Remove support for basic authentication

This change removes support for basic authn in v1.19 via the
--basic-auth-file flag.  This functionality was deprecated in v1.16
in response to ATR-K8S-002: Non-constant time password comparison.

Similar functionality is available via the --token-auth-file flag
for development purposes.

Signed-off-by: Monis Khan <[email protected]>

Author: enj

cluster/gce/gci/configure-kubeapiserver.sh

@@ -101,9 +101,6 @@ function start-kube-apiserver {
     params+=" --service-account-key-file=${SERVICEACCOUNT_CERT_PATH}"
   fi
   params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv"
-  if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then
-    params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv"
-  fi
 
   if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]]; then
     params+=" --request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT_SEC}s"

cmd/controller-manager/app/serve.go

@@ -37,7 +37,7 @@ import (
 // BuildHandlerChain builds a handler chain with a base handler and CompletedConfig.
 func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.AuthorizationInfo, authenticationInfo *apiserver.AuthenticationInfo) http.Handler {
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
-	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
+	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs)
 
 	handler := apiHandler
 	if authorizationInfo != nil {

cmd/kube-apiserver/app/options/options_test.go

@@ -276,7 +276,6 @@ func TestAddFlags(t *testing.T) {
 				UsernameClaim: "sub",
 				SigningAlgs:   []string{"RS256"},
 			},
-			PasswordFile:  &kubeoptions.PasswordFileAuthenticationOptions{},
 			RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{},
 			ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{
 				Lookup: true,

cmd/kube-scheduler/app/server.go

@@ -262,7 +262,7 @@ func Run(ctx context.Context, cc schedulerserverconfig.CompletedConfig, outOfTre
 // buildHandlerChain wraps the given handler with the standard filters.
 func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler {
 	requestInfoResolver := &apirequest.RequestInfoFactory{}
-	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false)
+	failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs)
 
 	handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs)
 	handler = genericapifilters.WithAuthentication(handler, authn, failedHandler, nil)

pkg/kubeapiserver/authenticator/BUILD

@@ -27,8 +27,6 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library",
-        "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library",
         "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library",
         "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library",

pkg/kubeapiserver/authenticator/config.go

@@ -36,8 +36,6 @@ import (
 	tokenunion "k8s.io/apiserver/pkg/authentication/token/union"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile"
-	"k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
 	"k8s.io/apiserver/plugin/pkg/authenticator/token/webhook"
 
@@ -51,7 +49,6 @@ import (
 // Config contains the data on how to authenticate a request to the Kube API Server
 type Config struct {
 	Anonymous      bool
-	BasicAuthFile  string
 	BootstrapToken bool
 
 	TokenAuthFile               string
@@ -109,22 +106,6 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
 		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, requestHeaderAuthenticator))
 	}
 
-	// basic auth
-	if len(config.BasicAuthFile) > 0 {
-		basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile)
-		if err != nil {
-			return nil, nil, err
-		}
-		authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, basicAuth))
-
-		securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{
-			SecuritySchemeProps: spec.SecuritySchemeProps{
-				Type:        "basic",
-				Description: "HTTP Basic authentication",
-			},
-		}
-	}
-
 	// X509 methods
 	if config.ClientCAContentProvider != nil {
 		certAuth := x509.NewDynamic(config.ClientCAContentProvider.VerifyOptions, x509.CommonNameUserConversion)
@@ -235,16 +216,6 @@ func IsValidServiceAccountKeyFile(file string) bool {
 	return err == nil
 }
 
-// newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error
-func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) {
-	basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile)
-	if err != nil {
-		return nil, err
-	}
-
-	return basicauth.New(basicAuthenticator), nil
-}
-
 // newAuthenticatorFromTokenFile returns an authenticator.Token or an error
 func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) {
 	tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile)

pkg/kubeapiserver/options/authentication.go

@@ -43,7 +43,6 @@ type BuiltInAuthenticationOptions struct {
 	BootstrapToken  *BootstrapTokenAuthenticationOptions
 	ClientCert      *genericoptions.ClientCertAuthenticationOptions
 	OIDC            *OIDCAuthenticationOptions
-	PasswordFile    *PasswordFileAuthenticationOptions
 	RequestHeader   *genericoptions.RequestHeaderAuthenticationOptions
 	ServiceAccounts *ServiceAccountAuthenticationOptions
 	TokenFile       *TokenFileAuthenticationOptions
@@ -73,10 +72,6 @@ type OIDCAuthenticationOptions struct {
 	RequiredClaims map[string]string
 }
 
-type PasswordFileAuthenticationOptions struct {
-	BasicAuthFile string
-}
-
 type ServiceAccountAuthenticationOptions struct {
 	KeyFiles      []string
 	Lookup        bool
@@ -108,7 +103,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
 		WithBootstrapToken().
 		WithClientCert().
 		WithOIDC().
-		WithPasswordFile().
 		WithRequestHeader().
 		WithServiceAccounts().
 		WithTokenFile().
@@ -135,11 +129,6 @@ func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions
 	return s
 }
 
-func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions {
-	s.PasswordFile = &PasswordFileAuthenticationOptions{}
-	return s
-}
-
 func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions {
 	s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{}
 	return s
@@ -274,13 +263,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 			"Repeat this flag to specify multiple claims.")
 	}
 
-	if s.PasswordFile != nil {
-		fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
-			"If set, the file that will be used to admit requests to the secure port of the API server "+
-			"via http basic authentication.")
-		fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
-	}
-
 	if s.RequestHeader != nil {
 		s.RequestHeader.AddFlags(fs)
 	}
@@ -377,10 +359,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat
 		ret.OIDCRequiredClaims = s.OIDC.RequiredClaims
 	}
 
-	if s.PasswordFile != nil {
-		ret.BasicAuthFile = s.PasswordFile.BasicAuthFile
-	}
-
 	if s.RequestHeader != nil {
 		var err error
 		ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
@@ -447,8 +425,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
 		}
 	}
 
-	c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0
-
 	c.Authentication.APIAudiences = o.APIAudiences
 	if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 {
 		c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer}

pkg/kubeapiserver/options/authentication_test.go

@@ -120,9 +120,6 @@ func TestToAuthenticationConfig(t *testing.T) {
 			IssuerURL:     "testIssuerURL",
 			ClientID:      "testClientID",
 		},
-		PasswordFile: &PasswordFileAuthenticationOptions{
-			BasicAuthFile: "/testBasicAuthFile",
-		},
 		RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{
 			UsernameHeaders:     []string{"x-remote-user"},
 			GroupHeaders:        []string{"x-remote-group"},
@@ -144,7 +141,6 @@ func TestToAuthenticationConfig(t *testing.T) {
 	expectConfig := kubeauthenticator.Config{
 		APIAudiences:                authenticator.Audiences{"http://foo.bar.com"},
 		Anonymous:                   false,
-		BasicAuthFile:               "/testBasicAuthFile",
 		BootstrapToken:              false,
 		ClientCAContentProvider:     nil, // this is nil because you can't compare functions
 		TokenAuthFile:               "/testTokenFile",

staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go

@@ -35,13 +35,6 @@ type Request interface {
 	AuthenticateRequest(req *http.Request) (*Response, bool, error)
 }
 
-// Password checks a username and password against a backing authentication
-// store and returns a Response or an error if the password could not be
-// checked.
-type Password interface {
-	AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error)
-}
-
 // TokenFunc is a function that implements the Token interface.
 type TokenFunc func(ctx context.Context, token string) (*Response, bool, error)
 
@@ -58,14 +51,6 @@ func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, er
 	return f(req)
 }
 
-// PasswordFunc is a function that implements the Password interface.
-type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error)
-
-// AuthenticatePassword implements authenticator.Password.
-func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) {
-	return f(ctx, user, password)
-}
-
 // Response is the struct returned by authenticator interfaces upon successful
 // authentication. It contains information about whether the authenticator
 // authenticated the request, information about the context of the

staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go

@@ -71,11 +71,8 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed
 	})
 }
 
-func Unauthorized(s runtime.NegotiatedSerializer, supportsBasicAuth bool) http.Handler {
+func Unauthorized(s runtime.NegotiatedSerializer) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		if supportsBasicAuth {
-			w.Header().Set("WWW-Authenticate", `Basic realm="kubernetes-master"`)
-		}
 		ctx := req.Context()
 		requestInfo, found := genericapirequest.RequestInfoFrom(ctx)
 		if !found {