add superuser fallback to authorizer #111558

merged 5 commits into from Oct 19, 2022
5 changes: 5 additions & 0 deletions pkg/kubeapiserver/authorizer/config.go
Expand Up @@ -23,6 +23,7 @@ import (

utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union"
Expand Down Expand Up @@ -79,6 +80,10 @@ func (config Config) New() (authorizer.Authorizer, authorizer.RuleResolver, erro
ruleResolvers []authorizer.RuleResolver
)

// Add SystemPrivilegedGroup as an authorizing group
superuserAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
authorizers = append(authorizers, superuserAuthorizer)

for _, authorizationMode := range config.AuthorizationModes {
// Keep cases in sync with constant list in k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes/modes.go.
switch authorizationMode {
Expand Down
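Review bot: The superuser authorizer built at L46–47 is appended unconditionally and ahead of every configured mode, so membership in `system:masters` is now a hard-coded allow that `--authorization-mode` can no longer remove — including a server running `AlwaysDeny` or a deny-listing webhook — and the one-line comment at L45 does not say so. Previously this grant was only wired when `AuthorizeClientBearerToken` ran (the code removed from staging/.../server/config.go in this PR), so operators reading this file should be told the new invariant. Suggest replacing the comment with: `// Always authorize members of system:masters first, regardless of --authorization-mode, so the loopback/admin client can never be locked out; this cannot be disabled by configuration.` Assuming the union authorizer returns on the first Allow, the configured authorizers (and any webhook-side logging they do) are never consulted for system:masters requests, which is worth stating for deployments that expect a webhook to see every request. The body of `Config.New` continues outside the hunk.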
5 changes: 0 additions & 5 deletions staging/src/k8s.io/apiserver/pkg/server/config.go
Expand Up @@ -45,8 +45,6 @@ import (
authenticatorunion "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
authorizerunion "k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/pkg/endpoints/discovery"
"k8s.io/apiserver/pkg/endpoints/filterlatency"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
Expand Down Expand Up @@ -960,7 +958,4 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati

tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
authn.Authenticator = authenticatorunion.New(tokenAuthenticator, authn.Authenticator)

tokenAuthorizer := authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)
authz.Authorizer = authorizerunion.New(tokenAuthorizer, authz.Authorizer)
}
11 changes: 11 additions & 0 deletions test/integration/certificates/admission_sign_test.go
Expand Up @@ -60,6 +60,11 @@ func TestCSRSignerNameSigningPlugin(t *testing.T) {
defer s.TearDownFn()
client := clientset.NewForConfigOrDie(s.ClientConfig)

// Drop the default RBAC superuser permissions to rely on the internal superuser authorizer
if err := client.RbacV1().ClusterRoleBindings().Delete(context.TODO(), "cluster-admin", metav1.DeleteOptions{}); err != nil {
t.Fatal(err)
}

// Grant 'test-user' permission to sign CertificateSigningRequests with the specified signerName.
const username = "test-user"
grantUserPermissionToSignFor(t, client, username, test.allowedSignerName)
Expand Down Expand Up @@ -100,6 +105,12 @@ dgA7Fe4tMAoGCCqGSM49BAMCA0gAMEUCIQCTT1YWQZaAqfQ2oBxzOkJE2BqLFxhz
-----END CERTIFICATE-----
Trailing non-PEM content
`)

// superuser should always have permission to sign; dry-run so we don't actually modify the CSR so the non-superuser can attempt as well
if _, err := client.CertificatesV1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{DryRun: []string{metav1.DryRunAll}}); err != nil {
t.Errorf("expected no superuser error but got: %v", err)
}

_, err := testuserClient.CertificatesV1().CertificateSigningRequests().UpdateStatus(context.TODO(), csr, metav1.UpdateOptions{})
if err != nil && test.error != err.Error() {
t.Errorf("expected error %q but got: %v", test.error, err)
Expand Down
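Review bot: The superuser check added at L90–92 passes whether the allow came from the built-in fallback or from any RBAC grant that survived the delete at L77, so on its own it does not prove the fallback is doing the work; it only discriminates if `cluster-admin` was the sole path to `system:masters` privileges, which holds for the default bootstrap policy but is not asserted here. If the RBAC bootstrap post-start hook were to re-create `cluster-admin` after this delete (it is expected to run once at startup, but that is not visible here), the test would still go green with the fallback broken. A cheap guard is to re-read the binding after the delete and fail if it is present before the dry-run, e.g. `if _, err := client.RbacV1().ClusterRoleBindings().Get(context.TODO(), "cluster-admin", metav1.GetOptions{}); !apierrors.IsNotFound(err) { t.Fatalf("expected cluster-admin to be gone, got: %v", err) }` — this needs `k8s.io/apimachinery/pkg/api/errors`, which may or may not already be imported. If this body runs once per table entry against a shared server, the second iteration's delete returns NotFound and `t.Fatal`s; the `defer s.TearDownFn()` at L73 suggests a server per entry, but the loop and the rest of `TestCSRSignerNameSigningPlugin` are outside the hunk.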