Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go')
-rw-r--r--vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go74
1 files changed, 74 insertions, 0 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go b/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
new file mode 100644
index 000000000..1fd5bd899
--- /dev/null
+++ b/vendor/k8s.io/kubernetes/pkg/serviceaccount/util.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package serviceaccount
+
+import (
+ apiserverserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/kubernetes/pkg/api"
+ "k8s.io/kubernetes/pkg/api/v1"
+)
+
+// UserInfo returns a user.Info interface for the given namespace, service account name and UID
+func UserInfo(namespace, name, uid string) user.Info {
+ return &user.DefaultInfo{
+ Name: apiserverserviceaccount.MakeUsername(namespace, name),
+ UID: uid,
+ Groups: apiserverserviceaccount.MakeGroupNames(namespace, name),
+ }
+}
+
+// IsServiceAccountToken returns true if the secret is a valid api token for the service account
+func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool {
+ if secret.Type != v1.SecretTypeServiceAccountToken {
+ return false
+ }
+
+ name := secret.Annotations[v1.ServiceAccountNameKey]
+ uid := secret.Annotations[v1.ServiceAccountUIDKey]
+ if name != sa.Name {
+ // Name must match
+ return false
+ }
+ if len(uid) > 0 && uid != string(sa.UID) {
+ // If UID is specified, it must match
+ return false
+ }
+
+ return true
+}
+
+// TODO: remove the duplicate code
+// InternalIsServiceAccountToken returns true if the secret is a valid api token for the service account
+func InternalIsServiceAccountToken(secret *api.Secret, sa *api.ServiceAccount) bool {
+ if secret.Type != api.SecretTypeServiceAccountToken {
+ return false
+ }
+
+ name := secret.Annotations[api.ServiceAccountNameKey]
+ uid := secret.Annotations[api.ServiceAccountUIDKey]
+ if name != sa.Name {
+ // Name must match
+ return false
+ }
+ if len(uid) > 0 && uid != string(sa.UID) {
+ // If UID is specified, it must match
+ return false
+ }
+
+ return true
+}