if we have a dedicated serviceaccount keypair, use it to verify serviceaccounts #44169
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
mikedanese
commented
Apr 6, 2017
•
mikedanese
commented
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, mikedanese
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
do-not-merge
|
@k8s-bot gce etcd3 e2e test this |
mikedanese
added
release-note-none
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 42025, 44169, 43940) |
liggitt
reviewed
Apr 7, 2017
| @@ -1004,6 +1004,9 @@ function start-kube-apiserver { | |||
| params+=" --kubelet-client-certificate=${APISERVER_CLIENT_CERT_PATH}" | |||
| params+=" --kubelet-client-key=${APISERVER_CLIENT_KEY_PATH}" | |||
| fi | |||
| if [[ -n "${SERVICEACCOUNT_CERT_PATH:-}" ]]; then | |||
There was a problem hiding this comment.
who is calling this a cert? it's a key, right?
There was a problem hiding this comment.
shouldn't this be SERVICEACCOUNT_KEY_PATH?
There was a problem hiding this comment.
huh, I guess this works because we'll parse the public key out of the certificate...
// Parse the key
var parsedKey interface{}
if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
parsedKey = cert.PublicKey
} else {
return nil, err
}
}didn't see that coming...
This was referenced Apr 7, 2017
k8s-github-robot
pushed a commit
that referenced
this pull request
Apr 11, 2017
…4169-release-1.5 Automatic merge from submit-queue Automated cherry pick of #44169 release 1.5
enisoc
added
release-note
mintzhao
pushed a commit
to mintzhao/kubernetes
that referenced
this pull request
Jun 1, 2017
…pick-of-#44169-release-1.6 Automatic merge from submit-queue Automated cherry pick of kubernetes#44169 release 1.6 kubernetes#44169 ```release-note Fix [broken service accounts when using dedicated service account key](kubernetes#44285). ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.