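├── .dockerignore
├── .gitignore
├── .travis.yml
├── Dockerfile
├── LICENSE.txt
├── Makefile
├── README.md
├── glide.lock
├── glide.yaml
├── hooks
│   └── pre_build
├── main.go
└── manifests
    ├── admin-cluster-role.yaml
    ├── github-authn.yaml
    └── token-webhook-config.json
--------------------------------------------------------------------------------
/.dockerignore:
--------------------------------------------------------------------------------
.git
vendor
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
vendor
_output
--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: go

go: 1.7.5

go_import_path: github.com/oursky/kubernetes-github-authn

before_install:
  # NOTE(review): glide is fetched from its default branch at build time with no
  # version pin, so CI builds are neither reproducible nor insulated from an
  # upstream compromise of that repository. Pin a release (or vendor the tool).
  - go get github.com/Masterminds/glide

install:
  - glide install
  - go install

script:
  - make build
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# Runtime image for the GitHub webhook token authenticator. The binary is built
# outside this Dockerfile (`make build` writes _output/main, see Makefile).
#
# TODO(review): alpine:3.4 is past end of life and receives no security fixes.
# Move to a maintained release and pin the base by digest
# (alpine:<ver>@sha256:...): this image decides who may authenticate to the
# cluster, so its supply chain deserves the same care as the apiserver's.
FROM alpine:3.4

# CA bundle so the TLS connection to api.github.com can be verified.
RUN apk --no-cache --update add ca-certificates

COPY _output/main /boot

# Drop root. The server only needs to bind an unprivileged port (3000 by
# default) and read the CA bundle; `nobody` (uid 65534) exists in the Alpine
# base image. Without this line the process runs as root in a hostNetwork pod
# on the master node.
USER nobody

CMD ["/boot"]
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.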
14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | REPO := oursky/kubernetes-github-authn 2 | IMAGE_NAME := $(REPO) 3 | GO_SRC_PATH := /go/src/github.com/$(REPO) 4 | PORT := 8080 5 | 6 | ifeq (1,${WITH_DOCKER}) 7 | DOCKER_RUN := docker run --rm -i \ 8 | -v `pwd`:$(GO_SRC_PATH) \ 9 | -w $(GO_SRC_PATH) 10 | GO_RUN := $(DOCKER_RUN) golang:1.7.5-alpine 11 | GLIDE_RUN := $(DOCKER_RUN) -e GLIDE_HOME=/root/.glide lwolf/golang-glide 12 | endif 13 | 14 | .PHONY: build 15 | build: 16 | $(GO_RUN) go build -o _output/main main.go 17 | 18 | .PHONY: vendor 19 | vendor: 20 | $(GLIDE_RUN) glide install 21 | 22 | .PHONY: clean 23 | clean: 24 | rm -rf _output 25 | 26 | .PHONY: docker-build 27 | docker-build: 28 | WITH_DOCKER=1 make build 29 | docker build -t $(IMAGE_NAME) . 

.PHONY: docker-run
docker-run:
	docker run -it --rm -p $(PORT):3000 $(IMAGE_NAME)
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Kubernetes Webhook Token Authenticator for GitHub

This project implements a Kubernetes [Webhook Token
Authenticator](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication)
for authenticating users with a GitHub Personal Access Token.

When a user tries to authenticate to the Kubernetes API, the Kubernetes apiserver
calls this authenticator to verify the bearer token. The authenticator checks
whether the access token is valid by calling the GitHub API and returns the GitHub
username to the apiserver.

Be clear about what this does and does not establish: any GitHub account that
presents a valid token is authenticated; organization or team membership is not
checked. You must therefore configure the Kubernetes apiserver with an
[authorization plugin](https://kubernetes.io/docs/admin/authorization/) to
control which Kubernetes resources a user can access. If the apiserver runs with
the `AlwaysAllow` authorizer, every GitHub account holder has full control of
the cluster.

## How to use

First of all, you need to run the authenticator using the example [DaemonSet
manifest](manifests/github-authn.yaml). It is recommended to run the
authenticator on your Kubernetes master using host networking so that the
apiserver can access the authenticator through the loopback interface.

The webhook speaks plain HTTP and receives each user's GitHub token in the
request body, so nothing other than the apiserver should be able to reach it.
Unless restricted, the authenticator binds port 3000 on every interface of the
master; bind it to loopback or block that port with the host firewall.

Review the manifest before applying it: the command below fetches it from the
`master` branch, and the manifest pulls the `oursky/kubernetes-github-authn`
image without a pinned tag or digest, so the component that decides who can
authenticate to your cluster is whatever is currently published under that
name. For anything beyond a trial, build the image yourself and pin it by
digest.

```
kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/github-authn.yaml
```

Confirm that the authenticator is running:

```
kubectl get ds -l k8s-app=github-authn -n kube-system
```

Next, configure the apiserver to verify bearer tokens using this authenticator.
There are two configuration options you need to set:

* `--authentication-token-webhook-config-file` a kubeconfig file describing how to
  access the remote webhook service.
* `--authentication-token-webhook-cache-ttl` how long to cache authentication
  decisions. Defaults to two minutes. A cached decision is not re-checked
  against GitHub until it expires, so a token revoked on GitHub keeps working
  against the apiserver for up to this long; keep the TTL short.

Check the [example config file](manifests/token-webhook-config.json) and save
this file on the Kubernetes master, readable only by the apiserver. Set the path
to this config file with the configuration option above. The example points the
apiserver at `http://localhost:3000/authenticate` over plain HTTP, which is only
acceptable because the call stays on the loopback interface. As shipped, the
authenticator does not check the `token` value in this file, so that value does
not by itself restrict who can call the webhook.

It is recommended you read the [Kubernetes
documentation](https://kubernetes.io/docs/admin/authentication/#webhook-token-authentication) for how to configure
webhook token authentication.

## Authorization with role-based access control (RBAC)

Kubernetes supports multiple [authorization
plugins](https://kubernetes.io/docs/admin/authorization) and we recommend
you choose role-based access control (RBAC) because permission settings can be
managed through the Kubernetes API. Permissions are granted according to the
roles bound to the authenticated user. The username seen by RBAC is the GitHub
login; GitHub logins can be renamed, and a released login can later be claimed
by a different account, so review role bindings whenever someone leaves your
organization.

Suppose that we have a user called `johndoe` and this user has administrative
access to the project `project1`. First of all, we need to define a new role
called `admin` which can control all resources. Be aware that this role grants
every verb on every resource and non-resource URL, i.e. it is equivalent to the
built-in `cluster-admin` role when bound cluster-wide, and that recent Kubernetes
releases ship a default ClusterRole also named `admin`, with which this manifest
may conflict; consider giving the role a distinct name.

```
kubectl create -f https://raw.githubusercontent.com/oursky/kubernetes-github-authn/master/manifests/admin-cluster-role.yaml
```

We need to assign `johndoe` to this `admin` role so that he has control of
all the resources in the namespace `project1`.
68 | 69 | ``` 70 | kubectl create namespace project1 71 | kubectl create rolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe --namespace=project1 72 | ``` 73 | 74 | If we want to assign `johndoe` to the `admin` role in all namespaces instead of 75 | just the `project1` namespace, create a `ClusterRoleBinding` instead of 76 | a `RoleBinding`: 77 | 78 | ``` 79 | kubectl create clusterrolebinding johndoe-admin-binding --clusterrole=admin --user=johndoe 80 | ``` 81 | 82 | Read the [Kubernetes 83 | documentation](https://kubernetes.io/docs/admin/authorization/rbac/) to learn 84 | more about how to configure your apiserver to use RBAC. 85 | -------------------------------------------------------------------------------- /glide.lock: -------------------------------------------------------------------------------- 1 | hash: 6f6f645db3a4423c4835188db4ff1a4c8ca43c2a7a1e0a0b651706938c85a54d 2 | updated: 2017-04-06T10:31:09.042561872+08:00 3 | imports: 4 | - name: github.com/davecgh/go-spew 5 | version: 5215b55f46b2b919f50a1df0eaa5886afe4e3b3d 6 | subpackages: 7 | - spew 8 | - name: github.com/docker/distribution 9 | version: cd27f179f2c10c5d300e6d09025b538c475b0d51 10 | subpackages: 11 | - digest 12 | - reference 13 | - name: github.com/emicklei/go-restful 14 | version: 89ef8af493ab468a45a42bb0d89a06fccdd2fb22 15 | subpackages: 16 | - log 17 | - swagger 18 | - name: github.com/ghodss/yaml 19 | version: 73d445a93680fa1a78ae23a5839bad48f32ba1ee 20 | - name: github.com/go-openapi/jsonpointer 21 | version: 46af16f9f7b149af66e5d1bd010e3574dc06de98 22 | - name: github.com/go-openapi/jsonreference 23 | version: 13c6e3589ad90f49bd3e3bbe2c2cb3d7a4142272 24 | - name: github.com/go-openapi/spec 25 | version: 6aced65f8501fe1217321abf0749d354824ba2ff 26 | - name: github.com/go-openapi/swag 27 | version: 1d0bd113de87027671077d3c71eb3ac5d7dbba72 28 | - name: github.com/gogo/protobuf 29 | version: e18d7aa8f8c624c915db340349aad4c49b10d173 30 | subpackages: 31 | - proto 32 | - 
sortkeys 33 | - name: github.com/golang/glog 34 | version: 44145f04b68cf362d9c4df2182967c2275eaefed 35 | - name: github.com/golang/protobuf 36 | version: 8616e8ee5e20a1704615e6c8d7afcdac06087a67 37 | subpackages: 38 | - proto 39 | - name: github.com/google/go-github 40 | version: 12363ffc10018c93407ebf303040586d55957271 41 | subpackages: 42 | - github 43 | - name: github.com/google/go-querystring 44 | version: 53e6ce116135b80d037921a7fdd5138cf32d7a8a 45 | subpackages: 46 | - query 47 | - name: github.com/google/gofuzz 48 | version: bbcb9da2d746f8bdbd6a936686a0a6067ada0ec5 49 | - name: github.com/mailru/easyjson 50 | version: d5b7844b561a7bc640052f1b935f7b800330d7e0 51 | subpackages: 52 | - buffer 53 | - jlexer 54 | - jwriter 55 | - name: github.com/pborman/uuid 56 | version: ca53cad383cad2479bbba7f7a1a05797ec1386e4 57 | - name: github.com/PuerkitoBio/purell 58 | version: 8a290539e2e8629dbc4e6bad948158f790ec31f4 59 | - name: github.com/PuerkitoBio/urlesc 60 | version: 5bd2802263f21d8788851d5305584c82a5c75d7e 61 | - name: github.com/spf13/pflag 62 | version: 5ccb023bc27df288a957c5e994cd44fd19619465 63 | - name: github.com/ugorji/go 64 | version: f1f1a805ed361a0e078bb537e4ea78cd37dcf065 65 | subpackages: 66 | - codec 67 | - name: golang.org/x/net 68 | version: e90d6d0afc4c315a0d87a568ae68577cc15149a0 69 | subpackages: 70 | - context 71 | - http2 72 | - http2/hpack 73 | - idna 74 | - lex/httplex 75 | - name: golang.org/x/oauth2 76 | version: 7fdf09982454086d5570c7db3e11f360194830ca 77 | subpackages: 78 | - internal 79 | - name: golang.org/x/text 80 | version: 2910a502d2bf9e43193af9d68ca516529614eed3 81 | subpackages: 82 | - cases 83 | - internal/tag 84 | - language 85 | - runes 86 | - secure/bidirule 87 | - secure/precis 88 | - transform 89 | - unicode/bidi 90 | - unicode/norm 91 | - width 92 | - name: google.golang.org/appengine 93 | version: 4f7eeb5305a4ba1966344836ba4af9996b7b4e05 94 | subpackages: 95 | - internal 96 | - internal/app_identity 97 | - internal/base 98 
| - internal/datastore 99 | - internal/log 100 | - internal/modules 101 | - internal/remote_api 102 | - internal/urlfetch 103 | - urlfetch 104 | - name: gopkg.in/inf.v0 105 | version: 3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4 106 | - name: gopkg.in/yaml.v2 107 | version: 53feefa2559fb8dfa8d81baad31be332c97d6c77 108 | - name: k8s.io/client-go 109 | version: e121606b0d09b2e1c467183ee46217fa85a6b672 110 | subpackages: 111 | - pkg/api 112 | - pkg/api/meta 113 | - pkg/api/meta/metatypes 114 | - pkg/api/resource 115 | - pkg/api/unversioned 116 | - pkg/api/v1 117 | - pkg/apis/authentication 118 | - pkg/apis/authentication/v1beta1 119 | - pkg/apis/autoscaling 120 | - pkg/apis/batch 121 | - pkg/apis/extensions 122 | - pkg/auth/user 123 | - pkg/conversion 124 | - pkg/conversion/queryparams 125 | - pkg/fields 126 | - pkg/genericapiserver/openapi/common 127 | - pkg/labels 128 | - pkg/runtime 129 | - pkg/runtime/serializer 130 | - pkg/runtime/serializer/json 131 | - pkg/runtime/serializer/protobuf 132 | - pkg/runtime/serializer/recognizer 133 | - pkg/runtime/serializer/streaming 134 | - pkg/runtime/serializer/versioning 135 | - pkg/selection 136 | - pkg/third_party/forked/golang/reflect 137 | - pkg/types 138 | - pkg/util 139 | - pkg/util/errors 140 | - pkg/util/framer 141 | - pkg/util/intstr 142 | - pkg/util/json 143 | - pkg/util/labels 144 | - pkg/util/net 145 | - pkg/util/parsers 146 | - pkg/util/rand 147 | - pkg/util/runtime 148 | - pkg/util/sets 149 | - pkg/util/uuid 150 | - pkg/util/validation 151 | - pkg/util/validation/field 152 | - pkg/util/wait 153 | - pkg/util/yaml 154 | - pkg/watch 155 | - pkg/watch/versioned 156 | testImports: [] 157 | -------------------------------------------------------------------------------- /glide.yaml: -------------------------------------------------------------------------------- 1 | package: github.com/oursky/kubernetes-github-authn 2 | import: 3 | - package: github.com/google/go-github 4 | subpackages: 5 | - github 6 | - package: 
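golang.org/x/oauth2
- package: k8s.io/client-go
  version: ~2.0.0
  subpackages:
  - pkg/apis/authentication/v1beta1
--------------------------------------------------------------------------------
/hooks/pre_build:
--------------------------------------------------------------------------------
#!/bin/sh

make vendor WITH_DOCKER=1
make build WITH_DOCKER=1
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
// Command kubernetes-github-authn is a Kubernetes webhook token authenticator.
// The apiserver POSTs a TokenReview whose Spec.Token is the bearer token a
// client presented; the service treats it as a GitHub personal access token,
// asks GitHub who owns it, and answers with a TokenReview carrying the GitHub
// login as the Kubernetes username.
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/google/go-github/github"
	"golang.org/x/oauth2"
	authentication "k8s.io/client-go/pkg/apis/authentication/v1beta1"
)

const (
	// defaultListenAddr preserves the historical bind address (every interface,
	// port 3000). Set LISTEN_ADDR=127.0.0.1:3000 when the apiserver reaches the
	// webhook over loopback, which is the deployment the README recommends; the
	// webhook is plain HTTP and every request carries a user's GitHub token.
	defaultListenAddr = ":3000"

	// maxBodyBytes bounds how much of the apiserver's TokenReview body is read.
	// A real review is a few hundred bytes; the cap stops a misbehaving client
	// from forcing an unbounded allocation.
	maxBodyBytes = 1 << 20

	// githubTimeout bounds one GitHub API round trip so a slow or unreachable
	// api.github.com cannot hold apiserver authentication requests open.
	githubTimeout = 10 * time.Second
)

// rejected is the status body returned for every review that is not accepted.
var rejected = authentication.TokenReviewStatus{Authenticated: false}

// writeReview serialises a TokenReview response with the given HTTP status.
// The apiVersion/kind envelope matches the object the apiserver posted.
func writeReview(w http.ResponseWriter, code int, status authentication.TokenReviewStatus) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	body := map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1beta1",
		"kind":       "TokenReview",
		"status":     status,
	}
	if err := json.NewEncoder(w).Encode(body); err != nil {
		log.Println("[Error]", err.Error())
	}
}

// callerAuthorized reports whether the request carries the shared webhook
// secret as "Authorization: Bearer <secret>", which is how the apiserver
// presents the `token` of the kubeconfig user in token-webhook-config.json.
// An empty secret disables the check (the original, unauthenticated behaviour).
func callerAuthorized(r *http.Request, secret string) bool {
	if secret == "" {
		return true
	}
	const scheme = "Bearer "
	header := r.Header.Get("Authorization")
	if !strings.HasPrefix(header, scheme) {
		return false
	}
	presented := []byte(strings.TrimPrefix(header, scheme))
	// Constant-time compare so response timing leaks nothing about the secret.
	return subtle.ConstantTimeCompare(presented, []byte(secret)) == 1
}

// lookupGitHubUser verifies token by fetching the authenticated GitHub user.
// It returns the login and the numeric account id (as a string). tokenInvalid
// is true when GitHub answered 401, i.e. the token is bad or revoked, as
// opposed to a transport, rate-limit or server-side failure.
func lookupGitHubUser(ctx context.Context, token string) (login, id string, tokenInvalid bool, err error) {
	ts := oauth2.StaticTokenSource(&oauth2.Token{AccessToken: token})
	client := github.NewClient(oauth2.NewClient(ctx, ts))

	// GET /user needs no scopes, so any valid PAT is accepted here. Organization
	// membership is deliberately not checked; authorization is RBAC's job.
	user, _, err := client.Users.Get(ctx, "")
	if err != nil {
		if er, ok := err.(*github.ErrorResponse); ok && er.Response != nil &&
			er.Response.StatusCode == http.StatusUnauthorized {
			return "", "", true, err
		}
		return "", "", false, err
	}
	// go-github uses pointer fields; guard them before dereferencing so an
	// unexpected payload cannot panic the handler.
	if user == nil || user.Login == nil || user.ID == nil {
		return "", "", false, fmt.Errorf("github returned an incomplete user object")
	}
	return *user.Login, fmt.Sprintf("%d", *user.ID), false, nil
}

// authenticateHandler builds the POST /authenticate handler. secret is the
// optional shared secret the apiserver must present (see callerAuthorized).
func authenticateHandler(secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			writeReview(w, http.StatusMethodNotAllowed, rejected)
			return
		}
		if !callerAuthorized(r, secret) {
			log.Println("[Denied] request without valid webhook secret from", r.RemoteAddr)
			writeReview(w, http.StatusUnauthorized, rejected)
			return
		}

		var review authentication.TokenReview
		limited := http.MaxBytesReader(w, r.Body, maxBodyBytes)
		if err := json.NewDecoder(limited).Decode(&review); err != nil {
			log.Println("[Error]", err.Error())
			writeReview(w, http.StatusBadRequest, rejected)
			return
		}

		// Never log review.Spec.Token: it is the user's GitHub credential.
		// An empty token cannot be valid; skip the GitHub round trip.
		if review.Spec.Token == "" {
			writeReview(w, http.StatusUnauthorized, rejected)
			return
		}

		ctx, cancel := context.WithTimeout(r.Context(), githubTimeout)
		defer cancel()
		login, uid, invalid, err := lookupGitHubUser(ctx, review.Spec.Token)
		if err != nil {
			// Separate "token rejected" from "GitHub unavailable" so operators can
			// tell an attack or revocation from an outage in the logs.
			if invalid {
				log.Println("[Denied] github rejected token:", err.Error())
			} else {
				log.Println("[Error] github lookup failed:", err.Error())
			}
			// NOTE(review): the original answered 401 here. Kubernetes treats a
			// non-2xx webhook reply as a webhook error rather than a clean
			// "authenticated: false"; behaviour kept as-is, confirm the desired
			// semantics before switching this to 200.
			writeReview(w, http.StatusUnauthorized, rejected)
			return
		}

		log.Printf("[Success] login as %s (github id %s)", login, uid)
		writeReview(w, http.StatusOK, authentication.TokenReviewStatus{
			Authenticated: true,
			User: authentication.UserInfo{
				Username: login,
				// The numeric GitHub id is stable; logins can be renamed and a
				// released login can be claimed by a different account. The
				// previous code used the login as UID, which would let such an
				// account inherit the old identity in audit records.
				UID: uid,
			},
		})
	}
}

// main reads LISTEN_ADDR (default ":3000") and WEBHOOK_TOKEN (optional shared
// secret) from the environment, then serves /authenticate with read/write
// timeouts so idle or slow clients cannot pin connections indefinitely.
func main() {
	addr := os.Getenv("LISTEN_ADDR")
	if addr == "" {
		addr = defaultListenAddr
	}
	secret := os.Getenv("WEBHOOK_TOKEN")
	if secret == "" {
		log.Println("[Warn] WEBHOOK_TOKEN not set: any client that can reach", addr, "may submit token reviews")
	}

	mux := http.NewServeMux()
	mux.Handle("/authenticate", authenticateHandler(secret))

	server := &http.Server{
		Addr:    addr,
		Handler: mux,
		// WriteTimeout must exceed githubTimeout so a legitimately slow GitHub
		// answer can still be delivered to the apiserver.
		ReadTimeout:  10 * time.Second,
		WriteTimeout: githubTimeout + 5*time.Second,
	}
	log.Fatal(server.ListenAndServe())
}
--------------------------------------------------------------------------------
/manifests/admin-cluster-role.yaml:
--------------------------------------------------------------------------------
# Grants every verb on every resource in every API group plus all non-resource
# URLs. Bound through a ClusterRoleBinding this is cluster-admin; bound through
# a namespaced RoleBinding it is full control of that namespace.
# NOTE(review): Kubernetes 1.6+ ships a default ClusterRole also named `admin`;
# creating this object may fail with AlreadyExists or be reconciled against the
# built-in definition. Consider a distinct name (the README binds by this name).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
  nonResourceURLs: ["*"]
--------------------------------------------------------------------------------
/manifests/github-authn.yaml:
--------------------------------------------------------------------------------
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  labels:
    k8s-app: github-authn
  name: github-authn
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: github-authn
  template:
    metadata:
      labels:
        k8s-app: github-authn
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      containers:
      # TODO(review): pin this image by digest (oursky/kubernetes-github-authn@sha256:...).
      # With no tag it resolves to `latest`, so whoever can push to that
      # repository can replace the component that decides who is authenticated.
      - image: oursky/kubernetes-github-authn
        name: kubernetes-github-authn
        env:
        # The apiserver reaches the webhook at http://localhost:3000 (see
        # token-webhook-config.json) over plain HTTP, so bind to loopback only;
        # with hostNetwork the default ":3000" is reachable on every interface.
        - name: LISTEN_ADDR
          value: "127.0.0.1:3000"
        # Recommended: shared secret that must match the `token` of the
        # kubeconfig user in token-webhook-config.json; source it from a Secret.
        # - name: WEBHOOK_TOKEN
        #   valueFrom:
        #     secretKeyRef:
        #       name: github-authn
        #       key: webhook-token
        ports:
        - containerPort: 3000
          hostPort: 3000
          protocol: TCP
        securityContext:
          # Run as nobody regardless of the image's USER directive and keep the
          # root filesystem read-only; the server writes nothing to disk.
          runAsUser: 65534
          readOnlyRootFilesystem: true
      hostNetwork: true
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      nodeSelector:
        node-role.kubernetes.io/master: ""
      restartPolicy: Always
--------------------------------------------------------------------------------
/manifests/token-webhook-config.json: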
-------------------------------------------------------------------------------- 1 | { 2 | "kind": "Config", 3 | "apiVersion": "v1", 4 | "preferences": {}, 5 | "clusters": [ 6 | { 7 | "name": "github-authn", 8 | "cluster": { 9 | "server": "http://localhost:3000/authenticate" 10 | } 11 | } 12 | ], 13 | "users": [ 14 | { 15 | "name": "authn-apiserver", 16 | "user": { 17 | "token": "secret" 18 | } 19 | } 20 | ], 21 | "contexts": [ 22 | { 23 | "name": "webhook", 24 | "context": { 25 | "cluster": "github-authn", 26 | "user": "authn-apiserver" 27 | } 28 | } 29 | ], 30 | "current-context": "webhook" 31 | } 32 | --------------------------------------------------------------------------------