Merge pull request #38968 from liggitt/anonymous-abac

Automatic merge from submit-queue (batch tested with PRs 36751, 38968)

Convert * users/groups to system:authenticated group in ABAC

Enabling anonymous auth by default in 1.6 requires protecting earlier policies that did not intend to grant access to anonymous users.

This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.

Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992

```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
This commit is contained in:
Kubernetes Submit Queue
2016-12-20 23:31:43 -08:00
committed by GitHub
16 changed files with 591 additions and 73 deletions


@@ -46,6 +46,7 @@ import (
"k8s.io/kubernetes/pkg/auth/authenticator/bearertoken"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/group"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api/v1"
apiserverauthorizer "k8s.io/kubernetes/pkg/genericapiserver/authorizer"
@@ -67,7 +68,7 @@ func getTestTokenAuth() authenticator.Request {
tokenAuthenticator := tokentest.New()
tokenAuthenticator.Tokens[AliceToken] = &user.DefaultInfo{Name: "alice", UID: "1"}
tokenAuthenticator.Tokens[BobToken] = &user.DefaultInfo{Name: "bob", UID: "2"}
return bearertoken.New(tokenAuthenticator)
return group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})
}
func getTestWebhookTokenAuth(serverURL string) (authenticator.Request, error) {
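Review bot: The new `return group.NewGroupAdder(bearertoken.New(tokenAuthenticator), []string{user.AllAuthenticated})` line has no comment saying why the test authenticator now stamps `system:authenticated` onto every token-authenticated user, and the reason is exactly the security change this PR makes: ABAC `"user":"*"` / `"group":"*"` rules no longer match requests without that group, so alice and bob would silently stop matching the test policies without it. A one-line comment above the return such as `// Add system:authenticated so ABAC "*" rules, which no longer match anonymous requests, still apply to token-authenticated test users.` would make that coupling visible to the next person who touches this helper. `getTestWebhookTokenAuth`, which begins on the hunk's last line, has its body outside the hunk; if it feeds the same ABAC policies it presumably needs the same wrapping, which is worth confirming. Whether this PR also adds a test that sends an unauthenticated request against a `"user":"*"` policy and expects it to be rejected is not visible in this section, but that is the negative case that pins the property the release note promises.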


@@ -576,6 +576,7 @@ k8s.io/kubernetes/pkg/apimachinery,gmarek,1
k8s.io/kubernetes/pkg/apimachinery/announced,kargakis,1
k8s.io/kubernetes/pkg/apimachinery/registered,jlowdermilk,1
k8s.io/kubernetes/pkg/apis/abac/v0,liggitt,0
k8s.io/kubernetes/pkg/apis/abac/v1beta1,liggitt,0
k8s.io/kubernetes/pkg/apis/apps/validation,derekwaynecarr,1
k8s.io/kubernetes/pkg/apis/authorization/validation,erictune,0
k8s.io/kubernetes/pkg/apis/autoscaling/v1,yarntime,0
1 name owner auto-assigned
576 k8s.io/kubernetes/pkg/apimachinery/announced kargakis 1
577 k8s.io/kubernetes/pkg/apimachinery/registered jlowdermilk 1
578 k8s.io/kubernetes/pkg/apis/abac/v0 liggitt 0
579 k8s.io/kubernetes/pkg/apis/abac/v1beta1 liggitt 0
580 k8s.io/kubernetes/pkg/apis/apps/validation derekwaynecarr 1
581 k8s.io/kubernetes/pkg/apis/authorization/validation erictune 0
582 k8s.io/kubernetes/pkg/apis/autoscaling/v1 yarntime 0