From d105ddd35082a77ad9012d5386ef31734a7171b1 Mon Sep 17 00:00:00 2001 From: "Lubomir I. Ivanov" Date: Thu, 2 May 2024 12:03:39 +0300 Subject: [PATCH] kubeadm: update the IsPriviligedUser preflight check on Windows Use GetCurrentProcessToken() instead of checking the groups of a user. The Go stdlib way of fetching the groups of an user appears to be failing on some Windows setups. Which could be a regression in later Go versions, or simply the code does not work on certain setups. --- cmd/kubeadm/app/preflight/checks_windows.go | 27 ++++----------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/cmd/kubeadm/app/preflight/checks_windows.go b/cmd/kubeadm/app/preflight/checks_windows.go index 3ee8ff7a105..de0d52c6eca 100644 --- a/cmd/kubeadm/app/preflight/checks_windows.go +++ b/cmd/kubeadm/app/preflight/checks_windows.go @@ -20,34 +20,17 @@ limitations under the License. package preflight import ( - "os/user" - "github.com/pkg/errors" + "golang.org/x/sys/windows" ) -// The "Well-known SID" of Administrator group -// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems -const administratorSID = "S-1-5-32-544" - // Check validates if a user has elevated (administrator) privileges. func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) { - currUser, err := user.Current() - if err != nil { - return nil, []error{errors.Wrap(err, "cannot get current user")} + hProcessToken := windows.GetCurrentProcessToken() + if hProcessToken.IsElevated() { + return nil, nil } - - groupIds, err := currUser.GroupIds() - if err != nil { - return nil, []error{errors.Wrap(err, "cannot get group IDs for current user")} - } - - for _, sid := range groupIds { - if sid == administratorSID { - return nil, nil - } - } - - return nil, []error{errors.New("user is not running as administrator")} + return nil, []error{errors.New("the kubeadm process must be run by a user with elevated privileges")} } // Check number of memory required by kubeadm