/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package api

import (
	"k8s.io/api/core/v1"
)

// Secret naming and type.
//
// A bootstrap token is stored in a Secret of type SecretTypeBootstrapToken
// whose name is BootstrapTokenSecretPrefix followed by the token ID. The ID
// is therefore visible to anyone who can list Secret names; only the value
// stored under BootstrapTokenSecretKey is sensitive.
const (
	// BootstrapTokenSecretPrefix is the prefix for bootstrap token names.
	// Bootstrap token secrets must be named in the form
	// `bootstrap-token-<token-id>`; this is the prefix placed before the
	// token ID.
	BootstrapTokenSecretPrefix = "bootstrap-token-"

	// SecretTypeBootstrapToken is the Secret type used during the automated
	// bootstrap process (first implemented by kubeadm). Such Secrets hold
	// tokens that are used to sign well-known ConfigMaps and may also be
	// used for authentication.
	SecretTypeBootstrapToken v1.SecretType = "bootstrap.kubernetes.io/token"
)

// Data keys of a bootstrap token Secret.
const (
	// BootstrapTokenIDKey is the ID of this token. It can be transmitted in
	// the clear and is encoded in the name of the Secret. It must be a random
	// 6 character string matching the regexp `^([a-z0-9]{6})$`. Required.
	BootstrapTokenIDKey = "token-id"

	// BootstrapTokenSecretKey holds the actual secret. Unlike the ID this
	// value is sensitive. It must be a random 16 character string matching
	// the regexp `^([a-z0-9]{16})$`. Required.
	BootstrapTokenSecretKey = "token-secret"

	// BootstrapTokenExpirationKey is the time after which this token is
	// expired and must no longer be used; a controller deletes the Secret
	// after this time. The value is an absolute UTC time in RFC3339 form. If
	// it cannot be parsed, the token should be considered invalid. Optional.
	BootstrapTokenExpirationKey = "expiration"

	// BootstrapTokenDescriptionKey is a human-readable description of what
	// the bootstrap token is used for. Optional.
	BootstrapTokenDescriptionKey = "description"

	// BootstrapTokenExtraGroupsKey is a comma-separated list of group names.
	// The bootstrap token authenticates as these groups in addition to the
	// "system:bootstrappers" group.
	BootstrapTokenExtraGroupsKey = "auth-extra-groups"
)

// Usage flags. Each key enables one function of the token; its value must be
// the string "true", and any other value is treated as false.
const (
	// BootstrapTokenUsagePrefix is the prefix shared by the usage keys below.
	BootstrapTokenUsagePrefix = "usage-bootstrap-"

	// BootstrapTokenUsageSigningKey signals that this token should be used to
	// sign configs as part of the bootstrap process. Value must be "true";
	// any other value is assumed to be false. Optional.
	BootstrapTokenUsageSigningKey = "usage-bootstrap-signing"

	// BootstrapTokenUsageAuthentication signals that this token should be
	// used as a bearer token to authenticate against the Kubernetes API. The
	// bearer token takes the form "<token-id>.<token-secret>" and
	// authenticates as the user "system:bootstrap:<token-id>" in the
	// "system:bootstrappers" group as well as any groups listed under
	// BootstrapTokenExtraGroupsKey. Value must be "true"; any other value is
	// assumed to be false. Optional.
	BootstrapTokenUsageAuthentication = "usage-bootstrap-authentication"
)

// The cluster-info ConfigMap that bootstrap tokens sign.
const (
	// ConfigMapClusterInfo is the name of the ConfigMap holding the
	// information on how to connect to and trust the cluster.
	ConfigMapClusterInfo = "cluster-info"

	// KubeConfigKey is the key in the ConfigMap's Data under which the
	// KubeConfig object is stored.
	KubeConfigKey = "kubeconfig"

	// JWSSignatureKeyPrefix is the key prefix under which the JWS signatures
	// over the kubeconfig are stored.
	JWSSignatureKeyPrefix = "jws-kubeconfig-"
)

// Identity assigned to a bearer token that authenticates successfully.
const (
	// BootstrapUserPrefix is the username prefix bootstrapping bearer tokens
	// authenticate as. The full username is "system:bootstrap:<token-id>".
	BootstrapUserPrefix = "system:bootstrap:"

	// BootstrapDefaultGroup is the group every bootstrapping bearer token
	// belongs to (in addition to any groups from BootstrapTokenExtraGroupsKey).
	BootstrapDefaultGroup = "system:bootstrappers"

	// BootstrapGroupPattern is the regex every group assigned to a bootstrap
	// token via BootstrapTokenExtraGroupsKey must match. Groups are thus
	// confined to the "system:bootstrappers:" namespace.
	// See also util.ValidateBootstrapGroupName().
	BootstrapGroupPattern = `\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z`
)

// Token format.
const (
	// BootstrapTokenPattern is the {id}.{secret} regular expression pattern.
	BootstrapTokenPattern = `\A([a-z0-9]{6})\.([a-z0-9]{16})\z`

	// BootstrapTokenIDPattern is the regular expression pattern for the
	// token's ID on its own.
	BootstrapTokenIDPattern = `\A([a-z0-9]{6})\z`

	// BootstrapTokenIDBytes is the number of bytes used for the Bootstrap
	// Token's ID field.
	BootstrapTokenIDBytes = 6

	// BootstrapTokenSecretBytes is the number of bytes used for the Bootstrap
	// Token's Secret field.
	BootstrapTokenSecretBytes = 16
)

// KnownTokenUsages lists the known functions a token can be granted; each
// entry corresponds to a BootstrapTokenUsagePrefix + entry key. It is a var
// only because Go has no constant slices; treat it as read-only.
var KnownTokenUsages = []string{"signing", "authentication"}