Merge remote-tracking branch 'origin/master' into release-1.13

Kubernetes-commit: 23dc5401f4e9b985860aeae9657bba1b28c74ff8

vendor/k8s.io/api/authentication/v1beta1/generated.proto

@@ -57,6 +57,14 @@ message TokenReviewSpec {
   // Token is the opaque bearer token.
   // +optional
   optional string token = 1;
+
+  // Audiences is a list of the identifiers that the resource server presented
+  // with the token identifies as. Audience-aware token authenticators will
+  // verify that the token was intended for at least one of the audiences in
+  // this list. If no audiences are provided, the audience will default to the
+  // audience of the Kubernetes apiserver.
+  // +optional
+  repeated string audiences = 2;
 }
 
 // TokenReviewStatus is the result of the token authentication request.
@@ -69,6 +77,18 @@ message TokenReviewStatus {
   // +optional
   optional UserInfo user = 2;
 
+  // Audiences are audience identifiers chosen by the authenticator that are
+  // compatible with both the TokenReview and token. An identifier is any
+  // identifier in the intersection of the TokenReviewSpec audiences and the
+  // token's audiences. A client of the TokenReview API that sets the
+  // spec.audiences field should validate that a compatible audience identifier
+  // is returned in the status.audiences field to ensure that the TokenReview
+  // server is audience aware. If a TokenReview returns an empty
+  // status.audience field where status.authenticated is "true", the token is
+  // valid against the audience of the Kubernetes API server.
+  // +optional
+  repeated string audiences = 4;
+
   // Error indicates that the token couldn't be checked
   // +optional
   optional string error = 3;