Store constructed node/rbac/abac authorizers

2025-08-11 21:12:07 +00:00 · 2023-11-07 10:33:12 -06:00 · 2023-11-07 10:33:12 -06:00 · 49124293c3
commit 49124293c3
parent 5f4cb8b09a
2 changed files with 74 additions and 10 deletions
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@ -74,6 +74,10 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 		return nil, nil, fmt.Errorf("at least one authorization mode must be passed")
 	}
 	r := &reloadableAuthorizerResolver{
 		initialConfig: config,
 	}
 	var (
 		authorizers   []authorizer.Authorizer
 		ruleResolvers []authorizer.RuleResolver
@ -96,9 +100,9 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 				config.VersionedInformerFactory.Core().V1().PersistentVolumes(),
 				config.VersionedInformerFactory.Storage().V1().VolumeAttachments(),
 			)
-			nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
+			r.nodeAuthorizer = node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
-			authorizers = append(authorizers, nodeAuthorizer)
+			authorizers = append(authorizers, r.nodeAuthorizer)
-			ruleResolvers = append(ruleResolvers, nodeAuthorizer)
+			ruleResolvers = append(ruleResolvers, r.nodeAuthorizer)
 		case authzconfig.AuthorizerType(modes.ModeAlwaysAllow):
 			alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
@ -109,12 +113,13 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 			authorizers = append(authorizers, alwaysDenyAuthorizer)
 			ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
 		case authzconfig.AuthorizerType(modes.ModeABAC):
-			abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
+			var err error
 			r.abacAuthorizer, err = abac.NewFromFile(config.PolicyFile)
 			if err != nil {
 				return nil, nil, err
 			}
-			authorizers = append(authorizers, abacAuthorizer)
+			authorizers = append(authorizers, r.abacAuthorizer)
-			ruleResolvers = append(ruleResolvers, abacAuthorizer)
+			ruleResolvers = append(ruleResolvers, r.abacAuthorizer)
 		case authzconfig.AuthorizerType(modes.ModeWebhook):
 			if config.WebhookRetryBackoff == nil {
 				return nil, nil, errors.New("retry backoff parameters for authorization webhook has not been specified")
@ -146,20 +151,25 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 			authorizers = append(authorizers, webhookAuthorizer)
 			ruleResolvers = append(ruleResolvers, webhookAuthorizer)
 		case authzconfig.AuthorizerType(modes.ModeRBAC):
-			rbacAuthorizer := rbac.New(
+			r.rbacAuthorizer = rbac.New(
 				&rbac.RoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().Roles().Lister()},
 				&rbac.RoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().RoleBindings().Lister()},
 				&rbac.ClusterRoleGetter{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoles().Lister()},
 				&rbac.ClusterRoleBindingLister{Lister: config.VersionedInformerFactory.Rbac().V1().ClusterRoleBindings().Lister()},
 			)
-			authorizers = append(authorizers, rbacAuthorizer)
+			authorizers = append(authorizers, r.rbacAuthorizer)
-			ruleResolvers = append(ruleResolvers, rbacAuthorizer)
+			ruleResolvers = append(ruleResolvers, r.rbacAuthorizer)
 		default:
 			return nil, nil, fmt.Errorf("unknown authorization mode %s specified", configuredAuthorizer.Type)
 		}
 	}
-	return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
+	r.current.Store(&authorizerResolver{
 		authorizer:   union.New(authorizers...),
 		ruleResolver: union.NewRuleResolvers(ruleResolvers...),
 	})
 	return r, r, nil
 }
 // RepeatableAuthorizerTypes is the list of Authorizer that can be repeated in the Authorization Config
--- a/pkg/kubeapiserver/authorizer/reload.go
+++ b/pkg/kubeapiserver/authorizer/reload.go
@ -0,0 +1,54 @@
 /*
 Copyright 2024 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package authorizer
 import (
 	"context"
 	"sync/atomic"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
 )
 type reloadableAuthorizerResolver struct {
 	// initialConfig holds the ReloadFile used to initiate background reloading,
 	// and information used to construct webhooks that isn't exposed in the authorization
 	// configuration file (dial function, backoff settings, etc)
 	initialConfig Config
 	nodeAuthorizer *node.NodeAuthorizer
 	rbacAuthorizer *rbac.RBACAuthorizer
 	abacAuthorizer abac.PolicyList
 	current atomic.Pointer[authorizerResolver]
 }
 type authorizerResolver struct {
 	authorizer   authorizer.Authorizer
 	ruleResolver authorizer.RuleResolver
 }
 func (r *reloadableAuthorizerResolver) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
 	return r.current.Load().authorizer.Authorize(ctx, a)
 }
 func (r *reloadableAuthorizerResolver) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 	return r.current.Load().ruleResolver.RulesFor(user, namespace)
 }