diff --git a/go.mod b/go.mod
index 5b9008c5e..efc84ce24 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 k8s.io/api v0.0.0-20240918001733-e14a61a8c7c2
 k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce
 k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b
- k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426
+ k8s.io/component-base v0.0.0-20240918042634-49269eb05058
 k8s.io/klog/v2 v2.130.1
 k8s.io/kms v0.0.0-20240912041232-273c893e4e51
 k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
diff --git a/go.sum b/go.sum
index 103ef7e36..5b5473c5d 100644
--- a/go.sum
+++ b/go.sum
@@ -377,8 +377,8 @@ k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce h1:/8pGA195j4uJHrstvUPo9Y
 k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY=
 k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b h1:qNJBkiH/PYHfreCjRi5e9yoCDlb2p4htEvMJeD8GK3Q=
 k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b/go.mod h1:SHqrcQOS6L0CtlGn8DlOEAVxhSHlLqbNwD15CEqWSKU=
-k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426 h1:rWVMw7vGnNfEK3/u1GpO0NsA11B2ryY0QP96M+nzV9c=
-k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426/go.mod h1:0TUNldelE6cElcpnJjf1+LVBIZkcUsVXDbj1Xsqj+EI=
+k8s.io/component-base v0.0.0-20240918042634-49269eb05058 h1:8soliJr5YLVB+pJtR12WtJFL1TWoFYBw5ANH3tp9j+s=
+k8s.io/component-base v0.0.0-20240918042634-49269eb05058/go.mod h1:0TUNldelE6cElcpnJjf1+LVBIZkcUsVXDbj1Xsqj+EI=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kms v0.0.0-20240912041232-273c893e4e51 h1:mbESnbnzpJyRVv9XDJ7eV+F33qap+hKv/kPEkzVPCoE=
diff --git a/pkg/authorization/authorizer/interfaces.go b/pkg/authorization/authorizer/interfaces.go
index d39deb17e..2f5f65e22 100644
--- a/pkg/authorization/authorizer/interfaces.go
+++ b/pkg/authorization/authorizer/interfaces.go
@@ -92,7 +92,7 @@ func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision,
 // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
 type RuleResolver interface {
 // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors.
- RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
+ RulesFor(ctx context.Context, user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
 }
 // RequestAttributesGetter provides a function that extracts Attributes from an http.Request
diff --git a/pkg/authorization/authorizerfactory/builtin.go b/pkg/authorization/authorizerfactory/builtin.go
index 6fe3fa96e..b3b1f09a6 100644
--- a/pkg/authorization/authorizerfactory/builtin.go
+++ b/pkg/authorization/authorizerfactory/builtin.go
@@ -33,7 +33,7 @@ func (alwaysAllowAuthorizer) Authorize(ctx context.Context, a authorizer.Attribu
 return authorizer.DecisionAllow, "", nil
 }
-func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (alwaysAllowAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 return []authorizer.ResourceRuleInfo{
 &authorizer.DefaultResourceRuleInfo{
 Verbs: []string{"*"},
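Review bot: The doc comment above `RulesFor` in `RuleResolver` (pkg/authorization/authorizer/interfaces.go) still lists only the four results and does not say what implementers must do with the new `ctx`. The contract that matters is what happens when the context is cancelled or past its deadline: a resolver that returns a shortened rule list without setting the incomplete flag would misreport a user's permissions to whoever consumes the result. I would extend the comment along the lines of `// RulesFor gets the cluster-wide rules and the rules in the given namespace for user. If ctx is done before resolution finishes, implementations should return incomplete=true and a non-nil error.` The implementations of this interface are in other files of this commit.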
@@ -61,7 +61,7 @@ func (alwaysDenyAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut
 return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
 }
-func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (alwaysDenyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
 }
diff --git a/pkg/authorization/union/union.go b/pkg/authorization/union/union.go
index 460d9a4ab..0e5007cfa 100644
--- a/pkg/authorization/union/union.go
+++ b/pkg/authorization/union/union.go
@@ -77,7 +77,7 @@ func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authoriz
 }
 // RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
-func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (authzHandler unionAuthzRulesHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 var (
 errList []error
 resourceRulesList []authorizer.ResourceRuleInfo
@@ -86,7 +86,7 @@ func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace st
 incompleteStatus := false
 for _, currAuthzHandler := range authzHandler {
- resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace)
+ resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(ctx, user, namespace)
 if incomplete {
 incompleteStatus = true
diff --git a/pkg/authorization/union/union_test.go b/pkg/authorization/union/union_test.go
index 057c1cefe..c8b467866 100644
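Review bot: The loop in `unionAuthzRulesHandler.RulesFor` (pkg/authorization/union/union.go) never checks `ctx` itself; it only forwards it, so after the request is cancelled the remaining resolvers are still called one by one. Whether each resolver checks the context is not visible here. A guard at the top of the loop body, `if err := ctx.Err(); err != nil { errList = append(errList, err); incompleteStatus = true; break }`, would stop early and mark the result incomplete rather than return whatever had been gathered so far. The function body continues outside this hunk, so confirm how `errList` and `incompleteStatus` are returned before adopting it.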
--- a/pkg/authorization/union/union_test.go
+++ b/pkg/authorization/union/union_test.go
@@ -25,6 +25,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 )
 type mockAuthzHandler struct {
@@ -86,7 +87,7 @@ type mockAuthzRuleHandler struct {
 err error
 }
-func (mock *mockAuthzRuleHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (mock *mockAuthzRuleHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 if mock.err != nil {
 return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err
 }
@@ -150,7 +151,7 @@ func TestAuthorizationResourceRules(t *testing.T) {
 authzRulesHandler := NewRuleResolvers(handler1, handler2)
- rules, _, _, _ := authzRulesHandler.RulesFor(nil, "")
+ rules, _, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
 actual := getResourceRules(rules)
 if !reflect.DeepEqual(expected, actual) {
 t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
@@ -189,7 +190,7 @@ func TestAuthorizationNonResourceRules(t *testing.T) {
 authzRulesHandler := NewRuleResolvers(handler1, handler2)
- _, rules, _, _ := authzRulesHandler.RulesFor(nil, "")
+ _, rules, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
 actual := getNonResourceRules(rules)
 if !reflect.DeepEqual(expected, actual) {
 t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
diff --git a/plugin/pkg/authorizer/webhook/webhook.go b/plugin/pkg/authorizer/webhook/webhook.go
index ebc4949d9..f70cce6e1 100644
--- a/plugin/pkg/authorizer/webhook/webhook.go
+++ b/plugin/pkg/authorizer/webhook/webhook.go
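Review bot: `mockAuthzRuleHandler.RulesFor` in union_test.go accepts `ctx` and discards it, so both tests would still pass if the union resolver handed its children a different context than the one it received. Because resolvers may depend on request-scoped values or deadlines, I would have the mock record the context it was given and assert in one test that it is the caller's. `genericapirequest.NewContext()` also pulls the endpoints/request package into this test only to obtain a context; `context.Background()` would do, presumably with `context` already imported since the import hunk does not add it. The mock's body and both test functions continue outside their hunks.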
@@ -402,7 +402,7 @@ func labelSelectorToAuthorizationAPI(attr authorizer.Attributes) ([]metav1.Label
 }
 // TODO: need to finish the method to get the rules when using webhook mode
-func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (w *WebhookAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 var (
 resourceRules []authorizer.ResourceRuleInfo
 nonResourceRules []authorizer.NonResourceRuleInfo
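Review bot: The comment above `WebhookAuthorizer.RulesFor` is only a TODO, so with `ctx` now in the signature a reader cannot tell whether the context is used or what the returned rule lists mean in webhook mode. The body continues outside the hunk, so I cannot confirm what it returns. If it is still a stub, a doc comment should say so, e.g. `// RulesFor is not implemented for webhook mode; ctx is accepted to satisfy authorizer.RuleResolver. Callers must not treat the result as the user's complete rule set.`, with the TODO kept on its own line below it.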