kubernetes/plugin/pkg/auth/authenticator/token/bootstrap/bootstrap.go

// NewTokenAuthenticator initializes a bootstrap token authenticator.
//
// Lister is expected to be for the "kube-system" namespace.
//
// NOTE(review): the parameter is an already-scoped SecretNamespaceLister, so
// nothing in this signature enforces the namespace. Every secret the lister
// can see is a candidate bootstrap token, which makes scoping it to
// "kube-system" the caller's responsibility; confirm at the call site.
func NewTokenAuthenticator(lister corev1listers.SecretNamespaceLister) *TokenAuthenticator {}

type TokenAuthenticator

// tokenErrorf prints an error message for a secret that has matched a bearer
// token but fails to meet some other criteria.
//
//	tokenErrorf(secret, "has invalid value for key %s", key)
func tokenErrorf(s *corev1.Secret, format string, i ...interface{}

// AuthenticateToken tries to match the provided token to a bootstrap token secret
// in a given namespace. If found, it authenticates the token in the
// "system:bootstrappers" group and with the "system:bootstrap:(token-id)" username.
//
// All secrets must be of type "bootstrap.kubernetes.io/token". An example secret:
//
//	apiVersion: v1
//	kind: Secret
//	metadata:
//	  # Name MUST be of form "bootstrap-token-( token id )".
//	  name: bootstrap-token-( token id )
//	  namespace: kube-system
//	# Only secrets of this type will be evaluated.
//	type: bootstrap.kubernetes.io/token
//	data:
//	  # Values are shown decoded for readability; entries under "data" are
//	  # base64-encoded in a stored Secret.
//	  token-secret: ( private part of token )
//	  token-id: ( token id )
//	  # Required key usage.
//	  usage-bootstrap-authentication: true
//	  auth-extra-groups: "system:bootstrappers:custom-group1,system:bootstrappers:custom-group2"
//	  # May also contain an expiry.
//
// Tokens are expected to be of the form:
//
//	( token-id ).( token-secret )
//
// The token-id half is not secret: it appears in the secret name and in the
// authenticated username. The token-secret half is the credential, so only the
// token-id should be written to logs or error messages.
//
// The results are an *authenticator.Response, a bool and an error.
// NOTE(review): presumably the bool reports whether the token was
// authenticated; confirm against the authenticator interface.
//
// NOTE(review): the body is not shown in this listing. When reviewing the
// implementation, confirm that the token-secret comparison is constant-time
// (for example crypto/subtle.ConstantTimeCompare), that a secret whose expiry
// has passed is rejected, that a secret lacking the required
// usage-bootstrap-authentication key is rejected, and that auth-extra-groups
// entries are validated before being added to the response. In the example
// above every extra group carries the "system:bootstrappers:" prefix.
func (t *TokenAuthenticator) AuthenticateToken(ctx context.Context, token string) (*authenticator.Response, bool, error) {}