Bumping k8s dependencies to 1.13

2018-11-16 14:08:25 -08:00
parent 305407125c
commit b4c0b68ec7
8002 changed files with 884099 additions and 276228 deletions
--- a/vendor/k8s.io/kubernetes/pkg/serviceaccount/claims.go
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/claims.go
@@ -94,11 +94,11 @@ type validator struct {

 var _ = Validator(&validator{})

-func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (string, string, string, error) {
+func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{}) (*ServiceAccountInfo, error) {
 	private, ok := privateObj.(*privateClaims)
 	if !ok {
 		glog.Errorf("jwt validator expected private claim of type *privateClaims but got: %T", privateObj)
-		return "", "", "", errors.New("Token could not be validated.")
+		return nil, errors.New("Token could not be validated.")
 	}
 	err := public.Validate(jwt.Expected{
 		Time: now(),
@@ -106,10 +106,10 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	switch {
 	case err == nil:
 	case err == jwt.ErrExpired:
-		return "", "", "", errors.New("Token has expired.")
+		return nil, errors.New("Token has expired.")
 	default:
 		glog.Errorf("unexpected validation error: %T", err)
-		return "", "", "", errors.New("Token could not be validated.")
+		return nil, errors.New("Token could not be validated.")
 	}

 	var audValid bool
@@ -122,7 +122,7 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	}

 	if !audValid {
-		return "", "", "", errors.New("Token is invalid for this audience.")
+		return nil, errors.New("Token is invalid for this audience.")
 	}

 	namespace := private.Kubernetes.Namespace
@@ -133,15 +133,15 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 	serviceAccount, err := v.getter.GetServiceAccount(namespace, saref.Name)
 	if err != nil {
 		glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, saref.Name, err)
-		return "", "", "", err
+		return nil, err
 	}
 	if serviceAccount.DeletionTimestamp != nil {
 		glog.V(4).Infof("Service account has been deleted %s/%s", namespace, saref.Name)
-		return "", "", "", fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
+		return nil, fmt.Errorf("ServiceAccount %s/%s has been deleted", namespace, saref.Name)
 	}
 	if string(serviceAccount.UID) != saref.UID {
 		glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, saref.Name, string(serviceAccount.UID), saref.UID)
-		return "", "", "", fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
+		return nil, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, saref.UID)
 	}

 	if secref != nil {
@@ -149,36 +149,45 @@ func (v *validator) Validate(_ string, public *jwt.Claims, privateObj interface{
 		secret, err := v.getter.GetSecret(namespace, secref.Name)
 		if err != nil {
 			glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, secref.Name, namespace, saref.Name, err)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if secret.DeletionTimestamp != nil {
 			glog.V(4).Infof("Bound secret is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, secref.Name, namespace, saref.Name)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if secref.UID != string(secret.UID) {
 			glog.V(4).Infof("Secret UID no longer matches %s/%s: %q != %q", namespace, secref.Name, string(secret.UID), secref.UID)
-			return "", "", "", fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
+			return nil, fmt.Errorf("Secret UID (%s) does not match claim (%s)", secret.UID, secref.UID)
 		}
 	}

+	var podName, podUID string
 	if podref != nil {
 		// Make sure token hasn't been invalidated by deletion of the pod
 		pod, err := v.getter.GetPod(namespace, podref.Name)
 		if err != nil {
-			glog.V(4).Infof("Could not retrieve bound secret %s/%s for service account %s/%s: %v", namespace, podref.Name, namespace, saref.Name, err)
-			return "", "", "", errors.New("Token has been invalidated")
+			glog.V(4).Infof("Could not retrieve bound pod %s/%s for service account %s/%s: %v", namespace, podref.Name, namespace, saref.Name, err)
+			return nil, errors.New("Token has been invalidated")
 		}
 		if pod.DeletionTimestamp != nil {
 			glog.V(4).Infof("Bound pod is deleted and awaiting removal: %s/%s for service account %s/%s", namespace, podref.Name, namespace, saref.Name)
-			return "", "", "", errors.New("Token has been invalidated")
+			return nil, errors.New("Token has been invalidated")
 		}
 		if podref.UID != string(pod.UID) {
 			glog.V(4).Infof("Pod UID no longer matches %s/%s: %q != %q", namespace, podref.Name, string(pod.UID), podref.UID)
-			return "", "", "", fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
+			return nil, fmt.Errorf("Pod UID (%s) does not match claim (%s)", pod.UID, podref.UID)
 		}
+		podName = podref.Name
+		podUID = podref.UID
 	}

-	return private.Kubernetes.Namespace, private.Kubernetes.Svcacct.Name, private.Kubernetes.Svcacct.UID, nil
+	return &ServiceAccountInfo{
+		Namespace: private.Kubernetes.Namespace,
+		Name:      private.Kubernetes.Svcacct.Name,
+		UID:       private.Kubernetes.Svcacct.UID,
+		PodName:   podName,
+		PodUID:    podUID,
+	}, nil
 }

 func (v *validator) NewPrivateClaims() interface{} {