/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package validatingadmissionpolicy
import (
"context"
"fmt"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/kubernetes/pkg/apis/admissionregistration"
rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
)
// authorizeCreate checks, on create, that the requesting user may read the
// resources referenced by the new policy's spec.paramKind. A policy without a
// paramKind references nothing, so there is nothing to authorize.
func (v *validatingAdmissionPolicyStrategy) authorizeCreate(ctx context.Context, obj runtime.Object) error {
	newPolicy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	if newPolicy.Spec.ParamKind != nil {
		return v.authorize(ctx, newPolicy)
	}
	// no paramKind in the new object: nothing to authorize
	return nil
}
// authorizeUpdate checks, on update, that the requesting user may read the
// resources referenced by the updated policy's spec.paramKind. The check is
// skipped when the new object has no paramKind, and when the paramKind is
// unchanged from the stored object (an unchanged reference is not re-checked).
func (v *validatingAdmissionPolicyStrategy) authorizeUpdate(ctx context.Context, obj, old runtime.Object) error {
	newPolicy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	newKind := newPolicy.Spec.ParamKind
	if newKind == nil {
		// no paramKind in the new object: nothing to authorize
		return nil
	}
	oldKind := old.(*admissionregistration.ValidatingAdmissionPolicy).Spec.ParamKind
	if oldKind != nil && *oldKind == *newKind {
		// paramKind is identical to the stored object's: not re-checked
		return nil
	}
	return v.authorize(ctx, newPolicy)
}
// authorize requires that the user in ctx can "get" every object of the kind
// referenced by policy.Spec.ParamKind.
//
// It returns nil without consulting the authorizer when no authorizer is
// configured, when the policy has no paramKind, or when the request is allowed
// to escalate (superuser). Otherwise it returns an error if the user cannot be
// identified, if the authorizer fails, or if the authorizer does not
// explicitly allow the access.
func (v *validatingAdmissionPolicyStrategy) authorize(ctx context.Context, policy *admissionregistration.ValidatingAdmissionPolicy) error {
	paramKind := policy.Spec.ParamKind
	if v.authorizer == nil || paramKind == nil {
		return nil
	}
	// superusers skip every check
	if rbacregistry.EscalationAllowed(ctx) {
		return nil
	}
	user, found := genericapirequest.UserFrom(ctx)
	if !found {
		return fmt.Errorf("cannot identify user to authorize read access to paramKind resources")
	}

	// Fail closed: unless the group/version (and then the resource) can be
	// determined from the paramKind, require permission on all
	// groups/versions/resources. Parse and resolve errors are deliberately
	// not surfaced; they only widen the required permission.
	apiGroup, apiVersion, resource := "*", "*", "*"
	gv, parseErr := schema.ParseGroupVersion(paramKind.APIVersion)
	if parseErr == nil {
		// only the parsed group/version needs to be authorized
		apiGroup, apiVersion = gv.Group, gv.Version
		gvr, resolveErr := v.resourceResolver.Resolve(gv.WithKind(paramKind.Kind))
		if resolveErr == nil {
			// only the resolved resource needs to be authorized
			resource = gvr.Resource
		}
	}

	// Read access ("get") on every name in every namespace of that resource.
	decision, _, err := v.authorizer.Authorize(ctx, authorizer.AttributesRecord{
		User:            user,
		Verb:            "get",
		ResourceRequest: true,
		Name:            "*",
		Namespace:       "*",
		APIGroup:        apiGroup,
		APIVersion:      apiVersion,
		Resource:        resource,
	})
	switch {
	case err != nil:
		return err
	case decision != authorizer.DecisionAllow:
		// anything other than an explicit allow (deny or no opinion) is rejected
		return fmt.Errorf(`user %v must have "get" permission on all objects of the referenced paramKind (kind=%s, apiVersion=%s)`, user, paramKind.Kind, paramKind.APIVersion)
	}
	return nil
}