github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #108146 from marosset/windows-kubelet-elevated-check

Browse Source 
Fixing logic for kubelet permissions check on windows
This commit is contained in:
Kubernetes Prow Robot 2022-03-29 17:34:40 -07:00 committed by GitHub
commit faf7ad6120
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
cmd/kubelet/app/server_windows.go
View File

@ -20,66 +20,27 @@ limitations under the License.
package app
import (
"fmt"
"errors"
"os/user"
"golang.org/x/sys/windows"
"k8s.io/klog/v2"
)
func isAdmin() (bool, error) {
// Get current user
func checkPermissions() error {
u, err := user.Current()
if err != nil {
return false, fmt.Errorf("error retrieving current user: %s", err)
}
// Get IDs of group user is a member of
ids, err := u.GroupIds()
if err != nil {
return false, fmt.Errorf("error retrieving group ids: %s", err)
klog.ErrorS(err, "Unable to get current user")
return err
}
// Check for existence of BUILTIN\ADMINISTRATORS group id
for i := range ids {
// BUILTIN\ADMINISTRATORS
if "S-1-5-32-544" == ids[i] {
return true, nil
}
}
return false, nil
}
// For Windows user.UserName contains the login name and user.Name contains
// the user's display name - https://pkg.go.dev/os/user#User
klog.InfoS("Kubelet is running as", "login name", u.Username, "dispaly name", u.Name)
func checkPermissions() error {
//https://github.com/golang/go/issues/28804#issuecomment-505326268
var sid *windows.SID
var userIsAdmin bool
// https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-checktokenmembership
err := windows.AllocateAndInitializeSid(
&windows.SECURITY_NT_AUTHORITY,
2,
windows.SECURITY_BUILTIN_DOMAIN_RID,
windows.DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&sid)
if err != nil {
return fmt.Errorf("error while checking for elevated permissions: %s", err)
}
//We must free the sid to prevent security token leaks
defer windows.FreeSid(sid)
token := windows.Token(0)
userIsAdmin, err = isAdmin()
if err != nil {
return fmt.Errorf("error while checking admin group membership: %s", err)
}
member, err := token.IsMember(sid)
if err != nil {
return fmt.Errorf("error while checking for elevated permissions: %s", err)
}
if !member {
return fmt.Errorf("kubelet needs to run with administrator permissions. Run as admin is: %t, User in admin group: %t", member, userIsAdmin)
if !windows.GetCurrentProcessToken().IsElevated() {
return errors.New("kubelet needs to run with elevated permissions!")
}
return nil