github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #126259 from liggitt/node-get-authz

Browse Source 
Authorize Node reads via name, not graph
This commit is contained in:
Kubernetes Prow Robot 2024-07-21 13:08:21 -07:00 committed by GitHub
commit 00d03ec049
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
plugin/pkg/auth/authorizer/node/node_authorizer.go
View File

@ -368,7 +368,18 @@ func (r *NodeAuthorizer) authorizeNode(nodeName string, attrs authorizer.Attribu
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object. // Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
return authorizer.DecisionAllow, "", nil return authorizer.DecisionAllow, "", nil
case "get", "list", "watch": case "get", "list", "watch":
return r.authorize(nodeName, nodeVertexType, attrs) // Compare the name directly, rather than using the graph,
// so kubelets can attempt a read of their Node API object prior to creation.
switch attrs.GetName() {
case nodeName:
return authorizer.DecisionAllow, "", nil
case "":
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read all nodes, only its own Node object", nodeName), nil
default:
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read '%s', only its own Node object", nodeName, attrs.GetName()), nil
}
} }
case "status": case "status":
switch attrs.GetVerb() { switch attrs.GetVerb() {

7
plugin/pkg/auth/authorizer/node/node_authorizer_test.go
View File

@ -70,6 +70,8 @@ func TestNodeAuthorizer(t *testing.T) {
node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}} node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}
nodeunregistered := &user.DefaultInfo{Name: "system:node:nodeunregistered", Groups: []string{"system:nodes"}}
selectorAuthzDisabled := utilfeature.DefaultFeatureGate.DeepCopy() selectorAuthzDisabled := utilfeature.DefaultFeatureGate.DeepCopy()
featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, genericfeatures.AuthorizeWithSelectors, false) featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, genericfeatures.AuthorizeWithSelectors, false)
featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, features.AuthorizeNodeWithSelectors, false) featuregatetesting.SetFeatureGateDuringTest(t, selectorAuthzDisabled, features.AuthorizeNodeWithSelectors, false)
@ -585,6 +587,11 @@ func TestNodeAuthorizer(t *testing.T) {
// nodes // nodes
// get nodes // get nodes
{
name: "get related unregistered node",
attrs: authorizer.AttributesRecord{User: nodeunregistered, ResourceRequest: true, Verb: "get", Resource: "nodes", APIGroup: "", Name: "nodeunregistered"},
expect: authorizer.DecisionAllow,
},
{ {
name: "get related node", name: "get related node",
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "nodes", APIGroup: "", Name: "node0"}, attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "nodes", APIGroup: "", Name: "node0"},