Merge pull request #80007 from liggitt/populate-version-authorization-check

Populate API version in synthetic authorization requests
Kubernetes Prow Robot 2019-07-10 22:59:07 -07:00 committed by GitHub
commit ab960c612c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 2 deletions


@ -80,6 +80,7 @@ func RoleEscalationAuthorized(ctx context.Context, a authorizer.Authorizer) bool
User: user, User: user,
Verb: "escalate", Verb: "escalate",
APIGroup: requestInfo.APIGroup, APIGroup: requestInfo.APIGroup,
APIVersion: "*",
Resource: requestInfo.Resource, Resource: requestInfo.Resource,
Name: requestInfo.Name, Name: requestInfo.Name,
Namespace: requestInfo.Namespace, Namespace: requestInfo.Namespace,
@ -122,10 +123,12 @@ func BindingAuthorized(ctx context.Context, roleRef rbac.RoleRef, bindingNamespa
switch roleRef.Kind { switch roleRef.Kind {
case "ClusterRole": case "ClusterRole":
attrs.APIGroup = roleRef.APIGroup attrs.APIGroup = roleRef.APIGroup
attrs.APIVersion = "*"
attrs.Resource = "clusterroles" attrs.Resource = "clusterroles"
attrs.Name = roleRef.Name attrs.Name = roleRef.Name
case "Role": case "Role":
attrs.APIGroup = roleRef.APIGroup attrs.APIGroup = roleRef.APIGroup
attrs.APIVersion = "*"
attrs.Resource = "roles" attrs.Resource = "roles"
attrs.Name = roleRef.Name attrs.Name = roleRef.Name
default: default:
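Review bot: The `APIVersion: "*"` lines added in RoleEscalationAuthorized and in both the ClusterRole and Role cases of BindingAuthorized (and the identical line in buildAttributes in the second file) give no reason for a wildcard over the version of the object being authorized, while the impersonation handler in the third file fills in the concrete `gvk.Version`; a reader comparing the two cannot tell whether the difference is deliberate. I would put above the first occurrence `// APIVersion is "*": this synthetic check is not tied to one version, so a version-aware authorizer presumably has to permit the resource across all versions (confirm against the authorizer contract).` and either a one-line pointer at the other sites or a shared constant so the four literals cannot drift apart. The `default:` branch of the switch in BindingAuthorized lies outside the hunk, so whether it leaves APIVersion empty for other kinds cannot be confirmed from here; if it does, that path would still send an unset version to the authorizer. Both enclosing functions begin and end outside the hunks.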


@ -373,6 +373,7 @@ func buildAttributes(info user.Info, namespace, policyName, apiGroupName string)
Namespace: namespace, Namespace: namespace,
Name: policyName, Name: policyName,
APIGroup: apiGroupName, APIGroup: apiGroupName,
APIVersion: "*",
Resource: "podsecuritypolicies", Resource: "podsecuritypolicies",
ResourceRequest: true, ResourceRequest: true,
} }


@ -68,16 +68,18 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
groups := []string{} groups := []string{}
userExtra := map[string][]string{} userExtra := map[string][]string{}
for _, impersonationRequest := range impersonationRequests { for _, impersonationRequest := range impersonationRequests {
gvk := impersonationRequest.GetObjectKind().GroupVersionKind()
actingAsAttributes := &authorizer.AttributesRecord{ actingAsAttributes := &authorizer.AttributesRecord{
User: requestor, User: requestor,
Verb: "impersonate", Verb: "impersonate",
APIGroup: impersonationRequest.GetObjectKind().GroupVersionKind().Group, APIGroup: gvk.Group,
APIVersion: gvk.Version,
Namespace: impersonationRequest.Namespace, Namespace: impersonationRequest.Namespace,
Name: impersonationRequest.Name, Name: impersonationRequest.Name,
ResourceRequest: true, ResourceRequest: true,
} }
switch impersonationRequest.GetObjectKind().GroupVersionKind().GroupKind() { switch gvk.GroupKind() {
case v1.SchemeGroupVersion.WithKind("ServiceAccount").GroupKind(): case v1.SchemeGroupVersion.WithKind("ServiceAccount").GroupKind():
actingAsAttributes.Resource = "serviceaccounts" actingAsAttributes.Resource = "serviceaccounts"
username = serviceaccount.MakeUsername(impersonationRequest.Namespace, impersonationRequest.Name) username = serviceaccount.MakeUsername(impersonationRequest.Namespace, impersonationRequest.Name)