Indicate node authorizer does not support rule resolution

2025-07-22 11:21:47 +00:00 · 2020-05-12 13:40:25 -04:00 · 2020-05-12 13:40:25 -04:00 · fd78947489
commit fd78947489
parent 0a6c826d3e
5 changed files with 18 additions and 4 deletions
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@ -86,6 +86,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 			)
 			nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
 			authorizers = append(authorizers, nodeAuthorizer)
+			ruleResolvers = append(ruleResolvers, nodeAuthorizer)

 		case modes.ModeAlwaysAllow:
 			alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@ -52,6 +52,7 @@ go_library(
        "//staging/src/k8s.io/api/rbac/v1:go_default_library",
        "//staging/src/k8s.io/api/storage/v1:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
        "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
        "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
--- a/plugin/pkg/auth/authorizer/node/graph_test.go
+++ b/plugin/pkg/auth/authorizer/node/graph_test.go
@ -188,7 +188,7 @@ func TestIndex(t *testing.T) {
 	g := NewGraph()
 	g.destinationEdgeThreshold = 3

-	a := NewAuthorizer(g, nil, nil).(*NodeAuthorizer)
+	a := NewAuthorizer(g, nil, nil)

 	addPod := func(podNumber, nodeNumber int) {
 		t.Helper()
--- a/plugin/pkg/auth/authorizer/node/node_authorizer.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer.go
@ -24,6 +24,7 @@ import (

 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/component-base/featuregate"
@ -58,8 +59,11 @@ type NodeAuthorizer struct {
 	features featuregate.FeatureGate
 }

+var _ = authorizer.Authorizer(&NodeAuthorizer{})
+var _ = authorizer.RuleResolver(&NodeAuthorizer{})
+
 // NewAuthorizer returns a new node authorizer
-func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer {
+func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer {
 	return &NodeAuthorizer{
 		graph:      graph,
 		identifier: identifier,
@ -79,6 +83,14 @@ var (
 	csiNodeResource   = storageapi.Resource("csinodes")
 )

+func (r *NodeAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+	if _, isNode := r.identifier.NodeIdentity(user); isNode {
+		// indicate nodes do not have fully enumerated permissions
+		return nil, nil, true, fmt.Errorf("node authorizer does not support user rule resolution")
+	}
+	return nil, nil, false, nil
+}
+
 func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
 	nodeName, isNode := r.identifier.NodeIdentity(attrs.GetUser())
 	if !isNode {
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@ -82,7 +82,7 @@ func TestAuthorizer(t *testing.T) {
 	populate(g, nodes, pods, pvs, attachments)

 	identifier := nodeidentifier.NewDefaultNodeIdentifier()
-	authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
+	authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())

 	node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}

@ -671,7 +671,7 @@ func BenchmarkAuthorization(b *testing.B) {
 	populate(g, nodes, pods, pvs, attachments)

 	identifier := nodeidentifier.NewDefaultNodeIdentifier()
-	authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
+	authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())

 	node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}