5hvWq47e8sIj5QHjIIjRwkCgYEAyNqjltxFN9zmzPDa2d24
+EAvOt3pYTYBQ1t9KtqImdL0bUqV6fZ6PsWoPCgt+DBuHb+prVPGP7Bkr/uTmznU/
+AlTO+12NsYLbr2HHagkXE31DEXE7CSLa8RNjN/UKtz4Ohq7vnowJvG35FCz/mb3
+FUHbtHTXa2+bGBUOTf/5Hw0CgYBxw0r9EwUhw1qnUYJ5op7OzFAtp+T7m4ul8kCa
+SCL8TxGsgl+SQ34opE775dtYfoBk9a0RJqVit3D8yg71KFjOTNAIqHJm/Vyyjc+h
+i9rJDSXiuczsAVfLtPVMRfS0J9QkqeG4PIfkQmVLI/CZ2ZBmsqEcX+eFs4ZfPLun
+Qsxe2QKBgGuPilIbLeIBDIaPiUI0FwU8v2j8CEQBYvoQn34c95hVQsig/o5z7zlo
+UsO0wlTngXKlWdOcCs1kqEhTLrstf48djDxAYAxkw40nzeJOt7q52ib/fvf4/UBy
+X024wzbiw1q07jFCyfQmODzURAx1VNT7QVUMdz/N8vy47/H40AZJ
+-----END RSA PRIVATE KEY-----
+`
+
+// openssl ecparam -name prime256v1 -genkey -out ecdsa256params.pem
+const ecdsaPrivateKeyWithParams = `-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ9LWDj3ZWe9CksPV7mZjD2dYXG9icfzxadCRwd3vr1toAoGCCqGSM49
+AwEHoUQDQgAEaLNEpzbaaNTCkKjBVj7sxpfJ1ifJQGNvcck4nrzcwFRuujwVDDJh
+95iIGwKCQeSg+yhdN6Q/p2XaxNIZlYmUhg==
+-----END EC PRIVATE KEY-----
+`
+
+// openssl ecparam -name prime256v1 -genkey -noout -out ecdsa256.pem
+const ecdsaPrivateKey = `-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEZmTmUhuanLjPA2CLquXivuwBDHTt5XYwgIr/kA1LtRoAoGCCqGSM49
+AwEHoUQDQgAEH6cuzP8XuD5wal6wf9M6xDljTOPLX2i8uIp/C/ASqiIGUeeKQtX0
+/IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg==
+-----END EC PRIVATE KEY-----`
+
+// openssl ec -in ecdsa256.pem -pubout -out ecdsa256pub.pem
+const ecdsaPublicKey = `-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEH6cuzP8XuD5wal6wf9M6xDljTOPL
+X2i8uIp/C/ASqiIGUeeKQtX0/IR3qCXyThP/dbCiHrF3v1cuhBOHY8CLVg==
+-----END PUBLIC KEY-----`
+
+func getPrivateKey(data string) interface{} {
+	key, _ := certutil.ParsePrivateKeyPEM([]byte(data))
+	return key
+}
+
+func getPublicKey(data string) interface{} {
+	keys, _ := certutil.ParsePublicKeysPEM([]byte(data))
+	return keys[0]
+}
+func TestTokenGenerateAndValidate(t *testing.T) {
+	expectedUserName := "system:serviceaccount:test:my-service-account"
+	expectedUserUID := "12345"
+
+	// Related API objects
+	serviceAccount := &v1.ServiceAccount{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-service-account",
+			UID:       "12345",
+			Namespace: "test",
+		},
+	}
+	rsaSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-rsa-secret",
+			Namespace: "test",
+		},
+	}
+	ecdsaSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-ecdsa-secret",
+			Namespace: "test",
+		},
+	}
+
+	// Generate the RSA token
+	rsaGenerator := serviceaccount.JWTTokenGenerator(getPrivateKey(rsaPrivateKey))
+	rsaToken, err := rsaGenerator.GenerateToken(*serviceAccount, *rsaSecret)
+	if err != nil {
+		t.Fatalf("error generating token: %v", err)
+	}
+	if len(rsaToken) == 0 {
+		t.Fatalf("no token generated")
+	}
+	rsaSecret.Data = map[string][]byte{
+		"token": []byte(rsaToken),
+	}
+
+	// Generate the ECDSA token
+	ecdsaGenerator := serviceaccount.JWTTokenGenerator(getPrivateKey(ecdsaPrivateKey))
+	ecdsaToken, err := ecdsaGenerator.GenerateToken(*serviceAccount, *ecdsaSecret)
+	if err != nil {
+		t.Fatalf("error generating token: %v", err)
+	}
+	if len(ecdsaToken) == 0 {
+		t.Fatalf("no token generated")
+	}
+	ecdsaSecret.Data = map[string][]byte{
+		"token": []byte(ecdsaToken),
+	}
+
+	testCases := map[string]struct {
+		Client clientset.Interface
+		Keys   []interface{}
+		Token  string
+
+		ExpectedErr      bool
+		ExpectedOK       bool
+		ExpectedUserName string
+		ExpectedUserUID  string
+		ExpectedGroups   []string
+	}{
+		"no keys": {
+			Token:       rsaToken,
+			Client:      nil,
+			Keys:        []interface{}{},
+			ExpectedErr: false,
+			ExpectedOK:  false,
+		},
+		"invalid keys (rsa)": {
+			Token:       rsaToken,
+			Client:      nil,
+			Keys:        []interface{}{getPublicKey(otherPublicKey), getPublicKey(ecdsaPublicKey)},
+			ExpectedErr: true,
+			ExpectedOK:  false,
+		},
+		"invalid keys (ecdsa)": {
+			Token:       ecdsaToken,
+			Client:      nil,
+			Keys:        []interface{}{getPublicKey(otherPublicKey), getPublicKey(rsaPublicKey)},
+			ExpectedErr: true,
+			ExpectedOK:  false,
+		},
+		"valid key (rsa)": {
+			Token:            rsaToken,
+			Client:           nil,
+			Keys:             []interface{}{getPublicKey(rsaPublicKey)},
+			ExpectedErr:      false,
+			ExpectedOK:       true,
+			ExpectedUserName: expectedUserName,
+			ExpectedUserUID:  expectedUserUID,
+			ExpectedGroups:   []string{"system:serviceaccounts", "system:serviceaccounts:test"},
+		},
+		"valid key (ecdsa)": {
+			Token:            ecdsaToken,
+			Client:           nil,
+			Keys:             []interface{}{getPublicKey(ecdsaPublicKey)},
+			ExpectedErr:      false,
+			ExpectedOK:       true,
+			ExpectedUserName: expectedUserName,
+			ExpectedUserUID:  expectedUserUID,
+			ExpectedGroups:   []string{"system:serviceaccounts", "system:serviceaccounts:test"},
+		},
+		"rotated keys (rsa)": {
+			Token:            rsaToken,
+			Client:           nil,
+			Keys:             []interface{}{getPublicKey(otherPublicKey), getPublicKey(ecdsaPublicKey), getPublicKey(rsaPublicKey)},
+			ExpectedErr:      false,
+			ExpectedOK:       true,
+			ExpectedUserName: expectedUserName,
+			ExpectedUserUID:  expectedUserUID,
+			ExpectedGroups:   []string{"system:serviceaccounts", "system:serviceaccounts:test"},
+		},
+		"rotated keys (ecdsa)": {
+			Token:            ecdsaToken,
+			Client:           nil,
+			Keys:             []interface{}{getPublicKey(otherPublicKey), getPublicKey(rsaPublicKey), getPublicKey(ecdsaPublicKey)},
+			ExpectedErr:      false,
+			ExpectedOK:       true,
+			ExpectedUserName: expectedUserName,
+			ExpectedUserUID:  expectedUserUID,
+			ExpectedGroups:   []string{"system:serviceaccounts", "system:serviceaccounts:test"},
+		},
+		"valid lookup": {
+			Token:            rsaToken,
+			Client:           fake.NewSimpleClientset(serviceAccount, rsaSecret, ecdsaSecret),
+			Keys:             []interface{}{getPublicKey(rsaPublicKey)},
+			ExpectedErr:      false,
+			ExpectedOK:       true,
+			ExpectedUserName: expectedUserName,
+			ExpectedUserUID:  expectedUserUID,
+			ExpectedGroups:   []string{"system:serviceaccounts", "system:serviceaccounts:test"},
+		},
+		"invalid secret lookup": {
+			Token:       rsaToken,
+			Client:      fake.NewSimpleClientset(serviceAccount),
+			Keys:        []interface{}{getPublicKey(rsaPublicKey)},
+			ExpectedErr: true,
+			ExpectedOK:  false,
+		},
+		"invalid serviceaccount lookup": {
+			Token:       rsaToken,
+			Client:      fake.NewSimpleClientset(rsaSecret, ecdsaSecret),
+			Keys:        []interface{}{getPublicKey(rsaPublicKey)},
+			ExpectedErr: true,
+			ExpectedOK:  false,
+		},
+	}
+
+	for k, tc := range testCases {
+		getter := serviceaccountcontroller.NewGetterFromClient(tc.Client)
+		authenticator := serviceaccount.JWTTokenAuthenticator(tc.Keys, tc.Client != nil, getter)
+
+		// An invalid, non-JWT token should always fail
+		if _, ok, err := authenticator.AuthenticateToken("invalid token"); err != nil || ok {
+			t.Errorf("%s: Expected err=nil, ok=false for non-JWT token", k)
+			continue
+		}
+
+		user, ok, err := authenticator.AuthenticateToken(tc.Token)
+		if (err != nil) != tc.ExpectedErr {
+			t.Errorf("%s: Expected error=%v, got %v", k, tc.ExpectedErr, err)
+			continue
+		}
+
+		if ok != tc.ExpectedOK {
+			t.Errorf("%s: Expected ok=%v, got %v", k, tc.ExpectedOK, ok)
+			continue
+		}
+
+		if err != nil || !ok {
+			continue
+		}
+
+		if user.GetName() != tc.ExpectedUserName {
+			t.Errorf("%s: Expected username=%v, got %v", k, tc.ExpectedUserName, user.GetName())
+			continue
+		}
+		if user.GetUID() != tc.ExpectedUserUID {
+			t.Errorf("%s: Expected userUID=%v, got %v", k, tc.ExpectedUserUID, user.GetUID())
+			continue
+		}
+		if !reflect.DeepEqual(user.GetGroups(), tc.ExpectedGroups) {
+			t.Errorf("%s: Expected groups=%v, got %v", k, tc.ExpectedGroups, user.GetGroups())
+			continue
+		}
+	}
+}
+
+func TestMakeSplitUsername(t *testing.T) {
+	username := apiserverserviceaccount.MakeUsername("ns", "name")
+	ns, name, err := apiserverserviceaccount.SplitUsername(username)
+	if err != nil {
+		t.Errorf("Unexpected error %v", err)
+	}
+	if ns != "ns" || name != "name" {
+		t.Errorf("Expected ns/name, got %s/%s", ns, name)
+	}
+
+	invalid := []string{"test", "system:serviceaccount", "system:serviceaccount:", "system:serviceaccount:ns", "system:serviceaccount:ns:name:extra"}
+	for _, n := range invalid {
+		_, _, err := apiserverserviceaccount.SplitUsername("test")
+		if err == nil {
+			t.Errorf("Expected error for %s", n)
+		}
+	}
+}
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
@ -0,0 +1,74 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+	"k8s.io/api/core/v1"
+	apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+	"k8s.io/apiserver/pkg/authentication/user"
+	api "k8s.io/kubernetes/pkg/apis/core"
+)
+
+// UserInfo returns a user.Info interface for the given namespace, service account name and UID
+func UserInfo(namespace, name, uid string) user.Info {
+	return &user.DefaultInfo{
+		Name:   apiserverserviceaccount.MakeUsername(namespace, name),
+		UID:    uid,
+		Groups: apiserverserviceaccount.MakeGroupNames(namespace),
+	}
+}
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
+	if secret.Type != v1.SecretTypeServiceAccountToken {
+		return false
+	}
+
+	name := secret.Annotations[v1.ServiceAccountNameKey]
+	uid := secret.Annotations[v1.ServiceAccountUIDKey]
+	if name != sa.Name {
+		// Name must match
+		return false
+	}
+	if len(uid) > 0 && uid != string(sa.UID) {
+		// If UID is specified, it must match
+		return false
+	}
+
+	return true
+}
+
+// TODO: remove the duplicate code
+// InternalIsServiceAccountToken returns true if the secret is a valid api token for the service account
+func InternalIsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool {
+	if secret.Type != api.SecretTypeServiceAccountToken {
+		return false
+	}
+
+	name := secret.Annotations[api.ServiceAccountNameKey]
+	uid := secret.Annotations[api.ServiceAccountUIDKey]
+	if name != sa.Name {
+		// Name must match
+		return false
+	}
+	if len(uid) > 0 && uid != string(sa.UID) {
+		// If UID is specified, it must match
+		return false
+	}
+
+	return true
+}