Add slash ended urls for service-account-issuer-discovery to match API in swagger (#117511)

* Add slash ended urls for service-account-issuer-discovery to match API in swagger

* update the comment for adding slash-ended URLs

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>

---------

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Hao Ruan 2023-07-18 16:11:08 +08:00 committed by GitHub
parent b2a9c06b2e
commit 056c19e8b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 0 deletions


@ -514,12 +514,15 @@ func ClusterRoles() []rbacv1.ClusterRole {
}...)
// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
// Also allow slash-ended URLs to allow clients generated from published openapi docs prior to fixing the trailing slash to work properly
roles = append(roles, rbacv1.ClusterRole{
ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("get").URLs(
"/.well-known/openid-configuration",
"/.well-known/openid-configuration/",
"/openid/v1/jwks",
"/openid/v1/jwks/",
).RuleOrDie(),
},
})
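Review bot: The comment added above `roles = append(roles, rbacv1.ClusterRole{` says who needs the slash-ended URLs, but not why each one has to be listed separately or when the extra entries can be removed. As far as I know, RBAC compares nonResourceURLs literally (only a trailing `*` acts as a wildcard), so `/openid/v1/jwks/` is a separate grant from `/openid/v1/jwks`; I would state that, e.g. `// nonResourceURLs are matched literally, so the slash-ended forms are listed explicitly for clients generated from the older openapi docs; drop them once those clients are no longer supported.` Any cluster that binds `system:service-account-issuer-discovery` more widely than the default (for instance so external relying parties can fetch the discovery documents) extends that binding to the two new paths on upgrade, which deserves a release-note line. The body of ClusterRoles starts and ends outside this hunk.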


@ -1265,7 +1265,9 @@ items:
rules:
- nonResourceURLs:
- /.well-known/openid-configuration
- /.well-known/openid-configuration/
- /openid/v1/jwks
- /openid/v1/jwks/
verbs:
- get
- apiVersion: rbac.authorization.k8s.io/v1