clean node_authorizer code: verb judgement

lemonli
2020-01-15 18:08:09 +08:00
parent a25c6aa350
commit 2498dbf636


@@ -167,10 +167,14 @@ func (r *NodeAuthorizer) authorizeGet(nodeName string, startingType vertexType,
// authorizeReadNamespacedObject authorizes "get", "list" and "watch" requests to single objects of a // authorizeReadNamespacedObject authorizes "get", "list" and "watch" requests to single objects of a
// specified types if they are related to the specified node. // specified types if they are related to the specified node.
func (r *NodeAuthorizer) authorizeReadNamespacedObject(nodeName string, startingType vertexType, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeReadNamespacedObject(nodeName string, startingType vertexType, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
if attrs.GetVerb() != "get" && attrs.GetVerb() != "list" && attrs.GetVerb() != "watch" { switch attrs.GetVerb() {
case "get", "list", "watch":
//ok
default:
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only read resources of this type", nil return authorizer.DecisionNoOpinion, "can only read resources of this type", nil
} }
if len(attrs.GetSubresource()) > 0 { if len(attrs.GetSubresource()) > 0 {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "cannot read subresource", nil return authorizer.DecisionNoOpinion, "cannot read subresource", nil
@@ -229,11 +233,10 @@ func (r *NodeAuthorizer) authorizeCreateToken(nodeName string, startingType vert
func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
// allowed verbs: get, create, update, patch, delete // allowed verbs: get, create, update, patch, delete
verb := attrs.GetVerb() verb := attrs.GetVerb()
if verb != "get" && switch verb {
verb != "create" && case "get", "create", "update", "patch", "delete":
verb != "update" && //ok
verb != "patch" && default:
verb != "delete" {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a node lease", nil return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a node lease", nil
} }
@@ -259,11 +262,10 @@ func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attrib
func (r *NodeAuthorizer) authorizeCSINode(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeCSINode(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
// allowed verbs: get, create, update, patch, delete // allowed verbs: get, create, update, patch, delete
verb := attrs.GetVerb() verb := attrs.GetVerb()
if verb != "get" && switch verb {
verb != "create" && case "get", "create", "update", "patch", "delete":
verb != "update" && //ok
verb != "patch" && default:
verb != "delete" {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a CSINode", nil return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a CSINode", nil
} }
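Review bot: In all three hunks the permitted verbs now sit in a `case` arm whose only content is `//ok`, so nothing at that spot tells a later editor that extending the list widens what a node credential is allowed to do. I would replace it with an explanatory comment such as `// allowed verb: continue to the remaining checks below` (with the conventional space after `//`). In authorizeLease and authorizeCSINode the same five verbs are now written three times (the `// allowed verbs:` comment, the `case` list and the denial message), so the comment above the switch is redundant and the three copies can drift apart. Because this rewrites an authorization decision and is meant to preserve behaviour, a table-driven test would pin the equivalence: feed each listed verb plus an unlisted one and an empty verb, and assert `authorizer.DecisionNoOpinion` for the last two. No test change is visible on this page, and all three function bodies continue beyond their hunks.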