// NewTokenAuthenticator initializes a bootstrap token authenticator.
//
// Lister is expected to be for the "kube-system" namespace.
func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator { … }

type TokenAuthenticator …

// tokenErrorf prints an error message for a secret that has matched a bearer
// token but fails to meet some other criteria.
//
//     tokenErrorf(secret, "has invalid value for key %s", key)
func tokenErrorf(s *corev1.Secret, format string, i ...interface{ … }

// AuthenticateToken tries to match the provided token to a bootstrap token secret
// in a given namespace. If found, it authenticates the token in the
// "system:bootstrappers" group and with the "system:bootstrap:(token-id)" username.
//
// All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:
//
//     apiVersion: v1
//     kind: Secret
//     metadata:
//       # Name MUST be of form "bootstrap-token-( token id )".
//       name: bootstrap-token-( token id )
//       namespace: kube-system
//     # Only secrets of this type will be evaluated.
//     type: bootstrap.kubernetes.io/token
//     data:
//       token-secret: ( private part of token )
//       token-id: ( token id )
//       # Required key usage.
//       usage-bootstrap-authentication: true
//       auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
//       # May also contain an expiry.
//
// Tokens are expected to be of the form:
//
//     ( token-id ).( token-secret )
func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) { … }