Implement /ext in Steve for Imperative API (#287)

This implements the Imperative API that is served at /ext with Steve. The imperative API is compatible with Kubernetes' API server and will be used as an extension API server.
2025-09-03 08:25:13 +00:00 · 2024-10-11 15:19:27 -04:00
parent 57a25ffa82
commit 1f21e5e515
18 changed files with 5343 additions and 4 deletions
--- a/pkg/ext/apiserver_authorization.go
+++ b/pkg/ext/apiserver_authorization.go
@@ -0,0 +1,47 @@
+package ext
+
+import (
+	"context"
+
+	"github.com/rancher/steve/pkg/accesscontrol"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+var _ authorizer.Authorizer = (*AccessSetAuthorizer)(nil)
+
+type AccessSetAuthorizer struct {
+	asl accesscontrol.AccessSetLookup
+}
+
+func NewAccessSetAuthorizer(asl accesscontrol.AccessSetLookup) *AccessSetAuthorizer {
+	return &AccessSetAuthorizer{
+		asl: asl,
+	}
+}
+
+// Authorize implements [authorizer.Authorizer].
+func (a *AccessSetAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+	if !attrs.IsResourceRequest() {
+		// XXX: Implement
+		return authorizer.DecisionDeny, "AccessSetAuthorizer does not support nonResourceURLs requests", nil
+	}
+
+	verb := attrs.GetVerb()
+	namespace := attrs.GetNamespace()
+	name := attrs.GetName()
+	gr := schema.GroupResource{
+		Group:    attrs.GetAPIGroup(),
+		Resource: attrs.GetResource(),
+	}
+
+	accessSet := a.asl.AccessFor(attrs.GetUser())
+	if accessSet.Grants(verb, gr, namespace, name) {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	// An empty string reason will still provide enough information such as:
+	//
+	//     testtypes.ext.cattle.io is forbidden: User "unknown-user" cannot list resource "testtypes" in API group "ext.cattle.io" at the cluster scope
+	return authorizer.DecisionDeny, "", nil
+}