Merge pull request #80007 from liggitt/populate-version-authorization-check

Populate API version in synthetic authorization requests
Kubernetes Prow Robot 2019-07-10 22:59:07 -07:00 committed by GitHub
commit ab960c612c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 2 deletions


@ -80,6 +80,7 @@ func RoleEscalationAuthorized(ctx context.Context, a authorizer.Authorizer) bool
User: user,
Verb: "escalate",
APIGroup: requestInfo.APIGroup,
APIVersion: "*",
Resource: requestInfo.Resource,
Name: requestInfo.Name,
Namespace: requestInfo.Namespace,
@ -122,10 +123,12 @@ func BindingAuthorized(ctx context.Context, roleRef rbac.RoleRef, bindingNamespa
switch roleRef.Kind {
case "ClusterRole":
attrs.APIGroup = roleRef.APIGroup
attrs.APIVersion = "*"
attrs.Resource = "clusterroles"
attrs.Name = roleRef.Name
case "Role":
attrs.APIGroup = roleRef.APIGroup
attrs.APIVersion = "*"
attrs.Resource = "roles"
attrs.Name = roleRef.Name
default:
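Review bot: The new wildcard assignments (`APIVersion: "*"` in the escalate record of RoleEscalationAuthorized, `attrs.APIVersion = "*"` in both cases of BindingAuthorized, and the same literal in buildAttributes in the next file) carry no comment saying why a wildcard is sent rather than a concrete version, even though the escalate record takes its group from `requestInfo.APIGroup`. An external authorizer whose policy matches on exact version strings will receive `*` for these synthetic checks, so the intent should be recorded at the first use, for example `// synthetic check, not tied to a served version: ask for any version of the resource`. In BindingAuthorized the ClusterRole and Role cases now repeat the same assignment; if the attrs record built above the switch (outside this hunk) can carry the field, setting it once there would stop the two cases drifting apart. Both function bodies continue outside the hunks shown, so the handling of the `default:` case is not visible here.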


@ -373,6 +373,7 @@ func buildAttributes(info user.Info, namespace, policyName, apiGroupName string)
Namespace: namespace,
Name: policyName,
APIGroup: apiGroupName,
APIVersion: "*",
Resource: "podsecuritypolicies",
ResourceRequest: true,
}


@ -68,16 +68,18 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
groups := []string{}
userExtra := map[string][]string{}
for _, impersonationRequest := range impersonationRequests {
gvk := impersonationRequest.GetObjectKind().GroupVersionKind()
actingAsAttributes := &authorizer.AttributesRecord{
User: requestor,
Verb: "impersonate",
APIGroup: impersonationRequest.GetObjectKind().GroupVersionKind().Group,
APIGroup: gvk.Group,
APIVersion: gvk.Version,
Namespace: impersonationRequest.Namespace,
Name: impersonationRequest.Name,
ResourceRequest: true,
}
switch impersonationRequest.GetObjectKind().GroupVersionKind().GroupKind() {
switch gvk.GroupKind() {
case v1.SchemeGroupVersion.WithKind("ServiceAccount").GroupKind():
actingAsAttributes.Resource = "serviceaccounts"
username = serviceaccount.MakeUsername(impersonationRequest.Namespace, impersonationRequest.Name)