add selfsubjectrulesreview api

2025-10-21 22:49:31 +00:00 · 2017-07-14 11:24:27 +08:00
parent 6a845c67f0
commit f14c138438
28 changed files with 951 additions and 33 deletions
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -56,17 +56,20 @@ type AuthorizationConfig struct {

 // New returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error.
-func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
+func (config AuthorizationConfig) New() (authorizer.Authorizer, authorizer.RuleResolver, error) {
 	if len(config.AuthorizationModes) == 0 {
-		return nil, errors.New("At least one authorization mode should be passed")
+		return nil, nil, errors.New("At least one authorization mode should be passed")
 	}

-	var authorizers []authorizer.Authorizer
+	var (
+		authorizers   []authorizer.Authorizer
+		ruleResolvers []authorizer.RuleResolver
+	)
 	authorizerMap := make(map[string]bool)

 	for _, authorizationMode := range config.AuthorizationModes {
 		if authorizerMap[authorizationMode] {
-			return nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode)
+			return nil, nil, fmt.Errorf("Authorization mode %s specified more than once", authorizationMode)
 		}
 		// Keep cases in sync with constant list above.
 		switch authorizationMode {
@@ -81,29 +84,35 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 			authorizers = append(authorizers, nodeAuthorizer)

 		case modes.ModeAlwaysAllow:
-			authorizers = append(authorizers, authorizerfactory.NewAlwaysAllowAuthorizer())
+			alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
+			authorizers = append(authorizers, alwaysAllowAuthorizer)
+			ruleResolvers = append(ruleResolvers, alwaysAllowAuthorizer)
 		case modes.ModeAlwaysDeny:
-			authorizers = append(authorizers, authorizerfactory.NewAlwaysDenyAuthorizer())
+			alwaysDenyAuthorizer := authorizerfactory.NewAlwaysDenyAuthorizer()
+			authorizers = append(authorizers, alwaysDenyAuthorizer)
+			ruleResolvers = append(ruleResolvers, alwaysDenyAuthorizer)
 		case modes.ModeABAC:
 			if config.PolicyFile == "" {
-				return nil, errors.New("ABAC's authorization policy file not passed")
+				return nil, nil, errors.New("ABAC's authorization policy file not passed")
 			}
 			abacAuthorizer, err := abac.NewFromFile(config.PolicyFile)
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			authorizers = append(authorizers, abacAuthorizer)
+			ruleResolvers = append(ruleResolvers, abacAuthorizer)
 		case modes.ModeWebhook:
 			if config.WebhookConfigFile == "" {
-				return nil, errors.New("Webhook's configuration file not passed")
+				return nil, nil, errors.New("Webhook's configuration file not passed")
 			}
 			webhookAuthorizer, err := webhook.New(config.WebhookConfigFile,
 				config.WebhookCacheAuthorizedTTL,
 				config.WebhookCacheUnauthorizedTTL)
 			if err != nil {
-				return nil, err
+				return nil, nil, err
 			}
 			authorizers = append(authorizers, webhookAuthorizer)
+			ruleResolvers = append(ruleResolvers, webhookAuthorizer)
 		case modes.ModeRBAC:
 			rbacAuthorizer := rbac.New(
 				&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
@@ -112,18 +121,19 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 				&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
 			)
 			authorizers = append(authorizers, rbacAuthorizer)
+			ruleResolvers = append(ruleResolvers, rbacAuthorizer)
 		default:
-			return nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode)
+			return nil, nil, fmt.Errorf("Unknown authorization mode %s specified", authorizationMode)
 		}
 		authorizerMap[authorizationMode] = true
 	}

 	if !authorizerMap[modes.ModeABAC] && config.PolicyFile != "" {
-		return nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
+		return nil, nil, errors.New("Cannot specify --authorization-policy-file without mode ABAC")
 	}
 	if !authorizerMap[modes.ModeWebhook] && config.WebhookConfigFile != "" {
-		return nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
+		return nil, nil, errors.New("Cannot specify --authorization-webhook-config-file without mode Webhook")
 	}

-	return union.New(authorizers...), nil
+	return union.New(authorizers...), union.NewRuleResolvers(ruleResolvers...), nil
 }
--- a/pkg/kubeapiserver/authorizer/config_test.go
+++ b/pkg/kubeapiserver/authorizer/config_test.go
@@ -91,7 +91,7 @@ func TestNew(t *testing.T) {
 	}

 	for _, tt := range tests {
-		_, err := tt.config.New()
+		_, _, err := tt.config.New()
 		if tt.wantErr && (err == nil) {
 			t.Errorf("New %s", tt.msg)
 		} else if !tt.wantErr && (err != nil) {