fix(auth): allow anyone to get cluster-info in kube-public

tkestack · Jun 3, 2021 · 7726e9f · 7726e9f
1 parent c70a9cd
commit 7726e9f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/pkg/auth/filter/filter.go b/pkg/auth/filter/filter.go
@@ -60,6 +60,8 @@ const (
 	decisionAllow  = "allow"
 	decisionForbid = "forbid"
 	reasonError    = "internal error"
+
+	kubePublicNS = "kube-public"
 )
 
 var (
@@ -182,6 +184,11 @@ func UnprotectedAuthorized(attributes authorizer.Attributes) authorizer.Decision
 		return authorizer.DecisionAllow
 	}
 
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	if attributes.GetNamespace() == kubePublicNS && isGetVerb(verb) {
+		return authorizer.DecisionAllow
+	}
+
 	return authorizer.DecisionNoOpinion
 }
 
@@ -323,3 +330,7 @@ func splitPath(path string) []string {
 	}
 	return strings.Split(path, "/")
 }
+
+func isGetVerb(verb string) bool {
+	return strings.HasPrefix(verb, "get")
+}
diff --git a/web/console/src/webApi/tkestack.ts b/web/console/src/webApi/tkestack.ts
@@ -1,13 +1,13 @@
 import Request from './request';
 
 export const getTkeStackVersion = async () => {
-  const rsp = await Request.get<any, { items: Array<{ data?: { tkeVersion?: string } }> }>(
-    '/api/v1/namespaces/kube-public/configmaps',
+  const rsp = await Request.get<any, { data?: { tkeVersion: string } }>(
+    '/api/v1/namespaces/kube-public/configmaps/cluster-info',
     {
       headers: {
         'X-TKE-ClusterName': 'global'
       }
     }
   );
-  return rsp?.items?.[0]?.data?.tkeVersion ?? '';
+  return rsp?.data?.tkeVersion ?? '';
 };