Skip to content

Commit e70a9c6

Browse files
liggittliggitt
committed
Improve error message for projected tokens when API is not enabled
1 parent cc4ca62 commit e70a9c6

File tree

2 files changed

+26
-1
lines changed

2 files changed

+26
-1
lines changed

pkg/kubelet/token/BUILD

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@ go_library(
2121
visibility = ["//visibility:public"],
2222
deps = [
2323
"//staging/src/k8s.io/api/authentication/v1:go_default_library",
24+
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
2425
"//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
2526
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
2627
"//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",

pkg/kubelet/token/token_manager.go

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ import (
2525
"time"
2626

2727
authenticationv1 "k8s.io/api/authentication/v1"
28+
apierrors "k8s.io/apimachinery/pkg/api/errors"
2829
"k8s.io/apimachinery/pkg/types"
2930
"k8s.io/apimachinery/pkg/util/clock"
3031
"k8s.io/apimachinery/pkg/util/wait"
@@ -39,12 +40,35 @@ const (
3940

4041
// NewManager returns a new token manager.
4142
func NewManager(c clientset.Interface) *Manager {
43+
// check whether the server supports token requests so we can give a more helpful error message
44+
supported := false
45+
once := &sync.Once{}
46+
tokenRequestsSupported := func() bool {
47+
once.Do(func() {
48+
resources, err := c.Discovery().ServerResourcesForGroupVersion("v1")
49+
if err != nil {
50+
return
51+
}
52+
for _, resource := range resources.APIResources {
53+
if resource.Name == "serviceaccounts/token" {
54+
supported = true
55+
return
56+
}
57+
}
58+
})
59+
return supported
60+
}
61+
4262
m := &Manager{
4363
getToken: func(name, namespace string, tr *authenticationv1.TokenRequest) (*authenticationv1.TokenRequest, error) {
4464
if c == nil {
4565
return nil, errors.New("cannot use TokenManager when kubelet is in standalone mode")
4666
}
47-
return c.CoreV1().ServiceAccounts(namespace).CreateToken(name, tr)
67+
tokenRequest, err := c.CoreV1().ServiceAccounts(namespace).CreateToken(name, tr)
68+
if apierrors.IsNotFound(err) && !tokenRequestsSupported() {
69+
return nil, fmt.Errorf("the API server does not have TokenRequest endpoints enabled")
70+
}
71+
return tokenRequest, err
4872
},
4973
cache: make(map[string]*authenticationv1.TokenRequest),
5074
clock: clock.RealClock{},

0 commit comments

Comments
 (0)