github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 19:31:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #87239 from lemonli/cleanup/node-authorizer

Browse Source 
clean up node_authorizer code: verb judgement
This commit is contained in:
Kubernetes Prow Robot 2020-01-24 19:21:15 -08:00 committed by GitHub
commit 9633dd63b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
plugin/pkg/auth/authorizer/node/node_authorizer.go
View File

@ -167,10 +167,14 @@ func (r *NodeAuthorizer) authorizeGet(nodeName string, startingType vertexType,
// authorizeReadNamespacedObject authorizes "get", "list" and "watch" requests to single objects of a // authorizeReadNamespacedObject authorizes "get", "list" and "watch" requests to single objects of a
// specified types if they are related to the specified node. // specified types if they are related to the specified node.
func (r *NodeAuthorizer) authorizeReadNamespacedObject(nodeName string, startingType vertexType, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeReadNamespacedObject(nodeName string, startingType vertexType, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
if attrs.GetVerb() != "get" && attrs.GetVerb() != "list" && attrs.GetVerb() != "watch" { switch attrs.GetVerb() {
case "get", "list", "watch":
//ok
default:
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only read resources of this type", nil return authorizer.DecisionNoOpinion, "can only read resources of this type", nil
} }
if len(attrs.GetSubresource()) > 0 { if len(attrs.GetSubresource()) > 0 {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "cannot read subresource", nil return authorizer.DecisionNoOpinion, "cannot read subresource", nil
@ -229,11 +233,10 @@ func (r *NodeAuthorizer) authorizeCreateToken(nodeName string, startingType vert
func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
// allowed verbs: get, create, update, patch, delete // allowed verbs: get, create, update, patch, delete
verb := attrs.GetVerb() verb := attrs.GetVerb()
if verb != "get" && switch verb {
verb != "create" && case "get", "create", "update", "patch", "delete":
verb != "update" && //ok
verb != "patch" && default:
verb != "delete" {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a node lease", nil return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a node lease", nil
} }
@ -259,11 +262,10 @@ func (r *NodeAuthorizer) authorizeLease(nodeName string, attrs authorizer.Attrib
func (r *NodeAuthorizer) authorizeCSINode(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) { func (r *NodeAuthorizer) authorizeCSINode(nodeName string, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
// allowed verbs: get, create, update, patch, delete // allowed verbs: get, create, update, patch, delete
verb := attrs.GetVerb() verb := attrs.GetVerb()
if verb != "get" && switch verb {
verb != "create" && case "get", "create", "update", "patch", "delete":
verb != "update" && //ok
verb != "patch" && default:
verb != "delete" {
klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs) klog.V(2).Infof("NODE DENY: %s %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a CSINode", nil return authorizer.DecisionNoOpinion, "can only get, create, update, patch, or delete a CSINode", nil
} }