Indicate node authorizer does not support rule resolution
This commit is contained in:
parent
0a6c826d3e
commit
fd78947489
@ -86,6 +86,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
)
nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
authorizers = append(authorizers, nodeAuthorizer)
ruleResolvers = append(ruleResolvers, nodeAuthorizer)
case modes.ModeAlwaysAllow:
alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
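Review bot: The `ruleResolvers = append(ruleResolvers, nodeAuthorizer)` line (presumably the addition in this hunk) registers a resolver that never yields any rules, which is not obvious to a reader of this function and deserves a why-comment, e.g. `// registered so rule resolution reports node permissions as incomplete rather than empty (see NodeAuthorizer.RulesFor)`. Config.New starts and ends outside the hunk, so the surrounding handling of ruleResolvers cannot be checked here.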
@ -52,6 +52,7 @@ go_library(
"//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/storage/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
@ -188,7 +188,7 @@ func TestIndex(t *testing.T) {
g := NewGraph()
g.destinationEdgeThreshold = 3
a := NewAuthorizer(g, nil, nil).(*NodeAuthorizer)
a := NewAuthorizer(g, nil, nil)
addPod := func(podNumber, nodeNumber int) {
t.Helper()
@ -24,6 +24,7 @@ import (
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/component-base/featuregate"
@ -58,8 +59,11 @@ type NodeAuthorizer struct {
features featuregate.FeatureGate
}
var _ = authorizer.Authorizer(&NodeAuthorizer{})
var _ = authorizer.RuleResolver(&NodeAuthorizer{})
// NewAuthorizer returns a new node authorizer
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer {
func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer {
return &NodeAuthorizer{
graph: graph,
identifier: identifier,
@ -79,6 +83,14 @@ var (
csiNodeResource = storageapi.Resource("csinodes")
)
func (r *NodeAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
if _, isNode := r.identifier.NodeIdentity(user); isNode {
// indicate nodes do not have fully enumerated permissions
return nil, nil, true, fmt.Errorf("node authorizer does not support user rule resolution")
}
return nil, nil, false, nil
}
func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
nodeName, isNode := r.identifier.NodeIdentity(attrs.GetUser())
if !isNode {
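Review bot: The new exported method RulesFor has no doc comment, and its parameter `user user.Info` shadows the `user` package that this commit adds to the imports, so nothing from that package can be referenced inside the body; rename it, e.g. `func (r *NodeAuthorizer) RulesFor(u user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {` with `if _, isNode := r.identifier.NodeIdentity(u); isNode {`. As the doc comment I would add `// RulesFor never enumerates rules. For node identities it reports the result as incomplete together with an error, because node permissions are not fully enumerable; for every other user it reports no rules and a complete result.`, which is what the existing inline comment on the node branch says. The return line uses `fmt`, which is not visible in the import hunk above; presumably it is already imported elsewhere in the file, but worth confirming. The same interface-conformance style (`var _ = authorizer.RuleResolver(&NodeAuthorizer{})`) and the NewAuthorizer return-type change in the earlier hunk look consistent with the file's existing conventions.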
@ -82,7 +82,7 @@ func TestAuthorizer(t *testing.T) {
populate(g, nodes, pods, pvs, attachments)
identifier := nodeidentifier.NewDefaultNodeIdentifier()
authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())
node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}
@ -671,7 +671,7 @@ func BenchmarkAuthorization(b *testing.B) {
populate(g, nodes, pods, pvs, attachments)
identifier := nodeidentifier.NewDefaultNodeIdentifier()
authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())
node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}