github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2026-01-04 15:05:20 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #34381 from liggitt/kubelet-auth

Browse Source 
Automatic merge from submit-queue

kubelet authn/authz

Implements https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/kubelet-auth.md

Part of [Authenticated/Authorized access to kubelet API](https://github.com/kubernetes/features/issues/89) feature
This commit is contained in:
Kubernetes Submit Queue
2016-10-25 17:40:27 -07:00
committed by GitHub
parent b23798d4b5 c83f5804d2
commit a898f3d996
19 changed files with 6087 additions and 3643 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
pkg/kubelet/server/server_test.go
View File

@@ -605,10 +605,56 @@ func TestAuthFilters(t *testing.T) {
}
}
methodToAPIVerb := map[string]string{"GET": "get", "POST": "create", "PUT": "update"}
pathToSubresource := func(path string) string {
switch {
// Cases for subpaths we expect specific subresources for
case isSubpath(path, statsPath):
return "stats"
case isSubpath(path, specPath):
return "spec"
case isSubpath(path, logsPath):
return "log"
case isSubpath(path, metricsPath):
return "metrics"
// Cases for subpaths we expect to map to the "proxy" subresource
case isSubpath(path, "/attach"),
isSubpath(path, "/configz"),
isSubpath(path, "/containerLogs"),
isSubpath(path, "/debug"),
isSubpath(path, "/exec"),
isSubpath(path, "/healthz"),
isSubpath(path, "/pods"),
isSubpath(path, "/portForward"),
isSubpath(path, "/run"),
isSubpath(path, "/runningpods"):
return "proxy"
default:
panic(fmt.Errorf(`unexpected kubelet API path %s.
The kubelet API has likely registered a handler for a new path.
If the new path has a use case for partitioned authorization when requested from the kubelet API,
add a specific subresource for it in auth.go#GetRequestAttributes() and in TestAuthFilters().
Otherwise, add it to the expected list of paths that map to the "proxy" subresource in TestAuthFilters().`, path))
}
}
attributesGetter := NewNodeAuthorizerAttributesGetter(types.NodeName("test"))
for _, tc := range testcases {
var (
expectedUser = &user.DefaultInfo{Name: "test"}
expectedAttributes = &authorizer.AttributesRecord{User: expectedUser}
expectedAttributes = authorizer.AttributesRecord{
User: expectedUser,
APIGroup: "",
APIVersion: "v1",
Verb: methodToAPIVerb[tc.Method],
Resource: "nodes",
Name: "test",
Subresource: pathToSubresource(tc.Path),
ResourceRequest: true,
Path: tc.Path,
}
calledAuthenticate = false
calledAuthorize = false
@@ -624,12 +670,12 @@ func TestAuthFilters(t *testing.T) {
if u != expectedUser {
t.Fatalf("%s: expected user %v, got %v", tc.Path, expectedUser, u)
}
return expectedAttributes
return attributesGetter.GetRequestAttributes(u, req)
}
fw.fakeAuth.authorizeFunc = func(a authorizer.Attributes) (authorized bool, reason string, err error) {
calledAuthorize = true
if a != expectedAttributes {
t.Fatalf("%s: expected attributes %v, got %v", tc.Path, expectedAttributes, a)
t.Fatalf("%s: expected attributes\n\t%#v\ngot\n\t%#v", tc.Path, expectedAttributes, a)
}
return false, "", nil
}