From fd789474893e42c8b6f0cd39da842085412b2d7d Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Tue, 12 May 2020 13:40:25 -0400
Subject: [PATCH] Indicate node authorizer does not support rule resolution
---
 pkg/kubeapiserver/authorizer/config.go | 1 +
 plugin/pkg/auth/authorizer/node/BUILD | 1 +
 plugin/pkg/auth/authorizer/node/graph_test.go | 2 +-
 plugin/pkg/auth/authorizer/node/node_authorizer.go | 14 +++++++++++++-
 .../auth/authorizer/node/node_authorizer_test.go | 4 ++--
 5 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index cdbc11f48f3..0a1b1ca85c2 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -86,6 +86,7 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
 )
 nodeAuthorizer := node.NewAuthorizer(graph, nodeidentifier.NewDefaultNodeIdentifier(), bootstrappolicy.NodeRules())
 authorizers = append(authorizers, nodeAuthorizer)
+ ruleResolvers = append(ruleResolvers, nodeAuthorizer)
 case modes.ModeAlwaysAllow:
 alwaysAllowAuthorizer := authorizerfactory.NewAlwaysAllowAuthorizer()
diff --git a/plugin/pkg/auth/authorizer/node/BUILD b/plugin/pkg/auth/authorizer/node/BUILD
index 44e712e0be5..ad0320bc581 100644
--- a/plugin/pkg/auth/authorizer/node/BUILD
+++ b/plugin/pkg/auth/authorizer/node/BUILD
@@ -52,6 +52,7 @@ go_library(
 "//staging/src/k8s.io/api/rbac/v1:go_default_library",
 "//staging/src/k8s.io/api/storage/v1:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
 "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/node/graph_test.go b/plugin/pkg/auth/authorizer/node/graph_test.go
index 7581343c63a..cb1dc31d792 100644
--- a/plugin/pkg/auth/authorizer/node/graph_test.go
+++ b/plugin/pkg/auth/authorizer/node/graph_test.go
@@ -188,7 +188,7 @@ func TestIndex(t *testing.T) {
 g := NewGraph()
 g.destinationEdgeThreshold = 3
- a := NewAuthorizer(g, nil, nil).(*NodeAuthorizer)
+ a := NewAuthorizer(g, nil, nil)
 addPod := func(podNumber, nodeNumber int) {
 t.Helper()
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer.go b/plugin/pkg/auth/authorizer/node/node_authorizer.go
index ff7b709d28b..b48a66188c7 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer.go
@@ -24,6 +24,7 @@ import (
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/component-base/featuregate"
@@ -58,8 +59,11 @@ type NodeAuthorizer struct {
 features featuregate.FeatureGate
 }
+var _ = authorizer.Authorizer(&NodeAuthorizer{})
+var _ = authorizer.RuleResolver(&NodeAuthorizer{})
+
 // NewAuthorizer returns a new node authorizer
-func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) authorizer.Authorizer {
+func NewAuthorizer(graph *Graph, identifier nodeidentifier.NodeIdentifier, rules []rbacv1.PolicyRule) *NodeAuthorizer {
 return &NodeAuthorizer{
 graph: graph,
 identifier: identifier,
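Review bot: The two interface-satisfaction guards in the `@@ -58,8 +59,11 @@` hunk, `var _ = authorizer.Authorizer(&NodeAuthorizer{})` and `var _ = authorizer.RuleResolver(&NodeAuthorizer{})`, are written as conversions of a freshly allocated struct rather than in the conventional typed-nil form `var _ authorizer.Authorizer = (*NodeAuthorizer)(nil)` and `var _ authorizer.RuleResolver = (*NodeAuthorizer)(nil)`. Both compile and both assert the same thing, but the typed-nil form makes it obvious that this is a compile-time check with no runtime value, and it reads unambiguously as "pointer receiver satisfies the interface". A one-line comment above them, `// NodeAuthorizer must implement both the Authorizer and RuleResolver interfaces.`, would also explain to a later reader why a RuleResolver is wired into an authorizer plugin. The doc comment on the changed `NewAuthorizer` signature is still missing its terminating period (`// NewAuthorizer returns a new node authorizer.`).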
@@ -79,6 +83,14 @@ var (
 csiNodeResource = storageapi.Resource("csinodes")
 )
+func (r *NodeAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+ if _, isNode := r.identifier.NodeIdentity(user); isNode {
+ // indicate nodes do not have fully enumerated permissions
+ return nil, nil, true, fmt.Errorf("node authorizer does not support user rule resolution")
+ }
+ return nil, nil, false, nil
+}
+
 func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
 nodeName, isNode := r.identifier.NodeIdentity(attrs.GetUser())
 if !isNode {
diff --git a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
index 9490026b567..7cef6b27cec 100644
--- a/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
+++ b/plugin/pkg/auth/authorizer/node/node_authorizer_test.go
@@ -82,7 +82,7 @@ func TestAuthorizer(t *testing.T) {
 populate(g, nodes, pods, pvs, attachments)
 identifier := nodeidentifier.NewDefaultNodeIdentifier()
- authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
+ authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())
 node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}
@@ -671,7 +671,7 @@ func BenchmarkAuthorization(b *testing.B) {
 populate(g, nodes, pods, pvs, attachments)
 identifier := nodeidentifier.NewDefaultNodeIdentifier()
- authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules()).(*NodeAuthorizer)
+ authz := NewAuthorizer(g, identifier, bootstrappolicy.NodeRules())
 node0 := &user.DefaultInfo{Name: "system:node:node0", Groups: []string{"system:nodes"}}
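Review bot: In the new `RulesFor`, the parameter named `user` shadows the `user` package that the earlier import hunk of this patch adds to the same file, so inside the body the package is unreachable and a reader has to disambiguate `user` the value from `user.Info` the type; rename it, e.g. `func (r *NodeAuthorizer) RulesFor(u user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {` and `if _, isNode := r.identifier.NodeIdentity(u); isNode {`. The exported method also has no doc comment; something like `// RulesFor cannot enumerate a node's permissions: for node identities it returns incomplete=true together with an error so callers do not mistake the empty rule lists for an authoritative answer, and for any other user it returns no rules with incomplete=false.` states the contract the body implements. The body calls `fmt.Errorf`, but the import hunk above adds only the `user` package, so `fmt` is presumably already imported by this file — worth confirming, since nothing in the patch shows it. `Authorize`, whose first lines appear as trailing context, continues past the end of this hunk.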