fix: inspect cluster without privilegedUsername

tkestack · Nov 23, 2022 · b0265ec · b0265ec
1 parent 477ea6b
commit b0265ec
Showing 1 changed file with 36 additions and 7 deletions.
diff --git a/pkg/auth/filter/inspector.go b/pkg/auth/filter/inspector.go
@@ -23,16 +23,15 @@ import (
 	"net/http"
 
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
-
-	platformv1 "tkestack.io/tke/api/client/clientset/versioned/typed/platform/v1"
-	"tkestack.io/tke/pkg/apiserver/authentication"
-	"tkestack.io/tke/pkg/util/log"
-
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	genericfilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	genericapiserver "k8s.io/apiserver/pkg/server"
+	platformv1 "tkestack.io/tke/api/client/clientset/versioned/typed/platform/v1"
+	"tkestack.io/tke/pkg/apiserver/authentication"
+	"tkestack.io/tke/pkg/platform/apiserver/filter"
+	"tkestack.io/tke/pkg/util/log"
 )
 
 type Inspector interface {
@@ -59,8 +58,38 @@ func (i *clusterInspector) Inspect(handler http.Handler, c *genericapiserver.Con
 		}
 		ctx := req.Context()
 		username, tenantID := authentication.UsernameAndTenantID(ctx)
-		if (username == i.privilegedUsername || username == "system:apiserver" || username == "system:serviceaccount:clusternet-system:clusternet-app-deployer") && tenantID == "" {
-			handler.ServeHTTP(w, req)
+		if username == i.privilegedUsername || username == "system:apiserver" || username == "system:serviceaccount:clusternet-system:clusternet-app-deployer" {
+			if tenantID == "" {
+				handler.ServeHTTP(w, req)
+			} else {
+				ae := request.AuditEventFrom(ctx)
+				attributes, err := genericfilters.GetAuthorizerAttributes(ctx)
+				if err != nil {
+					responsewriters.InternalError(w, req, err)
+					return
+				}
+				tkeAttributes := ConvertTKEAttributes(ctx, attributes)
+				verb := tkeAttributes.GetVerb()
+				clusterNames := make([]string, 0)
+				clusterName := filter.ClusterFrom(ctx)
+				if len(clusterName) > 0 {
+					clusterNames = append(clusterNames, clusterName)
+				} else {
+					handler.ServeHTTP(w, req)
+					return
+				}
+
+				log.Infof("WithTKEAuthorization clusterNames: %+v, username: %+v, tenant: %+v, "+
+					"action: %+v, resource: %+v, name: %+v",
+					clusterNames, username, tenantID, tkeAttributes.GetVerb(),
+					tkeAttributes.GetResource(), tkeAttributes.GetName())
+				reason, valid := CheckClustersTenant(ctx, tenantID, clusterNames, i.platformClient, verb)
+				if !valid {
+					ForbiddenResponse(ctx, tkeAttributes, w, req, ae, c.Serializer, reason)
+					return
+				}
+				handler.ServeHTTP(w, req)
+			}
 			return
 		}
 		ae := request.AuditEventFrom(ctx)