diff --git a/pkg/kubeapiserver/authorizer/BUILD b/pkg/kubeapiserver/authorizer/BUILD
index 5fab7712679..a2864f4014a 100644
--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@@ -20,16 +20,13 @@ go_library(
     name = "go_default_library",
     srcs = ["config.go"],
     deps = [
-        "//pkg/apis/rbac:go_default_library",
         "//pkg/auth/authorizer/abac:go_default_library",
         "//pkg/auth/nodeidentifier:go_default_library",
         "//pkg/client/informers/informers_generated/internalversion:go_default_library",
-        "//pkg/client/listers/rbac/internalversion:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
         "//plugin/pkg/auth/authorizer/node:go_default_library",
         "//plugin/pkg/auth/authorizer/rbac:go_default_library",
         "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
-        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index e30bbfddd5c..1466d2b4114 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -21,16 +21,13 @@ import (
 	"fmt"
 	"time"
 
-	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/authorization/authorizerfactory"
 	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
-	rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
 	"k8s.io/kubernetes/pkg/auth/authorizer/abac"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
-	rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 	"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@@ -57,38 +54,6 @@ type AuthorizationConfig struct {
 	InformerFactory informers.SharedInformerFactory
 }
 
-type roleGetter struct {
-	lister rbaclisters.RoleLister
-}
-
-func (g *roleGetter) GetRole(namespace, name string) (*rbacapi.Role, error) {
-	return g.lister.Roles(namespace).Get(name)
-}
-
-type roleBindingLister struct {
-	lister rbaclisters.RoleBindingLister
-}
-
-func (l *roleBindingLister) ListRoleBindings(namespace string) ([]*rbacapi.RoleBinding, error) {
-	return l.lister.RoleBindings(namespace).List(labels.Everything())
-}
-
-type clusterRoleGetter struct {
-	lister rbaclisters.ClusterRoleLister
-}
-
-func (g *clusterRoleGetter) GetClusterRole(name string) (*rbacapi.ClusterRole, error) {
-	return g.lister.Get(name)
-}
-
-type clusterRoleBindingLister struct {
-	lister rbaclisters.ClusterRoleBindingLister
-}
-
-func (l *clusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacapi.ClusterRoleBinding, error) {
-	return l.lister.List(labels.Everything())
-}
-
 // New returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error.
 func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
@@ -141,10 +106,10 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 			authorizers = append(authorizers, webhookAuthorizer)
 		case modes.ModeRBAC:
 			rbacAuthorizer := rbac.New(
-				&roleGetter{config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
-				&roleBindingLister{config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
-				&clusterRoleGetter{config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
-				&clusterRoleBindingLister{config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
+				&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
+				&rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
+				&rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
+				&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
 			)
 			authorizers = append(authorizers, rbacAuthorizer)
 		default:
diff --git a/plugin/pkg/auth/authorizer/rbac/BUILD b/plugin/pkg/auth/authorizer/rbac/BUILD
index 37fdbaaf0c5..4325ab9c12b 100644
--- a/plugin/pkg/auth/authorizer/rbac/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/BUILD
@@ -14,8 +14,10 @@ go_library(
     ],
     deps = [
         "//pkg/apis/rbac:go_default_library",
+        "//pkg/client/listers/rbac/internalversion:go_default_library",
         "//pkg/registry/rbac/validation:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
         "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go
index 25d773909e7..6341936edc5 100644
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@@ -24,10 +24,12 @@ import (
 	"bytes"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/kubernetes/pkg/apis/rbac"
+	rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 	rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
 )
@@ -156,3 +158,35 @@ func RuleAllows(requestAttributes authorizer.Attributes, rule *rbac.PolicyRule)
 	return rbac.VerbMatches(rule, requestAttributes.GetVerb()) &&
 		rbac.NonResourceURLMatches(rule, requestAttributes.GetPath())
 }
+
+type RoleGetter struct {
+	Lister rbaclisters.RoleLister
+}
+
+func (g *RoleGetter) GetRole(namespace, name string) (*rbac.Role, error) {
+	return g.Lister.Roles(namespace).Get(name)
+}
+
+type RoleBindingLister struct {
+	Lister rbaclisters.RoleBindingLister
+}
+
+func (l *RoleBindingLister) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
+	return l.Lister.RoleBindings(namespace).List(labels.Everything())
+}
+
+type ClusterRoleGetter struct {
+	Lister rbaclisters.ClusterRoleLister
+}
+
+func (g *ClusterRoleGetter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
+	return g.Lister.Get(name)
+}
+
+type ClusterRoleBindingLister struct {
+	Lister rbaclisters.ClusterRoleBindingLister
+}
+
+func (l *ClusterRoleBindingLister) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
+	return l.Lister.List(labels.Everything())
+}
diff --git a/plugin/pkg/auth/authorizer/rbac/subject_locator.go b/plugin/pkg/auth/authorizer/rbac/subject_locator.go
index e86df3249ce..0f5f413b9a3 100644
--- a/plugin/pkg/auth/authorizer/rbac/subject_locator.go
+++ b/plugin/pkg/auth/authorizer/rbac/subject_locator.go
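Review bot: The four exported types added at the end of rbac.go (RoleGetter, RoleBindingLister, ClusterRoleGetter, ClusterRoleBindingLister) and their methods carry no doc comments, which Go convention requires for exported names now that they are part of the package's API; something like `// RoleGetter adapts a cache-backed RoleLister to the role-getter interface consumed by New.` on each type, with a parallel one-liner for the binding listers and the cluster-scoped variants, would do. The comments should also state that the zero value is unusable: every method dereferences Lister, so a caller that forgets to set it gets a nil-pointer panic inside an authorization decision rather than a deny. Since these structs exist to satisfy the interfaces New accepts, a compile-time assertion per type in the style of the `var _ = SubjectLocator(...)` line this same commit adds to subject_locator.go (e.g. `var _ rbacregistryvalidation.RoleGetter = &RoleGetter{}`, if that is indeed the interface New takes) would catch signature drift at build time instead of at the call site in config.go. The `labels.Everything()` selectors are correct here, because an authorizer must consider every binding, and a short why-comment such as `// no selector: every binding must be considered` would keep a future reader from narrowing it.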
@@ -31,6 +31,12 @@ type RoleToRuleMapper interface {
 	GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
 }
 
+type SubjectLocator interface {
+	AllowedSubjects(attributes authorizer.Attributes) ([]rbac.Subject, error)
+}
+
+var _ = SubjectLocator(&SubjectAccessEvaluator{})
+
 type SubjectAccessEvaluator struct {
 	superUser string