mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-31 15:25:57 +00:00
Make signer admission plugin check on condition update
This commit is contained in:
parent
aed0621f2e
commit
377adfa2b7
@ -24,10 +24,10 @@ import (
|
|||||||
|
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
|
|
||||||
|
apiequality "k8s.io/apimachinery/pkg/api/equality"
|
||||||
"k8s.io/apiserver/pkg/admission"
|
"k8s.io/apiserver/pkg/admission"
|
||||||
genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
|
genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
|
||||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||||
|
|
||||||
api "k8s.io/kubernetes/pkg/apis/certificates"
|
api "k8s.io/kubernetes/pkg/apis/certificates"
|
||||||
"k8s.io/kubernetes/plugin/pkg/admission/certificates"
|
"k8s.io/kubernetes/plugin/pkg/admission/certificates"
|
||||||
)
|
)
|
||||||
@ -73,10 +73,10 @@ func NewPlugin() *Plugin {
|
|||||||
|
|
||||||
var csrGroupResource = api.Resource("certificatesigningrequests")
|
var csrGroupResource = api.Resource("certificatesigningrequests")
|
||||||
|
|
||||||
// Validate verifies that the requesting user has permission to approve
|
// Validate verifies that the requesting user has permission to sign
|
||||||
// CertificateSigningRequests for the specified signerName.
|
// CertificateSigningRequests for the specified signerName.
|
||||||
func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
|
func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admission.ObjectInterfaces) error {
|
||||||
// Ignore all calls to anything other than 'certificatesigningrequests/approval'.
|
// Ignore all calls to anything other than 'certificatesigningrequests/status'.
|
||||||
// Ignore all operations other than UPDATE.
|
// Ignore all operations other than UPDATE.
|
||||||
if a.GetSubresource() != "status" ||
|
if a.GetSubresource() != "status" ||
|
||||||
a.GetResource().GroupResource() != csrGroupResource {
|
a.GetResource().GroupResource() != csrGroupResource {
|
||||||
@ -92,8 +92,8 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
|
|||||||
return admission.NewForbidden(a, fmt.Errorf("expected type CertificateSigningRequest, got: %T", a.GetObject()))
|
return admission.NewForbidden(a, fmt.Errorf("expected type CertificateSigningRequest, got: %T", a.GetObject()))
|
||||||
}
|
}
|
||||||
|
|
||||||
// only run if the status.certificate field has been changed
|
// only run if the status.certificate or status.conditions field has been changed
|
||||||
if reflect.DeepEqual(oldCSR.Status.Certificate, csr.Status.Certificate) {
|
if reflect.DeepEqual(oldCSR.Status.Certificate, csr.Status.Certificate) && apiequality.Semantic.DeepEqual(oldCSR.Status.Conditions, csr.Status.Conditions) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -48,7 +48,7 @@ func TestPlugin_Validate(t *testing.T) {
|
|||||||
},
|
},
|
||||||
allowed: false,
|
allowed: false,
|
||||||
},
|
},
|
||||||
"allowed if the 'certificate' field has not changed": {
|
"allowed if the 'certificate' and conditions field has not changed": {
|
||||||
attributes: &testAttributes{
|
attributes: &testAttributes{
|
||||||
resource: certificatesapi.Resource("certificatesigningrequests"),
|
resource: certificatesapi.Resource("certificatesigningrequests"),
|
||||||
subresource: "status",
|
subresource: "status",
|
||||||
@ -63,7 +63,7 @@ func TestPlugin_Validate(t *testing.T) {
|
|||||||
allowed: true,
|
allowed: true,
|
||||||
authzErr: errors.New("faked error"),
|
authzErr: errors.New("faked error"),
|
||||||
},
|
},
|
||||||
"deny request if authz lookup fails": {
|
"deny request if authz lookup fails on certificate change": {
|
||||||
allowedName: "abc.com/xyz",
|
allowedName: "abc.com/xyz",
|
||||||
attributes: &testAttributes{
|
attributes: &testAttributes{
|
||||||
resource: certificatesapi.Resource("certificatesigningrequests"),
|
resource: certificatesapi.Resource("certificatesigningrequests"),
|
||||||
@ -84,6 +84,27 @@ func TestPlugin_Validate(t *testing.T) {
|
|||||||
authzErr: errors.New("test"),
|
authzErr: errors.New("test"),
|
||||||
allowed: false,
|
allowed: false,
|
||||||
},
|
},
|
||||||
|
"deny request if authz lookup fails on condition change": {
|
||||||
|
allowedName: "abc.com/xyz",
|
||||||
|
attributes: &testAttributes{
|
||||||
|
resource: certificatesapi.Resource("certificatesigningrequests"),
|
||||||
|
subresource: "status",
|
||||||
|
oldObj: &certificatesapi.CertificateSigningRequest{Spec: certificatesapi.CertificateSigningRequestSpec{
|
||||||
|
SignerName: "abc.com/xyz",
|
||||||
|
}},
|
||||||
|
obj: &certificatesapi.CertificateSigningRequest{
|
||||||
|
Spec: certificatesapi.CertificateSigningRequestSpec{
|
||||||
|
SignerName: "abc.com/xyz",
|
||||||
|
},
|
||||||
|
Status: certificatesapi.CertificateSigningRequestStatus{
|
||||||
|
Conditions: []certificatesapi.CertificateSigningRequestCondition{{Type: certificatesapi.CertificateFailed}},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
operation: admission.Update,
|
||||||
|
},
|
||||||
|
authzErr: errors.New("test"),
|
||||||
|
allowed: false,
|
||||||
|
},
|
||||||
"allow request if user is authorized for specific signerName": {
|
"allow request if user is authorized for specific signerName": {
|
||||||
allowedName: "abc.com/xyz",
|
allowedName: "abc.com/xyz",
|
||||||
attributes: &testAttributes{
|
attributes: &testAttributes{
|
||||||
|
Loading…
Reference in New Issue
Block a user