From 7726e9f6d8c9bfb55ac4c1cdfd65ed50ee569f52 Mon Sep 17 00:00:00 2001
From: Chris Li
Date: Wed, 2 Jun 2021 11:21:34 +0800
Subject: [PATCH] fix(auth): allow anyone to get cluster-info in kube-public
---
 pkg/auth/filter/filter.go | 11 +++++++++++
 web/console/src/webApi/tkestack.ts | 6 +++---
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/pkg/auth/filter/filter.go b/pkg/auth/filter/filter.go
index 4c76ab517..d81b9e1d7 100644
--- a/pkg/auth/filter/filter.go
+++ b/pkg/auth/filter/filter.go
@@ -60,6 +60,8 @@ const (
 decisionAllow = "allow"
 decisionForbid = "forbid"
 reasonError = "internal error"
+
+ kubePublicNS = "kube-public"
 )
 
 var (
@@ -182,6 +184,11 @@ func UnprotectedAuthorized(attributes authorizer.Attributes) authorizer.Decision
 return authorizer.DecisionAllow
 }
 
+ // https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+ if attributes.GetNamespace() == kubePublicNS && isGetVerb(verb) {
+ return authorizer.DecisionAllow
+ }
+
 return authorizer.DecisionNoOpinion
 }
 
@@ -323,3 +330,7 @@ func splitPath(path string) []string {
 }
 return strings.Split(path, "/")
 }
+
+ func isGetVerb(verb string) bool {
+ return strings.HasPrefix(verb, "get")
+ }
diff --git a/web/console/src/webApi/tkestack.ts b/web/console/src/webApi/tkestack.ts
index 497336592..cb17aa744 100644
--- a/web/console/src/webApi/tkestack.ts
+++ b/web/console/src/webApi/tkestack.ts
@@ -1,13 +1,13 @@ import Request from './request'; export const getTkeStackVersion = async () => { - const rsp = await Request.get }>( - '/api/v1/namespaces/kube-public/configmaps', + const rsp = await Request.get( + '/api/v1/namespaces/kube-public/configmaps/cluster-info', { headers: { 'X-TKE-ClusterName': 'global' } } ); - return rsp?.items?.[0]?.data?.tkeVersion ?? ''; + return rsp?.data?.tkeVersion ?? '';  };
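Review bot: The branch added to UnprotectedAuthorized (hunk `-182,6 +184,11`) returns DecisionAllow for every get-style request in kube-public, not just the cluster-info ConfigMap the commit subject names: the condition tests namespace and verb but never the API group, resource, subresource or object name. Any other object that ends up in that namespace, such as another ConfigMap or a Secret, would be readable through what the function name suggests is the path that skips normal authorization. Scope the rule to the one object the console fetches, e.g. `if attributes.IsResourceRequest() && attributes.GetNamespace() == kubePublicNS && attributes.GetAPIGroup() == "" && attributes.GetResource() == "configmaps" && attributes.GetSubresource() == "" && attributes.GetName() == "cluster-info" && verb == "get" {`, and replace the bare URL comment with a sentence on why this object is world-readable. The function begins above the hunk, so how `verb` is derived is not visible here.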
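Review bot: isGetVerb (hunk `-323,3 +330,7`) matches by prefix, so any verb string that merely begins with "get" passes, and its result feeds an allow decision. If only the plain read verb is intended, `return verb == "get"` is exact and cannot widen silently when new verbs are introduced. If get-prefixed verbs are produced elsewhere in this package (not visible in the diff) and are meant to be covered, add a doc comment that says so, e.g. `// isGetVerb reports whether verb is "get" or a get-prefixed action; callers use it to grant unauthenticated reads.` The helper currently has no comment at all.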