Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go')
-rw-r--r-- | vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go b/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
new file mode 100644
index 000000000..1fd5bd899
--- /dev/null
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+ apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/api/v1"
+)
+
+// UserInfo returns a user.Info interface for the given namespace, service account name and UID
+func UserInfo(namespace, name, uid string) user.Info {
+ return &user.DefaultInfo{
+ Name: apiserverserviceaccount.MakeUsername(namespace, name),
+ UID: uid,
+ Groups: apiserverserviceaccount.MakeGroupNames(namespace, name),
+ }
+}
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
+ if secret.Type != v1.SecretTypeServiceAccountToken {
+ return false
+ }
+
+ name := secret.Annotations[v1.ServiceAccountNameKey]
+ uid := secret.Annotations[v1.ServiceAccountUIDKey]
+ if name != sa.Name {
+ // Name must match
+ return false
+ }
+ if len(uid) > 0 && uid != string(sa.UID) {
+ // If UID is specified, it must match
+ return false
+ }
+
+ return true
+}
+
+// TODO: remove the duplicate code
+// InternalIsServiceAccountToken returns true if the secret is a valid api token for the service account
+func InternalIsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool {
+ if secret.Type != api.SecretTypeServiceAccountToken {
+ return false
+ }
+
+ name := secret.Annotations[api.ServiceAccountNameKey]
+ uid := secret.Annotations[api.ServiceAccountUIDKey]
+ if name != sa.Name {
+ // Name must match
+ return false
+ }
+ if len(uid) > 0 && uid != string(sa.UID) {
+ // If UID is specified, it must match
+ return false
+ }
+
+ return true
+} |