github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 21:17:23 +00:00
Code Issues Projects Releases Wiki Activity

Allow storage migration of CTB without attest authorization

Browse Source 
Signed-off-by: Monis Khan <mok@microsoft.com>
This commit is contained in:
Monis Khan 2023-09-20 12:26:11 -04:00
parent 7dcb412675
commit e00551fe5d
No known key found for this signature in database
2 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
plugin/pkg/admission/certificates/ctbattest/admission.go
View File

@ -27,7 +27,9 @@ import (
"k8s.io/component-base/featuregate" "k8s.io/component-base/featuregate"
"k8s.io/klog/v2" "k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/certificates" api "k8s.io/kubernetes/pkg/apis/certificates"
kapihelper "k8s.io/kubernetes/pkg/apis/core/helper"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/registry/rbac"
"k8s.io/kubernetes/plugin/pkg/admission/certificates" "k8s.io/kubernetes/plugin/pkg/admission/certificates"
) )
@ -109,6 +111,11 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, _ admissi
return nil return nil
} }
// Skip the attest check when the semantics of the bundle are unchanged to support storage migration and GC workflows
if a.GetOperation() == admission.Update && rbac.IsOnlyMutatingGCFields(a.GetObject(), a.GetOldObject(), kapihelper.Semantic) {
return nil
}
if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "attest", newBundle.Spec.SignerName) { if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "attest", newBundle.Spec.SignerName) {
klog.V(4).Infof("user not permitted to attest ClusterTrustBundle %q with signerName %q", newBundle.Name, newBundle.Spec.SignerName) klog.V(4).Infof("user not permitted to attest ClusterTrustBundle %q with signerName %q", newBundle.Name, newBundle.Spec.SignerName)
return admission.NewForbidden(a, fmt.Errorf("user not permitted to attest for signerName %q", newBundle.Spec.SignerName)) return admission.NewForbidden(a, fmt.Errorf("user not permitted to attest for signerName %q", newBundle.Spec.SignerName))

46
plugin/pkg/admission/certificates/ctbattest/admission_test.go
View File

@ -22,6 +22,7 @@ import (
"fmt" "fmt"
"testing" "testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission" "k8s.io/apiserver/pkg/admission"
@ -206,6 +207,51 @@ func TestPluginValidate(t *testing.T) {
}, },
allowed: false, allowed: false,
}, },
{
description: "should always allow no-op update",
clusterTrustBundleFeatureEnabled: true,
authzErr: errors.New("broken"),
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
oldObj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "panda.com/foo",
},
},
obj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "panda.com/foo",
},
},
operation: admission.Update,
},
allowed: true,
},
{
description: "should always allow finalizer update",
clusterTrustBundleFeatureEnabled: true,
authzErr: errors.New("broken"),
attributes: &testAttributes{
resource: certificatesapi.Resource("clustertrustbundles"),
oldObj: &certificatesapi.ClusterTrustBundle{
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "panda.com/foo",
},
},
obj: &certificatesapi.ClusterTrustBundle{
ObjectMeta: metav1.ObjectMeta{
OwnerReferences: []metav1.OwnerReference{
{APIVersion: "something"},
},
},
Spec: certificatesapi.ClusterTrustBundleSpec{
SignerName: "panda.com/foo",
},
},
operation: admission.Update,
},
allowed: true,
},
} }
for _, tc := range tests { for _, tc := range tests {