Merge pull request #126259 from liggitt/node-get-authz

Authorize Node reads via name, not graph
Kubernetes Prow Robot 2024-07-21 13:08:21 -07:00 committed by GitHub
commit 00d03ec049
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions


@ -368,7 +368,18 @@ func (r *NodeAuthorizer) authorizeNode(nodeName string, attrs authorizer.Attribu
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
return authorizer.DecisionAllow, "", nil
case "get", "list", "watch":
return r.authorize(nodeName, nodeVertexType, attrs)
// Compare the name directly, rather than using the graph,
// so kubelets can attempt a read of their Node API object prior to creation.
switch attrs.GetName() {
case nodeName:
return authorizer.DecisionAllow, "", nil
case "":
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read all nodes, only its own Node object", nodeName), nil
default:
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read '%s', only its own Node object", nodeName, attrs.GetName()), nil
}
}
case "status":
switch attrs.GetVerb() {
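Review bot: The comment above the new `switch attrs.GetName()` explains why "get" is compared by name, but not how "list" and "watch" reach the `case nodeName` arm, so a reader may conclude a kubelet can list or watch all nodes; the `case ""` arm is what denies the unscoped form, and it deserves a sentence saying so. Presumably `attrs.GetName()` is only populated for list/watch when the request is narrowed to a single object name (a `metadata.name` field selector, if I read the request-info resolution correctly), which is worth stating: `// For list/watch, attrs.GetName() is set only when the request is scoped to a single name; an unscoped list/watch of nodes lands in the "" arm and gets no opinion.` The two deny arms also log the identical `NODE DENY` line and differ only in the reason string, so a single deny path with the reason chosen beforehand would read more clearly. authorizeNode starts and ends outside this hunk.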


@ -70,6 +70,8 @@ func TestNodeAuthorizer(t *testing.T) {
node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}
nodeunregistered := &user.DefaultInfo{Name: "system:node:nodeunregistered", Groups: []string{"system:nodes"}}
selectorAuthzDisabled := utilfeature.DefaultFeatureGate.DeepCopy()
featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, genericfeatures.AuthorizeWithSelectors, false)
featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, features.AuthorizeNodeWithSelectors, false)
@ -585,6 +587,11 @@ func TestNodeAuthorizer(t *testing.T) {
// nodes
// get nodes
{
name: "get related unregistered node",
attrs: authorizer.AttributesRecord{User: nodeunregistered, ResourceRequest: true, Verb: "get", Resource: "nodes", APIGroup: "", Name: "nodeunregistered"},
expect: authorizer.DecisionAllow,
},
{
name: "get related node",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "nodes", APIGroup: "", Name: "node0"},