privileged_user.go
package skipper
import (
"context"
"github.com/minio/pkg/wildcard"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
"github.com/appuio/appuio-cloud-agent/skipper/userinfo"
)
// Compile-time check that *PrivilegedUserSkipper satisfies the Skipper interface.
var _ Skipper = (*PrivilegedUserSkipper)(nil)
// PrivilegedUserSkipper skips request validations for privileged users.
//
// A request is considered privileged when the requesting username, one of its
// groups, or one of the ClusterRoles bound to it matches a configured pattern.
// All pattern lists use wildcard matching (pattern first, name second), so an
// overly broad pattern such as a bare "*" privileges every user; keep the lists
// as narrow as possible.
type PrivilegedUserSkipper struct {
	// Client is used to resolve the ClusterRoles bound to the requesting user
	// (via userinfo.ClusterRoleRefsForUser). It is only needed when
	// PrivilegedClusterRoles is configured.
	Client client.Reader

	// PrivilegedGroups is a list of group name patterns. A request is skipped
	// if any group in its UserInfo matches any of these patterns.
	// Wildcards are supported.
	PrivilegedGroups []string

	// PrivilegedUsers is a list of username patterns. A request is skipped
	// if its UserInfo.Username matches any of these patterns.
	// Wildcards are supported.
	PrivilegedUsers []string

	// PrivilegedClusterRoles is a list cluster roles allowed to bypass restrictions.
	// Wildcards are supported (e.g. "system:serviceaccount:default:*" or "cluster-*-operator").
	// ClusterRoles are only ever matched if they are bound through a ClusterRoleBinding,
	// this is different from the behavior of Kyverno.
	// This is done to prevent a user from wrongly configuring a low-privileged ClusterRole which users
	// can then bind to themselves to bypass the restrictions.
	PrivilegedClusterRoles []string
}
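// Skip reports whether request validation should be bypassed because the
// requesting user is privileged. A user is privileged when
//
//   - its username matches one of the PrivilegedUsers patterns,
//   - any of its groups matches one of the PrivilegedGroups patterns, or
//   - any ClusterRole resolved for it by userinfo.ClusterRoleRefsForUser
//     matches one of the PrivilegedClusterRoles patterns.
//
// The cheap in-memory username and group checks run first. The ClusterRole
// lookup, which goes through s.Client, is only performed when
// PrivilegedClusterRoles is non-empty, so a skipper configured without
// cluster roles never issues a lookup for it. A lookup error is returned to
// the caller and the request is never reported as skipped in that case.
func (s *PrivilegedUserSkipper) Skip(ctx context.Context, req admission.Request) (bool, error) {
	if matchesAnyPattern(s.PrivilegedUsers, req.UserInfo.Username) {
		return true, nil
	}

	for _, group := range req.UserInfo.Groups {
		if matchesAnyPattern(s.PrivilegedGroups, group) {
			return true, nil
		}
	}

	// With no cluster role patterns configured the lookup below could never
	// match, so avoid the cost (and the dependency on s.Client) entirely.
	if len(s.PrivilegedClusterRoles) == 0 {
		return false, nil
	}

	clusterRoles, err := userinfo.ClusterRoleRefsForUser(ctx, s.Client, req.UserInfo)
	if err != nil {
		return false, err
	}

	for _, role := range clusterRoles {
		if matchesAnyPattern(s.PrivilegedClusterRoles, role) {
			return true, nil
		}
	}

	return false, nil
}

// matchesAnyPattern reports whether name matches at least one of the given
// wildcard patterns. Patterns are passed to wildcard.Match as the pattern
// argument and name as the value being tested. An empty pattern list never
// matches.
func matchesAnyPattern(patterns []string, name string) bool {
	for _, pattern := range patterns {
		if wildcard.Match(pattern, name) {
			return true
		}
	}
	return false
}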