rebase: update kubernetes to v1.20.0

updated kubernetes packages to latest
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

vendor/k8s.io/apiserver/pkg/authentication/authenticator/audagnostic.go

@@ -1,90 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package authenticator
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-)
-
-func authenticate(ctx context.Context, implicitAuds Audiences, authenticate func() (*Response, bool, error)) (*Response, bool, error) {
-	targetAuds, ok := AudiencesFrom(ctx)
-	// We can remove this once api audiences is never empty. That will probably
-	// be N releases after TokenRequest is GA.
-	if !ok {
-		return authenticate()
-	}
-	auds := implicitAuds.Intersect(targetAuds)
-	if len(auds) == 0 {
-		return nil, false, nil
-	}
-	resp, ok, err := authenticate()
-	if err != nil || !ok {
-		return nil, false, err
-	}
-	if len(resp.Audiences) > 0 {
-		// maybe the authenticator was audience aware after all.
-		return nil, false, fmt.Errorf("audience agnostic authenticator wrapped an authenticator that returned audiences: %q", resp.Audiences)
-	}
-	resp.Audiences = auds
-	return resp, true, nil
-}
-
-type audAgnosticRequestAuthenticator struct {
-	implicit Audiences
-	delegate Request
-}
-
-var _ = Request(&audAgnosticRequestAuthenticator{})
-
-func (a *audAgnosticRequestAuthenticator) AuthenticateRequest(req *http.Request) (*Response, bool, error) {
-	return authenticate(req.Context(), a.implicit, func() (*Response, bool, error) {
-		return a.delegate.AuthenticateRequest(req)
-	})
-}
-
-// WrapAudienceAgnosticRequest wraps an audience agnostic request authenticator
-// to restrict its accepted audiences to a set of implicit audiences.
-func WrapAudienceAgnosticRequest(implicit Audiences, delegate Request) Request {
-	return &audAgnosticRequestAuthenticator{
-		implicit: implicit,
-		delegate: delegate,
-	}
-}
-
-type audAgnosticTokenAuthenticator struct {
-	implicit Audiences
-	delegate Token
-}
-
-var _ = Token(&audAgnosticTokenAuthenticator{})
-
-func (a *audAgnosticTokenAuthenticator) AuthenticateToken(ctx context.Context, tok string) (*Response, bool, error) {
-	return authenticate(ctx, a.implicit, func() (*Response, bool, error) {
-		return a.delegate.AuthenticateToken(ctx, tok)
-	})
-}
-
-// WrapAudienceAgnosticToken wraps an audience agnostic token authenticator to
-// restrict its accepted audiences to a set of implicit audiences.
-func WrapAudienceAgnosticToken(implicit Audiences, delegate Token) Token {
-	return &audAgnosticTokenAuthenticator{
-		implicit: implicit,
-		delegate: delegate,
-	}
-}

vendor/k8s.io/apiserver/pkg/authentication/authenticator/audiences.go

@@ -1,63 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package authenticator
-
-import "context"
-
-// Audiences is a container for the Audiences of a token.
-type Audiences []string
-
-// The key type is unexported to prevent collisions
-type key int
-
-const (
-	// audiencesKey is the context key for request audiences.
-	audiencesKey key = iota
-)
-
-// WithAudiences returns a context that stores a request's expected audiences.
-func WithAudiences(ctx context.Context, auds Audiences) context.Context {
-	return context.WithValue(ctx, audiencesKey, auds)
-}
-
-// AudiencesFrom returns a request's expected audiences stored in the request context.
-func AudiencesFrom(ctx context.Context) (Audiences, bool) {
-	auds, ok := ctx.Value(audiencesKey).(Audiences)
-	return auds, ok
-}
-
-// Has checks if Audiences contains a specific audiences.
-func (a Audiences) Has(taud string) bool {
-	for _, aud := range a {
-		if aud == taud {
-			return true
-		}
-	}
-	return false
-}
-
-// Intersect intersects Audiences with a target Audiences and returns all
-// elements in both.
-func (a Audiences) Intersect(tauds Audiences) Audiences {
-	selected := Audiences{}
-	for _, taud := range tauds {
-		if a.Has(taud) {
-			selected = append(selected, taud)
-		}
-	}
-	return selected
-}

vendor/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go

@@ -1,80 +0,0 @@
-/*
-Copyright 2014 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package authenticator
-
-import (
-	"context"
-	"net/http"
-
-	"k8s.io/apiserver/pkg/authentication/user"
-)
-
-// Token checks a string value against a backing authentication store and
-// returns a Response or an error if the token could not be checked.
-type Token interface {
-	AuthenticateToken(ctx context.Context, token string) (*Response, bool, error)
-}
-
-// Request attempts to extract authentication information from a request and
-// returns a Response or an error if the request could not be checked.
-type Request interface {
-	AuthenticateRequest(req *http.Request) (*Response, bool, error)
-}
-
-// Password checks a username and password against a backing authentication
-// store and returns a Response or an error if the password could not be
-// checked.
-type Password interface {
-	AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error)
-}
-
-// TokenFunc is a function that implements the Token interface.
-type TokenFunc func(ctx context.Context, token string) (*Response, bool, error)
-
-// AuthenticateToken implements authenticator.Token.
-func (f TokenFunc) AuthenticateToken(ctx context.Context, token string) (*Response, bool, error) {
-	return f(ctx, token)
-}
-
-// RequestFunc is a function that implements the Request interface.
-type RequestFunc func(req *http.Request) (*Response, bool, error)
-
-// AuthenticateRequest implements authenticator.Request.
-func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, error) {
-	return f(req)
-}
-
-// PasswordFunc is a function that implements the Password interface.
-type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error)
-
-// AuthenticatePassword implements authenticator.Password.
-func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) {
-	return f(ctx, user, password)
-}
-
-// Response is the struct returned by authenticator interfaces upon successful
-// authentication. It contains information about whether the authenticator
-// authenticated the request, information about the context of the
-// authentication, and information about the authenticated user.
-type Response struct {
-	// Audiences is the set of audiences the authenticator was able to validate
-	// the token against. If the authenticator is not audience aware, this field
-	// will be empty.
-	Audiences Audiences
-	// User is the UserInfo associated with the authentication context.
-	User user.Info
-}

vendor/k8s.io/apiserver/pkg/authentication/serviceaccount/util.go

@@ -17,10 +17,18 @@ limitations under the License.
 package serviceaccount
 
 import (
+	"context"
 	"fmt"
 	"strings"
 
+	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apiserver/pkg/authentication/user"
+	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+
+	"k8s.io/klog/v2"
 )
 
 const (
@@ -28,6 +36,12 @@ const (
 	ServiceAccountUsernameSeparator = ":"
 	ServiceAccountGroupPrefix       = "system:serviceaccounts:"
 	AllServiceAccountsGroup         = "system:serviceaccounts"
+	// PodNameKey is the key used in a user's "extra" to specify the pod name of
+	// the authenticating request.
+	PodNameKey = "authentication.kubernetes.io/pod-name"
+	// PodUIDKey is the key used in a user's "extra" to specify the pod UID of
+	// the authenticating request.
+	PodUIDKey = "authentication.kubernetes.io/pod-uid"
 )
 
 // MakeUsername generates a username from the given namespace and ServiceAccount name.
@@ -92,3 +106,78 @@ func MakeGroupNames(namespace string) []string {
 func MakeNamespaceGroupName(namespace string) string {
 	return ServiceAccountGroupPrefix + namespace
 }
+
+// UserInfo returns a user.Info interface for the given namespace, service account name and UID
+func UserInfo(namespace, name, uid string) user.Info {
+	return (&ServiceAccountInfo{
+		Name:      name,
+		Namespace: namespace,
+		UID:       uid,
+	}).UserInfo()
+}
+
+type ServiceAccountInfo struct {
+	Name, Namespace, UID string
+	PodName, PodUID      string
+}
+
+func (sa *ServiceAccountInfo) UserInfo() user.Info {
+	info := &user.DefaultInfo{
+		Name:   MakeUsername(sa.Namespace, sa.Name),
+		UID:    sa.UID,
+		Groups: MakeGroupNames(sa.Namespace),
+	}
+	if sa.PodName != "" && sa.PodUID != "" {
+		info.Extra = map[string][]string{
+			PodNameKey: {sa.PodName},
+			PodUIDKey:  {sa.PodUID},
+		}
+	}
+	return info
+}
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
+	if secret.Type != v1.SecretTypeServiceAccountToken {
+		return false
+	}
+
+	name := secret.Annotations[v1.ServiceAccountNameKey]
+	uid := secret.Annotations[v1.ServiceAccountUIDKey]
+	if name != sa.Name {
+		// Name must match
+		return false
+	}
+	if len(uid) > 0 && uid != string(sa.UID) {
+		// If UID is specified, it must match
+		return false
+	}
+
+	return true
+}
+
+func GetOrCreateServiceAccount(coreClient v1core.CoreV1Interface, namespace, name string) (*v1.ServiceAccount, error) {
+	sa, err := coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	if err == nil {
+		return sa, nil
+	}
+	if !apierrors.IsNotFound(err) {
+		return nil, err
+	}
+
+	// Create the namespace if we can't verify it exists.
+	// Tolerate errors, since we don't know whether this component has namespace creation permissions.
+	if _, err := coreClient.Namespaces().Get(context.TODO(), namespace, metav1.GetOptions{}); apierrors.IsNotFound(err) {
+		if _, err = coreClient.Namespaces().Create(context.TODO(), &v1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace}}, metav1.CreateOptions{}); err != nil && !apierrors.IsAlreadyExists(err) {
+			klog.Warningf("create non-exist namespace %s failed:%v", namespace, err)
+		}
+	}
+
+	// Create the service account
+	sa, err = coreClient.ServiceAccounts(namespace).Create(context.TODO(), &v1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Namespace: namespace, Name: name}}, metav1.CreateOptions{})
+	if apierrors.IsAlreadyExists(err) {
+		// If we're racing to init and someone else already created it, re-fetch
+		return coreClient.ServiceAccounts(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	}
+	return sa, err
+}

vendor/k8s.io/apiserver/pkg/authentication/user/user.go

@@ -70,6 +70,7 @@ func (i *DefaultInfo) GetExtra() map[string][]string {
 const (
 	SystemPrivilegedGroup = "system:masters"
 	NodesGroup            = "system:nodes"
+	MonitoringGroup       = "system:monitoring"
 	AllUnauthenticated    = "system:unauthenticated"
 	AllAuthenticated      = "system:authenticated"