Authorize PSP usage for pods without service accounts #43489

merged 1 commit into from Mar 22, 2017
7 changes: 3 additions & 4 deletions plugin/pkg/admission/security/podsecuritypolicy/admission.go
Expand Up @@ -288,7 +288,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
}

for _, constraint := range list {
if authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) {
// if no user info exists then the API is being hit via the unsecured port. In this case authorize the request.
if user == nil || authorizedForPolicy(user, constraint, authz) || authorizedForPolicy(sa, constraint, authz) {
matchedPolicies = append(matchedPolicies, constraint)
}
}
Expand All @@ -298,10 +299,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user

// authorizedForPolicy returns true if info is authorized to perform a "get" on policy.
func authorizedForPolicy(info user.Info, policy *extensions.PodSecurityPolicy, authz authorizer.Authorizer) bool {
// if no info exists then the API is being hit via the unsecured port. In this case
// authorize the request.
if info == nil {
return true
return false
}
attr := buildAttributes(info, policy)
allowed, reason, err := authz.Authorize(attr)
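Review bot: The `user == nil ||` short-circuit added at the head of the condition in getMatchingPolicies now appends every policy in the list without running either authorizedForPolicy check, and the only thing tying that blanket grant to the unsecured port is the comment above it, while the doc comment on authorizedForPolicy still reads "returns true if info is authorized" and does not mention that a nil info is now refused. I would extend that doc comment to `// authorizedForPolicy returns true if info is authorized to perform a "get" on policy. A nil info is never authorized; callers that treat a nil user as the unsecured port must handle that case themselves.` and, on the getMatchingPolicies side, make the assumption explicit: `// user == nil is treated as the unsecured port and matches every policy; any other code path that reaches here without user info receives the same blanket grant.` The body of getMatchingPolicies starts before the hunk and authorizedForPolicy continues past it, so I could not confirm from this page where user and sa are derived or whether a nil user can arise on any other path.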
Expand Up @@ -1610,7 +1610,7 @@ func TestGetMatchingPolicies(t *testing.T) {
// (ie. a request hitting the unsecure port)
expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
},
"policies are allowed for nil sa info": {
"policies are not allowed for nil sa info": {
user: &user.DefaultInfo{Name: "user"},
sa: nil,
disallowedPolicies: map[string][]string{
Expand All @@ -1622,9 +1622,8 @@ func TestGetMatchingPolicies(t *testing.T) {
policyWithName("policy2"),
policyWithName("policy3"),
},
// all policies are allowed regardless of the permissions when sa info is nil
// (ie. a request hitting the unsecure port)
expectedPolicies: sets.NewString("policy1", "policy2", "policy3"),
// only the policies for the user are allowed when sa info is nil
expectedPolicies: sets.NewString("policy2"),
},
}
for k, v := range tests {