This change adds nonResourceURL support to kubectl auth can-i
This commit is contained in:
parent
da5edc11f3
commit
3bf3a031e8
@ -24,7 +24,6 @@ go_library(
|
|||||||
"//vendor/github.com/spf13/cobra:go_default_library",
|
"//vendor/github.com/spf13/cobra:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/api/meta:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
|
||||||
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -28,7 +28,6 @@ import (
|
|||||||
|
|
||||||
"k8s.io/apimachinery/pkg/api/meta"
|
"k8s.io/apimachinery/pkg/api/meta"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
|
||||||
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
|
authorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
|
||||||
internalauthorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
|
internalauthorizationclient "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/authorization/internalversion"
|
||||||
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
|
"k8s.io/kubernetes/pkg/kubectl/cmd/templates"
|
||||||
@ -45,6 +44,7 @@ type CanIOptions struct {
|
|||||||
|
|
||||||
Verb string
|
Verb string
|
||||||
Resource schema.GroupVersionResource
|
Resource schema.GroupVersionResource
|
||||||
|
NonResourceURL string
|
||||||
Subresource string
|
Subresource string
|
||||||
ResourceName string
|
ResourceName string
|
||||||
|
|
||||||
@ -58,6 +58,7 @@ var (
|
|||||||
|
|
||||||
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
|
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.
|
||||||
TYPE is a Kubernetes resource. Shortcuts and groups will be resolved.
|
TYPE is a Kubernetes resource. Shortcuts and groups will be resolved.
|
||||||
|
NONRESOURCEURL is a partial URL starts with "/".
|
||||||
NAME is the name of a particular Kubernetes resource.`)
|
NAME is the name of a particular Kubernetes resource.`)
|
||||||
|
|
||||||
canIExample = templates.Examples(`
|
canIExample = templates.Examples(`
|
||||||
@ -73,8 +74,11 @@ var (
|
|||||||
# Check to see if I can get the job named "bar" in namespace "foo"
|
# Check to see if I can get the job named "bar" in namespace "foo"
|
||||||
kubectl auth can-i list jobs.batch/bar -n foo
|
kubectl auth can-i list jobs.batch/bar -n foo
|
||||||
|
|
||||||
# check to see if I can read pod logs
|
# Check to see if I can read pod logs
|
||||||
kubectl auth can-i get pods --subresource=log`)
|
kubectl auth can-i get pods --subresource=log
|
||||||
|
|
||||||
|
# Check to see if I can access the URL /logs/
|
||||||
|
kubectl auth can-i get /logs/`)
|
||||||
)
|
)
|
||||||
|
|
||||||
func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
|
func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
|
||||||
@ -84,7 +88,7 @@ func NewCmdCanI(f cmdutil.Factory, out, err io.Writer) *cobra.Command {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cmd := &cobra.Command{
|
cmd := &cobra.Command{
|
||||||
Use: "can-i VERB [TYPE | TYPE/NAME]",
|
Use: "can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]",
|
||||||
Short: "Check whether an action is allowed",
|
Short: "Check whether an action is allowed",
|
||||||
Long: canILong,
|
Long: canILong,
|
||||||
Example: canIExample,
|
Example: canIExample,
|
||||||
@ -116,9 +120,13 @@ func (o *CanIOptions) Complete(f cmdutil.Factory, args []string) error {
|
|||||||
|
|
||||||
switch len(args) {
|
switch len(args) {
|
||||||
case 2:
|
case 2:
|
||||||
|
o.Verb = args[0]
|
||||||
|
if strings.HasPrefix(args[1], "/") {
|
||||||
|
o.NonResourceURL = args[1]
|
||||||
|
break
|
||||||
|
}
|
||||||
resourceTokens := strings.SplitN(args[1], "/", 2)
|
resourceTokens := strings.SplitN(args[1], "/", 2)
|
||||||
restMapper, _ := f.Object()
|
restMapper, _ := f.Object()
|
||||||
o.Verb = args[0]
|
|
||||||
o.Resource = o.resourceFor(restMapper, resourceTokens[0])
|
o.Resource = o.resourceFor(restMapper, resourceTokens[0])
|
||||||
if len(resourceTokens) > 1 {
|
if len(resourceTokens) > 1 {
|
||||||
o.ResourceName = resourceTokens[1]
|
o.ResourceName = resourceTokens[1]
|
||||||
@ -146,12 +154,21 @@ func (o *CanIOptions) Complete(f cmdutil.Factory, args []string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (o *CanIOptions) Validate() error {
|
func (o *CanIOptions) Validate() error {
|
||||||
errors := []error{}
|
if o.NonResourceURL != "" {
|
||||||
return utilerrors.NewAggregate(errors)
|
if o.Subresource != "" {
|
||||||
|
return fmt.Errorf("--subresource can not be used with nonResourceURL")
|
||||||
|
}
|
||||||
|
if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" {
|
||||||
|
return fmt.Errorf("nonResourceURL and Resource can not specified together")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (o *CanIOptions) RunAccessCheck() (bool, error) {
|
func (o *CanIOptions) RunAccessCheck() (bool, error) {
|
||||||
sar := &authorizationapi.SelfSubjectAccessReview{
|
var sar *authorizationapi.SelfSubjectAccessReview
|
||||||
|
if o.NonResourceURL == "" {
|
||||||
|
sar = &authorizationapi.SelfSubjectAccessReview{
|
||||||
Spec: authorizationapi.SelfSubjectAccessReviewSpec{
|
Spec: authorizationapi.SelfSubjectAccessReviewSpec{
|
||||||
ResourceAttributes: &authorizationapi.ResourceAttributes{
|
ResourceAttributes: &authorizationapi.ResourceAttributes{
|
||||||
Namespace: o.Namespace,
|
Namespace: o.Namespace,
|
||||||
@ -163,6 +180,17 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
sar = &authorizationapi.SelfSubjectAccessReview{
|
||||||
|
Spec: authorizationapi.SelfSubjectAccessReviewSpec{
|
||||||
|
NonResourceAttributes: &authorizationapi.NonResourceAttributes{
|
||||||
|
Verb: o.Verb,
|
||||||
|
Path: o.NonResourceURL,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
response, err := o.SelfSARClient.SelfSubjectAccessReviews().Create(sar)
|
response, err := o.SelfSARClient.SelfSubjectAccessReviews().Create(sar)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
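Review bot: The non-resource branch added to RunAccessCheck builds NonResourceAttributes from Verb and Path only, so an explicit `-n foo` on `kubectl auth can-i get /logs` is silently dropped and the user gets an answer to a different (cluster-wide) question than the one they typed; since Validate already rejects `--subresource` in this mode, the field should at least say so, e.g. on the new struct field `// NonResourceURL is a non-resource API path (starts with "/"); namespace, subresource and resource name do not apply to it.` Whether a non-default namespace should be an error rather than a comment depends on whether o.Namespace is always populated from the kubeconfig context, which is set outside these hunks, so I would not hard-reject it here. The two new error strings in Validate are ungrammatical and should read `--subresource cannot be used with a non-resource URL` and `a non-resource URL and a resource cannot be specified together`; the second check is also unreachable given the `break` in Complete before resourceFor runs, which is fine as a defensive guard but worth a one-line comment. The help text `NONRESOURCEURL is a partial URL starts with "/".` should read `NONRESOURCEURL is a partial URL that starts with "/".`, and because the path is sent verbatim (presumably matched literally by the authorizer), the example's `/logs/` and the test's `/logs` are different questions, which the help text could state.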
@ -104,6 +104,15 @@ func TestRunAccessCheck(t *testing.T) {
|
|||||||
`{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`,
|
`{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "nonResourceURL",
|
||||||
|
o: &CanIOptions{},
|
||||||
|
args: []string{"get", "/logs"},
|
||||||
|
allowed: true,
|
||||||
|
expectedBodyStrings: []string{
|
||||||
|
`{"nonResourceAttributes":{"path":"/logs","verb":"get"}}`,
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
|
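Review bot: The new `nonResourceURL` table entry only exercises the allowed path, so neither rejection that Validate now performs is pinned and a regression that lets `--subresource` or a resource name through alongside a non-resource URL would go unnoticed. I would add a small Validate test with `o: &CanIOptions{NonResourceURL: "/logs", Subresource: "log"}` expecting a non-nil error, and extend the existing entry's `expectedBodyStrings` check (or a negative counterpart, if the harness supports one) to confirm the request body carries no `resourceAttributes` key. The TestRunAccessCheck table starts before this hunk and the `for _, test := range tests` loop runs past it, so the harness's exact capabilities are not visible here.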