Move kube-apiserver authz validation functions

2025-08-22 01:56:16 +00:00 · 2023-11-07 10:15:56 -06:00 · 2023-11-07 10:15:56 -06:00 · 5f4cb8b09a
commit 5f4cb8b09a
parent eeefc299e5
2 changed files with 65 additions and 50 deletions
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@ -19,10 +19,15 @@ package authorizer
 import (
 	"errors"
 	"fmt"
 	"strings"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	authzconfig "k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/apis/apiserver/load"
 	"k8s.io/apiserver/pkg/apis/apiserver/validation"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
@ -156,3 +161,56 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 	return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
 }
 // RepeatableAuthorizerTypes is the list of Authorizer that can be repeated in the Authorization Config
 var repeatableAuthorizerTypes = []string{modes.ModeWebhook}
 // GetNameForAuthorizerMode returns the name to be set for the mode in AuthorizationConfiguration
 // For now, lower cases the mode name
 func GetNameForAuthorizerMode(mode string) string {
 	return strings.ToLower(mode)
 }
 func LoadAndValidateFile(configFile string, requireNonWebhookTypes sets.Set[authzconfig.AuthorizerType]) (*authzconfig.AuthorizationConfiguration, error) {
 	// load the file and check for errors
 	authorizationConfiguration, err := load.LoadFromFile(configFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load AuthorizationConfiguration from file: %v", err)
 	}
 	// validate the file and return any error
 	if errors := validation.ValidateAuthorizationConfiguration(nil, authorizationConfiguration,
 		sets.NewString(modes.AuthorizationModeChoices...),
 		sets.NewString(repeatableAuthorizerTypes...),
 	); len(errors) != 0 {
 		return nil, fmt.Errorf(errors.ToAggregate().Error())
 	}
 	// test to check if the authorizer names passed conform to the authorizers for type!=Webhook
 	// this test is only for kube-apiserver and hence checked here
 	// it preserves compatibility with o.buildAuthorizationConfiguration
 	var allErrors []error
 	seenModes := sets.New[authzconfig.AuthorizerType]()
 	for _, authorizer := range authorizationConfiguration.Authorizers {
 		if string(authorizer.Type) == modes.ModeWebhook {
 			continue
 		}
 		seenModes.Insert(authorizer.Type)
 		expectedName := GetNameForAuthorizerMode(string(authorizer.Type))
 		if expectedName != authorizer.Name {
 			allErrors = append(allErrors, fmt.Errorf("expected name %s for authorizer %s instead of %s", expectedName, authorizer.Type, authorizer.Name))
 		}
 	}
 	if missingTypes := requireNonWebhookTypes.Difference(seenModes); missingTypes.Len() > 0 {
 		allErrors = append(allErrors, fmt.Errorf("missing required types: %v", sets.List(missingTypes)))
 	}
 	if len(allErrors) > 0 {
 		return nil, utilerrors.NewAggregate(allErrors)
 	}
 	return authorizationConfiguration, nil
 }
--- a/pkg/kubeapiserver/options/authorization.go
+++ b/pkg/kubeapiserver/options/authorization.go
@ -21,7 +21,6 @@ import (
 	"strings"
 	"time"
 	"k8s.io/apiserver/pkg/apis/apiserver/load"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@ -31,7 +30,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/wait"
 	authzconfig "k8s.io/apiserver/pkg/apis/apiserver"
 	"k8s.io/apiserver/pkg/apis/apiserver/validation"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	versionedinformers "k8s.io/client-go/informers"
@ -50,9 +48,6 @@ const (
 	authorizationConfigFlag                 = "authorization-config"
 )
 // RepeatableAuthorizerTypes is the list of Authorizer that can be repeated in the Authorization Config
 var repeatableAuthorizerTypes = []string{authzmodes.ModeWebhook}
 // BuiltInAuthorizationOptions contains all build-in authorization options for API Server
 type BuiltInAuthorizationOptions struct {
 	Modes                       []string
@ -118,32 +113,10 @@ func (o *BuiltInAuthorizationOptions) Validate() []error {
 			return append(allErrors, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag))
 		}
-		// load the file and check for errors
+		// load/validate kube-apiserver authz config with no opinion about required modes
-		config, err := load.LoadFromFile(o.AuthorizationConfigurationFile)
+		_, err := authorizer.LoadAndValidateFile(o.AuthorizationConfigurationFile, nil)
 		if err != nil {
-			return append(allErrors, fmt.Errorf("failed to load AuthorizationConfiguration from file: %v", err))
+			return append(allErrors, err)
 		}
 		// validate the file and return any error
 		if errors := validation.ValidateAuthorizationConfiguration(nil, config,
 			sets.NewString(authzmodes.AuthorizationModeChoices...),
 			sets.NewString(repeatableAuthorizerTypes...),
 		); len(errors) != 0 {
 			allErrors = append(allErrors, errors.ToAggregate().Errors()...)
 		}
 		// test to check if the authorizer names passed conform to the authorizers for type!=Webhook
 		// this test is only for kube-apiserver and hence checked here
 		// it preserves compatibility with o.buildAuthorizationConfiguration
 		for _, authorizer := range config.Authorizers {
 			if string(authorizer.Type) == authzmodes.ModeWebhook {
 				continue
 			}
 			expectedName := getNameForAuthorizerMode(string(authorizer.Type))
 			if expectedName != authorizer.Name {
 				allErrors = append(allErrors, fmt.Errorf("expected name %s for authorizer %s instead of %s", expectedName, authorizer.Type, authorizer.Name))
 			}
 		}
 		return allErrors
@ -255,24 +228,14 @@ func (o *BuiltInAuthorizationOptions) ToAuthorizationConfig(versionedInformerFac
 		if !utilfeature.DefaultFeatureGate.Enabled(genericfeatures.StructuredAuthorizationConfiguration) {
 			return nil, fmt.Errorf("--%s cannot be used without enabling StructuredAuthorizationConfiguration feature flag", authorizationConfigFlag)
 		}
 		// error out if legacy flags are defined
 		if o.AreLegacyFlagsSet != nil && o.AreLegacyFlagsSet() {
 			return nil, fmt.Errorf("--%s can not be specified when --%s or --authorization-webhook-* flags are defined", authorizationConfigFlag, authorizationModeFlag)
 		}
-
+		// load/validate kube-apiserver authz config with no opinion about required modes
-		// load the file and check for errors
+		authorizationConfiguration, err = authorizer.LoadAndValidateFile(o.AuthorizationConfigurationFile, nil)
 		authorizationConfiguration, err = load.LoadFromFile(o.AuthorizationConfigurationFile)
 		if err != nil {
-			return nil, fmt.Errorf("failed to load AuthorizationConfiguration from file: %v", err)
+			return nil, err
 		}
 		// validate the file and return any error
 		if errors := validation.ValidateAuthorizationConfiguration(nil, authorizationConfiguration,
 			sets.NewString(authzmodes.AuthorizationModeChoices...),
 			sets.NewString(repeatableAuthorizerTypes...),
 		); len(errors) != 0 {
 			return nil, fmt.Errorf(errors.ToAggregate().Error())
 		}
 	} else {
 		authorizationConfiguration, err = o.buildAuthorizationConfiguration()
@ -321,16 +284,10 @@ func (o *BuiltInAuthorizationOptions) buildAuthorizationConfiguration() (*authzc
 		default:
 			authorizers = append(authorizers, authzconfig.AuthorizerConfiguration{
 				Type: authzconfig.AuthorizerType(mode),
-				Name: getNameForAuthorizerMode(mode),
+				Name: authorizer.GetNameForAuthorizerMode(mode),
 			})
 		}
 	}
 	return &authzconfig.AuthorizationConfiguration{Authorizers: authorizers}, nil
 }
 // getNameForAuthorizerMode returns the name to be set for the mode in AuthorizationConfiguration
 // For now, lower cases the mode name
 func getNameForAuthorizerMode(mode string) string {
 	return strings.ToLower(mode)
 }