feat: validate Talos API access roles in machine config

Make sure that machine config rejects unknown roles in Talos API access config if the feature is enabled. Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
siderolabs · Dec 15, 2022 · b3aebfa · b3aebfa
1 parent 40761e1
commit b3aebfa
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 5 deletions.
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go
@@ -26,6 +26,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/kubelet"
 	"github.com/siderolabs/talos/pkg/machinery/labels"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
+	"github.com/siderolabs/talos/pkg/machinery/role"
 )
 
 var (
@@ -270,12 +271,20 @@ func (c *Config) Validate(mode config.RuntimeMode, options ...config.ValidationO
 		result = multierror.Append(result, fmt.Errorf("invalid machine node labels: %w", err))
 	}
 
-	if c.Machine().Features().KubernetesTalosAPIAccess().Enabled() && !c.Machine().Features().RBACEnabled() {
-		result = multierror.Append(result, fmt.Errorf("feature API RBAC should be enabled when Kubernetes Talos API Access feature is enabled"))
-	}
+	if c.Machine().Features().KubernetesTalosAPIAccess().Enabled() {
+		if !c.Machine().Features().RBACEnabled() {
+			result = multierror.Append(result, fmt.Errorf("feature API RBAC should be enabled when Kubernetes Talos API Access feature is enabled"))
+		}
+
+		if !c.Machine().Type().IsControlPlane() {
+			result = multierror.Append(result, fmt.Errorf("feature Kubernetes Talos API Access can only be enabled on control plane machines"))
+		}
 
-	if c.Machine().Features().KubernetesTalosAPIAccess().Enabled() && !c.Machine().Type().IsControlPlane() {
-		result = multierror.Append(result, fmt.Errorf("feature Kubernetes Talos API Access can only be enabled on control plane machines"))
+		for _, r := range c.Machine().Features().KubernetesTalosAPIAccess().AllowedRoles() {
+			if !role.All.Includes(role.Role(r)) {
+				result = multierror.Append(result, fmt.Errorf("invalid role %q in allowed roles for Kubernetes Talos API Access", r))
+			}
+		}
 	}
 
 	if opts.Strict {

diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation_test.go
@@ -1216,6 +1216,37 @@ func TestValidate(t *testing.T) {
 			},
 			expectedError: "1 error occurred:\n\t* feature Kubernetes Talos API Access can only be enabled on control plane machines\n\n",
 		},
+		{
+			name: "TalosAPIAccessInvalidRole",
+			config: &v1alpha1.Config{
+				ConfigVersion: "v1alpha1",
+				MachineConfig: &v1alpha1.MachineConfig{
+					MachineType: "controlplane",
+					MachineFeatures: &v1alpha1.FeaturesConfig{
+						RBAC: pointer.To(true),
+						KubernetesTalosAPIAccessConfig: &v1alpha1.KubernetesTalosAPIAccessConfig{
+							AccessEnabled: pointer.To(true),
+							AccessAllowedRoles: []string{
+								"os:reader",
+								"invalid:role1",
+								"os:etcd:backup",
+								"invalid:role2",
+							},
+						},
+					},
+				},
+				ClusterConfig: &v1alpha1.ClusterConfig{
+					ControlPlane: &v1alpha1.ControlPlaneConfig{
+						Endpoint: &v1alpha1.Endpoint{
+							endpointURL,
+						},
+					},
+				},
+			},
+			expectedError: "2 errors occurred:\n\t* invalid role \"invalid:role1\" in allowed roles for " +
+				"Kubernetes Talos API Access\n\t* invalid role \"invalid:role2\" in allowed roles for " +
+				"Kubernetes Talos API Access\n\n",
+		},
 		{
 			name: "NodeLabels",
 			config: &v1alpha1.Config{