Split node/rbac/abac construction

This commit is contained in:
Jordan Liggitt 2023-11-07 10:38:19 -06:00
parent 49124293c3
commit 1fddc948ed
No known key found for this signature in database


@ -78,15 +78,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
initialConfig: config, initialConfig: config,
} }
var ( // Build and store authorizers which will persist across reloads
authorizers []authorizer.Authorizer
ruleResolvers []authorizer.RuleResolver
)
// Add SystemPrivilegedGroup as an authorizing group
superuserAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
authorizers = append(authorizers, superuserAuthorizer)
for _, configuredAuthorizer := range config.AuthorizationConfiguration.Authorizers { for _, configuredAuthorizer := range config.AuthorizationConfiguration.Authorizers {
// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go. // Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
switch configuredAuthorizer.Type { switch configuredAuthorizer.Type {
@ -101,9 +93,43 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
config.VersionedInformerFactory.Storage().V1().VolumeAttachments(), config.VersionedInformerFactory.Storage().V1().VolumeAttachments(),
) )
r.nodeAuthorizer = node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules()) r.nodeAuthorizer = node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
case authzconfig.AuthorizerType(modes.ModeABAC):
var err error
r.abacAuthorizer, err = abac.NewFromFile(config.PolicyFile)
if err != nil {
return nil, nil, err
}
case authzconfig.AuthorizerType(modes.ModeRBAC):
r.rbacAuthorizer = rbac.New(
&rbac.RoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().Roles().Lister()},
&rbac.RoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().RoleBindings().Lister()},
&rbac.ClusterRoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoles().Lister()},
&rbac.ClusterRoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoleBindings().Lister()},
)
}
}
// Construct the authorizers / ruleResolvers for the given configuration
var (
authorizers []authorizer.Authorizer
ruleResolvers []authorizer.RuleResolver
)
// Add SystemPrivilegedGroup as an authorizing group
superuserAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
authorizers = append(authorizers, superuserAuthorizer)
for _, configuredAuthorizer := range config.AuthorizationConfiguration.Authorizers {
// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
switch configuredAuthorizer.Type {
case authzconfig.AuthorizerType(modes.ModeNode):
if r.nodeAuthorizer == nil {
return nil, nil, fmt.Errorf("nil nodeAuthorizer")
}
authorizers = append(authorizers, r.nodeAuthorizer) authorizers = append(authorizers, r.nodeAuthorizer)
ruleResolvers = append(ruleResolvers, r.nodeAuthorizer) ruleResolvers = append(ruleResolvers, r.nodeAuthorizer)
case authzconfig.AuthorizerType(modes.ModeAlwaysAllow): case authzconfig.AuthorizerType(modes.ModeAlwaysAllow):
alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer() alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
authorizers = append(authorizers, alwaysAllowAuthorizer) authorizers = append(authorizers, alwaysAllowAuthorizer)
@ -113,18 +139,16 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
authorizers = append(authorizers, alwaysDenyAuthorizer) authorizers = append(authorizers, alwaysDenyAuthorizer)
ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer) ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
case authzconfig.AuthorizerType(modes.ModeABAC): case authzconfig.AuthorizerType(modes.ModeABAC):
var err error if r.abacAuthorizer == nil {
r.abacAuthorizer, err = abac.NewFromFile(config.PolicyFile) return nil, nil, fmt.Errorf("nil abacAuthorizer")
if err != nil {
return nil, nil, err
} }
authorizers = append(authorizers, r.abacAuthorizer) authorizers = append(authorizers, r.abacAuthorizer)
ruleResolvers = append(ruleResolvers, r.abacAuthorizer) ruleResolvers = append(ruleResolvers, r.abacAuthorizer)
case authzconfig.AuthorizerType(modes.ModeWebhook): case authzconfig.AuthorizerType(modes.ModeWebhook):
if config.WebhookRetryBackoff == nil { if r.initialConfig.WebhookRetryBackoff == nil {
return nil, nil, errors.New("retry backoff parameters for authorization webhook has not been specified") return nil, nil, errors.New("retry backoff parameters for authorization webhook has not been specified")
} }
clientConfig, err := webhookutil.LoadKubeconfig(*configuredAuthorizer.Webhook.ConnectionInfo.KubeConfigFile, config.CustomDial) clientConfig, err := webhookutil.LoadKubeconfig(*configuredAuthorizer.Webhook.ConnectionInfo.KubeConfigFile, r.initialConfig.CustomDial)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, err
} }
@ -141,7 +165,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
configuredAuthorizer.Webhook.SubjectAccessReviewVersion, configuredAuthorizer.Webhook.SubjectAccessReviewVersion,
configuredAuthorizer.Webhook.AuthorizedTTL.Duration, configuredAuthorizer.Webhook.AuthorizedTTL.Duration,
configuredAuthorizer.Webhook.UnauthorizedTTL.Duration, configuredAuthorizer.Webhook.UnauthorizedTTL.Duration,
*config.WebhookRetryBackoff, *r.initialConfig.WebhookRetryBackoff,
decisionOnError, decisionOnError,
configuredAuthorizer.Webhook.MatchConditions, configuredAuthorizer.Webhook.MatchConditions,
) )
@ -151,12 +175,9 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
authorizers = append(authorizers, webhookAuthorizer) authorizers = append(authorizers, webhookAuthorizer)
ruleResolvers = append(ruleResolvers, webhookAuthorizer) ruleResolvers = append(ruleResolvers, webhookAuthorizer)
case authzconfig.AuthorizerType(modes.ModeRBAC): case authzconfig.AuthorizerType(modes.ModeRBAC):
r.rbacAuthorizer = rbac.New( if r.rbacAuthorizer == nil {
&rbac.RoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().Roles().Lister()}, return nil, nil, fmt.Errorf("nil rbacAuthorizer")
&rbac.RoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().RoleBindings().Lister()}, }
&rbac.ClusterRoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoles().Lister()},
&rbac.ClusterRoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoleBindings().Lister()},
)
authorizers = append(authorizers, r.rbacAuthorizer) authorizers = append(authorizers, r.rbacAuthorizer)
ruleResolvers = append(ruleResolvers, r.rbacAuthorizer) ruleResolvers = append(ruleResolvers, r.rbacAuthorizer)
default: default:
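Review bot: The three fail-closed guards added in the second pass (`if r.nodeAuthorizer == nil`, `if r.abacAuthorizer == nil`, `if r.rbacAuthorizer == nil`) call `fmt.Errorf` with no format verbs and report only `nil nodeAuthorizer` and the like; the file already imports `errors` (used in the webhook case), so `errors.New` is the idiomatic form for a fixed string, and the message should say why the value is nil rather than just that it is. In this commit both passes range over the same `config.AuthorizationConfiguration.Authorizers`, so none of these guards can fire; presumably they are there for a later reload path where the node/ABAC/RBAC authorizers persist from the initial configuration only, and an operator who then sees `nil rbacAuthorizer` would not learn that a mode missing from the initial configuration cannot be added on reload. Suggest making the failure self-explanatory, e.g. `return nil, nil, fmt.Errorf("authorizer type %q is not in the initial configuration and cannot be added later", configuredAuthorizer.Type)`, applied to all three cases. The enclosing `New` method starts and ends outside the hunk, and the reload intent is inferred from the `initialConfig` references rather than shown here.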