github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-11-13 14:41:42 +00:00
Code Issues Projects Releases Wiki Activity

node authorizer sets up access rules for dynamic config

Browse Source 
This PR makes the node authorizer automatically set up access rules for
dynamic Kubelet config.

I also added some validation to the node strategy, which I discovered we
were missing while writing this.
This commit is contained in:
Michael Taufen
2018-02-20 11:28:28 -08:00
parent 90c09c75d6
commit ab8dc12333
11 changed files with 523 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
plugin/pkg/auth/authorizer/node/node_authorizer.go
View File

@@ -38,6 +38,7 @@ import (
// 1. If a request is not from a node (NodeIdentity() returns isNode=false), reject
// 2. If a specific node cannot be identified (NodeIdentity() returns nodeName=""), reject
// 3. If a request is for a secret, configmap, persistent volume or persistent volume claim, reject unless the verb is get, and the requested object is related to the requesting node:
// node <- configmap
// node <- pod
// node <- pod <- secret
// node <- pod <- configmap