1 - Overview
authentication API
Introduction
The core function of the authentication API is to handle identity authentication for the Kubernetes cluster, ensuring that the source of each request is legitimate.
Its main responsibilities include:
- Verify the requester's identity:
  - Confirm the identity credentials of users, ServiceAccounts or external systems
- Support multiple authentication mechanisms:
  - X.509 client certificates
  - Bearer tokens (such as ServiceAccount tokens)
  - Identity proxies (OIDC, LDAP, etc.)
- Provide authentication configuration management:
  - Manage TLS certificate configuration
  - Manage ServiceAccount token issuance
Core API resource types
The following key resources are defined in authentication.k8s.io/v1 and in the core API group:
(1) TokenReview
// Used to verify the validity of a Bearer token
type TokenReview struct {
	metav1.TypeMeta `json:",inline"`
	Spec   TokenReviewSpec   `json:"spec"`
	Status TokenReviewStatus `json:"status,omitempty"`
}
Key fields:
- spec.token: the token string to be verified
- status.authenticated: the verification result (true/false)
- status.user: the user information returned after successful authentication (username, groups, etc.)
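As an added example (not code from this page or from Kubernetes itself), here is the server side of the exchange that TokenReview carries: a webhook token authenticator receives a TokenReview with spec.token filled in and answers by filling in status only. The types are a local mirror of the page's struct with TypeMeta flattened, and the token store and its single token are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Minimal local mirror of the TokenReview wire format on this page, with TypeMeta's apiVersion/kind
// flattened; the real types live in k8s.io/api/authentication/v1 and are not imported so this runs offline.
type UserInfo struct {
	Username string   `json:"username,omitempty"`
	Groups   []string `json:"groups,omitempty"`
}
type TokenReviewSpec struct {
	Token string `json:"token"`
}
type TokenReviewStatus struct {
	Authenticated bool     `json:"authenticated"`
	User          UserInfo `json:"user,omitempty"`
	Error         string   `json:"error,omitempty"`
}
type TokenReview struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Spec       TokenReviewSpec   `json:"spec"`
	Status     TokenReviewStatus `json:"status,omitempty"`
}
// knownTokens is a constructed, hypothetical credential store for the example.
var knownTokens = map[string]UserInfo{
	"tok-ci-example": {Username: "ci-bot", Groups: []string{"system:authenticated", "ci"}},
}
// Review answers a TokenReview the way a webhook token authenticator does: it fills only status, trusts
// nothing in the request beyond spec.token, and compares every entry in constant time so timing leaks nothing.
func Review(in TokenReview) TokenReview {
	out := TokenReview{APIVersion: in.APIVersion, Kind: "TokenReview"}
	if in.Kind != "TokenReview" || in.Spec.Token == "" {
		out.Status.Error = "malformed TokenReview"
		return out
	}
	for t, u := range knownTokens {
		if subtle.ConstantTimeCompare([]byte(t), []byte(in.Spec.Token)) == 1 {
			out.Status = TokenReviewStatus{Authenticated: true, User: u}
		}
	}
	return out
}
func main() {
	in := TokenReview{APIVersion: "authentication.k8s.io/v1", Kind: "TokenReview", Spec: TokenReviewSpec{Token: "tok-ci-example"}}
	fmt.Printf("%+v\n", Review(in).Status)
}
```

An unknown token yields status.authenticated=false with an empty user, and a request whose kind is not TokenReview is rejected via status.error rather than being evaluated.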
(2) CertificateSigningRequest (CSR)
// Defined in certificates.k8s.io/v1, but used in the authentication flow
type CertificateSigningRequest struct {
	metav1.TypeMeta `json:",inline"`
	Spec CertificateSigningRequestSpec `json:"spec"`
}
Key fields:
- spec.request: the PEM-encoded certificate signing request
- spec.signerName: specifies the signing purpose (e.g. kubernetes.io/kube-apiserver-client)
(3) ServiceAccount
// Defined in the core v1 API, used for Pod identity authentication
type ServiceAccount struct {
	metav1.TypeMeta `json:",inline"`
	Secrets []ObjectReference `json:"secrets,omitempty"` // Associated token Secrets
}
2 - types.go
authentication API types
TokenReview
type TokenReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec holds information about the request being evaluated
	Spec TokenReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
	// Status is filled in by the server and indicates whether the request can be authenticated.
	// +optional
	Status TokenReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
TokenRequest
// TokenRequest requests a token for a given service account.
type TokenRequest struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Spec holds information about the request being evaluated
	Spec TokenRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
	// Status is filled in by the server and indicates whether the token can be authenticated.
	// +optional
	Status TokenRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
SelfSubjectReview
// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or
// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
type SelfSubjectReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Status is filled in by the server with the user attributes.
	Status SelfSubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
3 - register.go
authentication API type registration
Registered types:
func addKnownTypes(scheme *runtime.Scheme) error {
	scheme.AddKnownTypes(SchemeGroupVersion,
		&TokenReview{},
		&TokenRequest{},
		&SelfSubjectReview{},
	)
	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
	return nil
}