Ensure version "*" is passed instead of "" for all authz checks (#116937)

* ensure version "*" is passed instead of "" for all authz checks

* unexport match function

* remove allversion constant
Sheng Zhan
2023-04-26 00:06:18 +08:00
committed by GitHub
parent c471f03ea3
commit 892ebf2d25
4 changed files with 42 additions and 6 deletions


@@ -29,7 +29,6 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
certificatesinformers "k8s.io/client-go/informers/certificates/v1"
clientset "k8s.io/client-go/kubernetes"
capihelper "k8s.io/kubernetes/pkg/apis/certificates"
"k8s.io/kubernetes/pkg/controller/certificates"
)
@@ -63,12 +62,12 @@ func recognizers() []csrRecognizer {
recognizers := []csrRecognizer{
{
recognize: isSelfNodeClientCert,
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "selfnodeclient"},
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "selfnodeclient", Version: "*"},
successMessage: "Auto approving self kubelet client certificate after SubjectAccessReview.",
},
{
recognize: isNodeClientCert,
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "nodeclient"},
permission: authorization.ResourceAttributes{Group: "certificates.k8s.io", Resource: "certificatesigningrequests", Verb: "create", Subresource: "nodeclient", Version: "*"},
successMessage: "Auto approving kubelet client certificate after SubjectAccessReview.",
},
}
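Review bot: The two `permission` literals in `recognizers()` now carry `Version: "*"` with no comment saying why, and the value is written by hand in each entry, so a recognizer added later without the field would send an empty version in its SubjectAccessReview again and nothing in this hunk would catch it. Going by the commit title, the wildcard is there so that an authorizer which looks at the API version sees an explicit match-all rather than `""`; I would state that above the slice, e.g. `// Version is "*" so the check is version-independent for authorizers that match on API version; never leave it empty.` Because these checks gate automatic approval of kubelet client certificates, a test that walks `recognizers()` and fails on an empty `permission.Version` would be worth adding if the other changed files do not already contain one. The function body continues past the end of the hunk.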