Only default mode to AlwaysAllow when config file is unspecified

Jordan Liggitt 2023-11-08 11:24:28 -06:00
parent 246d363ea4
commit 1f40e0916e
No known key found for this signature in database
2 changed files with 13 additions and 2 deletions


@ -222,6 +222,9 @@ func (o *Options) Complete(alternateDNS []string, alternateIPs []net.IP) (Comple
klog.Infof("external host was not specified, using %v", completed.GenericServerRunOptions.ExternalHost)
}
// put authorization options in final state
completed.Authorization.Complete()
// adjust authentication for completed authorization
completed.Authentication.ApplyAuthorization(completed.Authorization)
// Use (ServiceAccountSigningKeyFile != "") as a proxy to the user enabling
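Review bot: The `[]error` returned by `completed.Authorization.Complete()` is discarded at the new call site, so any failure a later version of that method reports would be dropped and the server would carry on with half-completed authorization options. This step decides whether the mode list falls back to AlwaysAllow, so the result should be checked, starting with `if errs := completed.Authorization.Complete(); len(errs) > 0 {` and returning the errors through the enclosing function's own error return. The enclosing `(*Options).Complete` starts and ends outside the hunk, so the exact return form has to be taken from the rest of the function.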


@ -80,7 +80,7 @@ type BuiltInAuthorizationOptions struct {
// NewBuiltInAuthorizationOptions create a BuiltInAuthorizationOptions with default value
func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
return &BuiltInAuthorizationOptions{
Modes: []string{authzmodes.ModeAlwaysAllow},
Modes: []string{},
WebhookVersion: "v1beta1",
WebhookCacheAuthorizedTTL: 5 * time.Minute,
WebhookCacheUnauthorizedTTL: 30 * time.Second,
@ -88,6 +88,14 @@ func NewBuiltInAuthorizationOptions() *BuiltInAuthorizationOptions {
}
}
// Complete modifies authorization options
func (o *BuiltInAuthorizationOptions) Complete() []error {
if len(o.AuthorizationConfigurationFile) == 0 && len(o.Modes) == 0 {
o.Modes = []string{authzmodes.ModeAlwaysAllow}
}
return nil
}
// Validate checks invalid config combination
func (o *BuiltInAuthorizationOptions) Validate() []error {
if o == nil {
@ -185,7 +193,7 @@ func (o *BuiltInAuthorizationOptions) AddFlags(fs *pflag.FlagSet) {
}
fs.StringSliceVar(&o.Modes, authorizationModeFlag, o.Modes, ""+
"Ordered list of plug-ins to do authorization on secure port. Comma-delimited list of: "+
"Ordered list of plug-ins to do authorization on secure port. Defaults to AlwaysAllow if --authorization-config is not used. Comma-delimited list of: "+
strings.Join(authzmodes.AuthorizationModeChoices, ",")+".")
fs.StringVar(&o.PolicyFile, authorizationPolicyFileFlag, o.PolicyFile, ""+
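Review bot: The new `Complete` method dereferences `o` without the `if o == nil` guard that `Validate` opens with directly below it, so a nil `*BuiltInAuthorizationOptions` would panic here where Validate tolerates it; add `if o == nil { return nil }` as its first statement. The doc comment `// Complete modifies authorization options` should also state the security-relevant contract, for example `// Complete defaults Modes to AlwaysAllow only when neither an authorization mode nor --authorization-config is set; AlwaysAllow authorizes every request.` Judging from the `len(o.Modes) == 0` test, an explicitly empty mode list cannot be told apart from an unset one and also falls back to AlwaysAllow, which is worth a sentence in that comment or in the flag help text.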