Merge pull request #108146 from marosset/windows-kubelet-elevated-check

Fixing logic for kubelet permissions check on Windows
Kubernetes Prow Robot 2022-03-29 17:34:40 -07:00 committed by GitHub
commit faf7ad6120
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -20,66 +20,27 @@ limitations under the License.
package app package app
import ( import (
"fmt" "errors"
"os/user" "os/user"
"golang.org/x/sys/windows" "golang.org/x/sys/windows"
"k8s.io/klog/v2"
) )
func isAdmin() (bool, error) { func checkPermissions() error {
// Get current user
u, err := user.Current() u, err := user.Current()
if err != nil { if err != nil {
return false, fmt.Errorf("error retrieving current user: %s", err) klog.ErrorS(err, "Unable to get current user")
} return err
// Get IDs of group user is a member of
ids, err := u.GroupIds()
if err != nil {
return false, fmt.Errorf("error retrieving group ids: %s", err)
} }
// Check for existence of BUILTIN\ADMINISTRATORS group id // For Windows user.UserName contains the login name and user.Name contains
for i := range ids { // the user's display name - https://pkg.go.dev/os/user#User
// BUILTIN\ADMINISTRATORS klog.InfoS("Kubelet is running as", "login name", u.Username, "dispaly name", u.Name)
if "S-1-5-32-544" == ids[i] {
return true, nil
}
}
return false, nil
}
func checkPermissions() error { if !windows.GetCurrentProcessToken().IsElevated() {
//https://github.com/golang/go/issues/28804#issuecomment-505326268 return errors.New("kubelet needs to run with elevated permissions!")
var sid *windows.SID
var userIsAdmin bool
// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
err := windows.AllocateAndInitializeSid(
&windows.SECURITY_NT_AUTHORITY,
2,
windows.SECURITY_BUILTIN_DOMAIN_RID,
windows.DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&sid)
if err != nil {
return fmt.Errorf("error while checking for elevated permissions: %s", err)
}
//We must free the sid to prevent security token leaks
defer windows.FreeSid(sid)
token := windows.Token(0)
userIsAdmin, err = isAdmin()
if err != nil {
return fmt.Errorf("error while checking admin group membership: %s", err)
}
member, err := token.IsMember(sid)
if err != nil {
return fmt.Errorf("error while checking for elevated permissions: %s", err)
}
if !member {
return fmt.Errorf("kubelet needs to run with administrator permissions. Run as admin is: %t, User in admin group: %t", member, userIsAdmin)
} }
return nil return nil