github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-31 15:25:57 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #43489 from liggitt/20170302-psp-authz

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 43492, 43489)

Authorize PSP usage for pods without service accounts

Fixes #43459

```release-note
PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin.
```
This commit is contained in:
Kubernetes Submit Queue 2017-03-21 22:53:18 -07:00 committed by GitHub
commit 6f9074f069
2 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
plugin/pkg/admission/security/podsecuritypolicy/admission.go
View File

@ -288,7 +288,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
} }
for _, constraint := range list { for _, constraint := range list {
if authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) { // if no user info exists then the API is being hit via the unsecured port. In this case authorize the request.
if user == nil || authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) {
matchedPolicies = append(matchedPolicies, constraint) matchedPolicies = append(matchedPolicies, constraint)
} }
} }
@ -298,10 +299,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
// authorizedForPolicy returns true if info is authorized to perform a "get" on policy. // authorizedForPolicy returns true if info is authorized to perform a "get" on policy.
func authorizedForPolicy(info user.Info, policy *extensions.PodSecurityPolicy, authz authorizer.Authorizer) bool { func authorizedForPolicy(info user.Info, policy *extensions.PodSecurityPolicy, authz authorizer.Authorizer) bool {
// if no info exists then the API is being hit via the unsecured port. In this case
// authorize the request.
if info == nil { if info == nil {
return true return false
} }
attr := buildAttributes(info, policy) attr := buildAttributes(info, policy)
allowed, reason, err := authz.Authorize(attr) allowed, reason, err := authz.Authorize(attr)

7
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View File

@ -1610,7 +1610,7 @@ func TestGetMatchingPolicies(t *testing.T) {
// (ie. a request hitting the unsecure port) // (ie. a request hitting the unsecure port)
expectedPolicies: sets.NewString("policy1", "policy2", "policy3"), expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
}, },
"policies are allowed for nil sa info": { "policies are not allowed for nil sa info": {
user: &user.DefaultInfo{Name: "user"}, user: &user.DefaultInfo{Name: "user"},
sa: nil, sa: nil,
disallowedPolicies: map[string][]string{ disallowedPolicies: map[string][]string{
@ -1622,9 +1622,8 @@ func TestGetMatchingPolicies(t *testing.T) {
policyWithName("policy2"), policyWithName("policy2"),
policyWithName("policy3"), policyWithName("policy3"),
}, },
// all policies are allowed regardless of the permissions when sa info is nil // only the policies for the user are allowed when sa info is nil
// (ie. a request hitting the unsecure port) expectedPolicies: sets.NewString("policy2"),
expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
}, },
} }
for k, v := range tests { for k, v := range tests {