From b34e2724b5948c2f81563ca45b4cb5735e7f2dca Mon Sep 17 00:00:00 2001
From: changzhen
Date: Wed, 29 Dec 2021 17:56:07 +0800
Subject: [PATCH] ignore some group with Impersonate-Group
Signed-off-by: changzhen
---
 pkg/registry/cluster/storage/proxy.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/pkg/registry/cluster/storage/proxy.go b/pkg/registry/cluster/storage/proxy.go
index 8ec0d91d9..d0a21b2b5 100644
--- a/pkg/registry/cluster/storage/proxy.go
+++ b/pkg/registry/cluster/storage/proxy.go
@@ -11,6 +11,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/util/proxy"
+ "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 "k8s.io/apiserver/pkg/endpoints/request"
 genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
@@ -101,7 +102,9 @@ func newProxyHandler(location *url.URL, transport http.RoundTripper, impersonate
 }
 req.Header.Set(authenticationv1.ImpersonateUserHeader, requester.GetName())
 for _, group := range requester.GetGroups() {
- req.Header.Add(authenticationv1.ImpersonateGroupHeader, group)
+ if !skipGroup(group) {
+ req.Header.Add(authenticationv1.ImpersonateGroupHeader, group)
+ }
 }
 req.Header.Set("Authorization", fmt.Sprintf("bearer %s", impersonateToken))
@@ -111,6 +114,15 @@ func newProxyHandler(location *url.URL, transport http.RoundTripper, impersonate
 }), nil
 }
+func skipGroup(group string) bool {
+ switch group {
+ case user.AllAuthenticated, user.AllUnauthenticated:
+ return true
+ default:
+ return false
+ }
+}
+
 func newThrottledUpgradeAwareProxyHandler(location *url.URL, transport http.RoundTripper, wrapTransport, upgradeRequired bool, responder rest.Responder) *proxy.UpgradeAwareHandler {
 handler := proxy.NewUpgradeAwareHandler(location, transport, wrapTransport, upgradeRequired, proxy.NewErrorResponder(responder))
 return handler
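Review bot: `req.Header.Add` in the group loop of the second hunk appends to any Impersonate-Group values the inbound request already carries, so the new `skipGroup` filter only governs the groups taken from `requester.GetGroups()`. Whether an earlier filter strips client-supplied impersonation headers is not visible in this hunk; if none does, a caller-supplied group value would be forwarded next to the authenticated ones under the impersonation token. Clearing the header first makes the forwarded set authoritative: `req.Header.Del(authenticationv1.ImpersonateGroupHeader)` placed before the `for` loop. newProxyHandler starts and ends outside this hunk.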
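Review bot: `skipGroup` in the third hunk has no comment saying why `user.AllAuthenticated` and `user.AllUnauthenticated` are withheld from the forwarded headers, and the commit subject only says "ignore some group". This function decides which identity attributes reach the proxied cluster, so the rationale should sit next to it. A doc comment such as `// skipGroup reports whether group is a built-in authentication-state group that newProxyHandler does not forward as an Impersonate-Group header.` followed by one sentence giving the reason would do. A small table-driven test covering both constants and an ordinary group name would also pin the list against accidental edits.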