add superuser fallback to authorizer (#111558)
* add superuser fallback to authorizer
* change the order of authorizers
* change the order of authorizers
* remove the duplicate superuser authorizer
* add integration test for superuser permissions
This commit is contained in:
parent
7dee7c8a6f
commit
f86acbad68
@ -23,6 +23,7 @@ import (
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
"k8s.io/apiserver/pkg/authorization/union"
|
||||
@ -79,6 +80,10 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
|
||||
ruleResolvers []authorizer.RuleResolver
|
||||
)
|
||||
|
||||
// Add SystemPrivilegedGroup as an authorizing group
|
||||
superuserAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
authorizers = append(authorizers, superuserAuthorizer)
|
||||
|
||||
for _, authorizationMode := range config.AuthorizationModes {
|
||||
// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
|
||||
switch authorizationMode {
|
||||
|
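Review bot: The superuser authorizer is appended before the loop over config.AuthorizationModes, so in the resulting union it is consulted ahead of every configured mode, and the one-line comment above it does not say that this ordering is deliberate; a reader could reasonably move it after the loop and silently change who can be denied. Since a privileged-group authorizer allows members of the group and the union stops at the first definite decision, placing it first means system:masters is allowed before AlwaysDeny, a webhook or RBAC gets a say, which is also what the per-token wrap removed from AuthorizeClientBearerToken in this commit used to do. I would extend the comment to `// Add SystemPrivilegedGroup as an authorizing group. It goes first so that` / `// system:masters is allowed before any configured mode (AlwaysDeny, webhook, RBAC)` / `// can deny it; this replaces the per-token wrap formerly in AuthorizeClientBearerToken.`. Note also that it is appended to authorizers but not to ruleResolvers, so rule resolution for system:masters presumably reflects only the configured modes — worth a sentence in the same comment if NewPrivilegedGroups does not implement RuleResolver. Config.New begins before this hunk and continues after it.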
@ -46,8 +46,6 @@ import (
|
||||
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
|
||||
"k8s.io/apiserver/pkg/endpoints/discovery"
|
||||
"k8s.io/apiserver/pkg/endpoints/filterlatency"
|
||||
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
|
||||
@ -971,7 +969,4 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
|
||||
|
||||
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
|
||||
authn.Authenticator = authenticatorunion.New(tokenAuthenticator, authn.Authenticator)
|
||||
|
||||
tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
|
||||
authz.Authorizer = authorizerunion.New(tokenAuthorizer, authz.Authorizer)
|
||||
}
|
||||
|
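Review bot: After this hunk AuthorizeClientBearerToken only wraps the authenticator, yet it still places the loopback user in SystemPrivilegedGroup and, as far as this hunk shows, still takes the authz argument; the doc comment and the nil guard on authz, both above the hunk, presumably still describe and require authorizer wrapping and should be revisited. This is the generic apiserver library, so any caller that builds its own authorizer rather than going through the kube-apiserver authorizer Config now has to admit SystemPrivilegedGroup itself or its loopback client stops being authorized. I would state that contract in the function's doc comment, e.g. `// The loopback user is added to SystemPrivilegedGroup; authorizing that group is the` / `// caller's authorizer's responsibility (kube-apiserver does this in its authorizer Config).`. If the guard on authz.Authorizer == nil still gates the authenticator wrap, that coupling is now accidental and deserves either a comment or removal. The function's signature and preamble are outside the hunk.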
@ -60,6 +60,11 @@ func TestCSRSignerNameSigningPlugin(t *testing.T) {
|
||||
defer s.TearDownFn()
|
||||
client := clientset.NewForConfigOrDie(s.ClientConfig)
|
||||
|
||||
// Drop the default RBAC superuser permissions to rely on the internal superuser authorizer
|
||||
if err := client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), "cluster-admin", metav1.DeleteOptions{}); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Grant 'test-user' permission to sign CertificateSigningRequests with the specified signerName.
|
||||
const username = "test-user"
|
||||
grantUserPermissionToSignFor(t, client, username, test.allowedSignerName)
|
||||
@ -100,6 +105,12 @@ dgA7Fe4tMAoGCCqGSM49BAMCA0gAMEUCIQCTT1YWQZaAqfQ2oBxzOkJE2BqLFxhz
|
||||
-----END CERTIFICATE-----
|
||||
Trailing non-PEM content
|
||||
`)
|
||||
|
||||
// superuser should always have permission to sign; dry-run so we don't actually modify the CSR so the non-superuser can attempt as well
|
||||
if _, err := client.CertificatesV1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{DryRun: []string{metav1.DryRunAll}}); err != nil {
|
||||
t.Errorf("expected no superuser error but got: %v", err)
|
||||
}
|
||||
|
||||
_, err := testuserClient.CertificatesV1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{})
|
||||
if err != nil && test.error != err.Error() {
|
||||
t.Errorf("expected error %q but got: %v", test.error, err)
|
||||
|
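Review bot: The comment before the cluster-admin deletion says the test now relies on the internal superuser authorizer, but nothing in the hunk records which identity `client` runs as, so the dry-run UpdateStatus that follows reads as an RBAC check to anyone who does not know the test server's loopback user is in system:masters. I would make that explicit on the superuser assertion: `// client runs as the test server's privileged loopback user (system:masters),` / `// so this exercises the in-process superuser authorizer rather than RBAC.`. Separately, RBAC decisions presumably come from an informer cache, so a dry-run issued shortly after the binding deletion could still be allowed by stale RBAC state rather than by the new authorizer; if that is a concern, the test could poll until a request that only the binding would have allowed is denied before making the superuser assertion. TestCSRSignerNameSigningPlugin begins before this section and continues past it.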