[auth]Check verbs for nonresourceurls and resources

This commit is contained in:
Troy Connor 2020-10-10 11:25:59 -04:00
parent c72b30b3b7
commit 782b943987
No known key found for this signature in database
GPG Key ID: 97E3BD011FA14CF8
2 changed files with 20 additions and 1 deletions


@ -26,6 +26,7 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/genericclioptions:go_default_library", "//staging/src/k8s.io/cli-runtime/pkg/genericclioptions:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/printers:go_default_library", "//staging/src/k8s.io/cli-runtime/pkg/printers:go_default_library",
"//staging/src/k8s.io/cli-runtime/pkg/resource:go_default_library", "//staging/src/k8s.io/cli-runtime/pkg/resource:go_default_library",


@ -34,6 +34,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/cli-runtime/pkg/genericclioptions" "k8s.io/cli-runtime/pkg/genericclioptions"
"k8s.io/cli-runtime/pkg/printers" "k8s.io/cli-runtime/pkg/printers"
discovery "k8s.io/client-go/discovery" discovery "k8s.io/client-go/discovery"
@ -94,6 +95,9 @@ var (
# List all allowed actions in namespace "foo" # List all allowed actions in namespace "foo"
kubectl auth can-i --list --namespace=foo`) kubectl auth can-i --list --namespace=foo`)
resourceVerbs = sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "use", "bind", "impersonate", "*")
nonResourceURLVerbs = sets.NewString("get", "put", "post", "head", "options", "delete", "patch", "*")
) )
// NewCmdCanI returns an initialized Command for 'auth can-i' sub command // NewCmdCanI returns an initialized Command for 'auth can-i' sub command
@ -201,6 +205,9 @@ func (o *CanIOptions) Validate() error {
if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" { if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" {
return fmt.Errorf("NonResourceURL and ResourceName can not specified together") return fmt.Errorf("NonResourceURL and ResourceName can not specified together")
} }
if !isKnownNonResourceVerb(o.Verb) {
fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
}
} else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil { } else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {
if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced { if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced {
if len(o.Resource.Group) == 0 { if len(o.Resource.Group) == 0 {
@ -209,6 +216,10 @@ func (o *CanIOptions) Validate() error {
fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group) fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group)
} }
} }
if !isKnownResourceVerb(o.Verb) {
fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb)
}
} }
if o.NoHeaders { if o.NoHeaders {
@ -263,7 +274,6 @@ func (o *CanIOptions) RunAccessCheck() (bool, error) {
if err != nil { if err != nil {
return false, err return false, err
} }
if response.Status.Allowed { if response.Status.Allowed {
fmt.Fprintln(o.Out, "yes") fmt.Fprintln(o.Out, "yes")
} else { } else {
@ -393,3 +403,11 @@ func isNamespaced(gvr schema.GroupVersionResource, discoveryClient discovery.Dis
return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group) return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group)
} }
func isKnownResourceVerb(s string) bool {
return resourceVerbs.Has(s)
}
func isKnownNonResourceVerb(s string) bool {
return nonResourceURLVerbs.Has(s)
}
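Review bot: The resource-verb warning in the `@ -209,6 +216,10` hunk is placed inside the `} else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil {` branch, so an unknown verb produces no warning when `--all-namespaces` is set or when no discovery client is available, while the identical verb without that flag does; the non-resource-URL check in the `@ -201,6 +205,9` hunk has no such dependency, so the two behave inconsistently. Moving the three lines out of that branch to just after the closing `}` before `if o.NoHeaders {`, guarded as `if !o.Resource.Empty() && !isKnownResourceVerb(o.Verb) {`, would make the warning depend only on what is being checked; the `Validate` function starts and ends outside both hunks, so the exact placement needs checking against the `--list` path, where `o.Verb` is presumably empty and would otherwise warn spuriously. As a point of style, `%q` instead of `'%s'` in the two new `Warning: verb ...` lines would quote and escape a verb taken straight from the command line, which also makes an empty verb visible in the warning. Since a typo'd verb still reaches the SubjectAccessReview and simply answers "no", a short comment on `resourceVerbs`/`nonResourceURLVerbs` such as `// Verbs accepted without a warning; the check is advisory and does not change the access result.` would make the intent clear to the next reader.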