github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-14 06:15:45 +00:00
Code Issues Projects Releases Wiki Activity

server/config: assing system:apiserver user to system:authenticated group

Browse Source
This commit is contained in:
Lukasz Szaszkiewicz 2024-10-07 17:39:10 +02:00
parent 02ed463dcc
commit ff3d440e27
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/apiserver/pkg/server/config.go
View File

@ -1155,7 +1155,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
tokens[privilegedLoopbackToken] = &user.DefaultInfo{ tokens[privilegedLoopbackToken] = &user.DefaultInfo{
Name: user.APIServerUser, Name: user.APIServerUser,
UID: uid, UID: uid,
Groups: []string{user.SystemPrivilegedGroup}, Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
} }
tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences) tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)

30
staging/src/k8s.io/apiserver/pkg/server/config_test.go
View File

@ -17,6 +17,7 @@ limitations under the License.
package server package server
import ( import (
"context"
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
@ -36,6 +37,7 @@ import (
"k8s.io/apiserver/pkg/audit/policy" "k8s.io/apiserver/pkg/audit/policy"
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/endpoints/request" "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/server/healthz" "k8s.io/apiserver/pkg/server/healthz"
"k8s.io/client-go/informers" "k8s.io/client-go/informers"
@ -78,6 +80,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
} }
} }
func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
})
fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
return authorizer.DecisionAllow, "", nil
})
target := &rest.Config{BearerToken: "secretToken"}
authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}
AuthorizeClientBearerToken(target, authN, authC)
fakeRequest, err := http.NewRequest("", "", nil)
if err != nil {
t.Fatal(err)
}
fakeRequest.Header.Set("Authorization", "bearer secretToken")
rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
if err != nil {
t.Fatal(err)
}
expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
}
}
func TestNewWithDelegate(t *testing.T) { func TestNewWithDelegate(t *testing.T) {
delegateConfig := NewConfig(codecs) delegateConfig := NewConfig(codecs)
delegateConfig.ExternalAddress = "192.168.10.4:443" delegateConfig.ExternalAddress = "192.168.10.4:443"