From 274e9f5f7d6373dc30cfd50ded87b6878be5a754 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Thu, 29 Oct 2020 13:55:58 +0100
Subject: [PATCH] UPSTREAM: : bootstrap-rbac-policy: move over .well-known rules

Origin-commit: 45f159f05b92c893c175ffe968f89a34f5581f5b
---
 .../authorizer/rbac/bootstrappolicy/policy.go | 10 ++++++++++
 .../testdata/cluster-role-bindings.yaml | 20 +++++++++++++++++++
 .../testdata/cluster-roles.yaml | 15 ++++++++++++++
 3 files changed, 45 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 50ba7a3d6717..6df527b8606a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -217,6 +217,15 @@ func clusterRoles() []rbacv1.ClusterRole {
 ).RuleOrDie(),
 },
 },
+ {
+ // a role which provides unauthenticated access.
+ ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:public-info-viewer"},
+ Rules: []rbacv1.PolicyRule{
+ rbacv1helpers.NewRule("get").URLs(
+ "/.well-known", "/.well-known/*",
+ ).RuleOrDie(),
+ },
+ },
 {
 // a role which provides minimal resource access to allow a "normal" user to learn information about themselves
 ObjectMeta: metav1.ObjectMeta{Name: "system:basic-user"},
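Review bot: The comment on the new role, `// a role which provides unauthenticated access.`, understates what the rule grants and attributes the wrong thing to the role: the rule makes GET on `/.well-known` and every subpath matched by `/.well-known/*` readable, while the anonymous part comes from the binding to user.AllUnauthenticated added in the clusterRoleBindings hunk, not from the role itself. Because of the trailing wildcard, anything later served under /.well-known/ becomes readable by system:unauthenticated without a further policy change, so the comment should state that this is intended and name the paths, e.g. `// a role which exposes the /.well-known discovery documents (and anything served below that prefix) to anonymous callers; bound to system:authenticated and system:unauthenticated in clusterRoleBindings.` It would also help to say why a separate system:openshift:-prefixed role is used rather than adding the URLs to the existing system:public-info-viewer role, since both roles end up with the same subjects. clusterRoles begins and ends outside this hunk.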
@@ -576,6 +585,7 @@ func clusterRoleBindings() []rbacv1.ClusterRoleBinding {
 rbacv1helpers.NewClusterBinding("system:discovery").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:basic-user").Groups(user.AllAuthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
+ rbacv1helpers.NewClusterBinding("system:openshift:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:node-proxier").Users(user.KubeProxy).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(),
 rbacv1helpers.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
index 6edfde1ba4f0..8c09f5a9aa9a 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -149,6 +149,26 @@ items:
 - apiGroup: rbac.authorization.k8s.io
 kind: User
 name: system:kube-proxy
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:openshift:public-info-viewer
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:public-info-viewer
+ subjects:
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:authenticated
+ - apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: system:unauthenticated
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 1aee17d485f5..482f7eae834b 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -1182,6 +1182,21 @@ items:
 verbs:
 - list
 - watch
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ creationTimestamp: null
+ labels:
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:openshift:public-info-viewer
+ rules:
+ - nonResourceURLs:
+ - /.well-known
+ - /.well-known/*
+ verbs:
+ - get
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata: