Merge pull request #124792 from mjudeikis/mjudeikis/ctx.wiring

Wire ctx into rbac plugins

Kubernetes-commit: 6f1583990a6ad0acec1d8a418eab977fee586076
Kubernetes Publisher 2024-09-18 08:26:44 +01:00
commit 7e60e39b7b
7 changed files with 13 additions and 12 deletions

2
go.mod

@ -52,7 +52,7 @@ require (
k8s.io/api v0.0.0-20240918001733-e14a61a8c7c2 k8s.io/api v0.0.0-20240918001733-e14a61a8c7c2
k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce
k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b
k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426 k8s.io/component-base v0.0.0-20240918042634-49269eb05058
k8s.io/klog/v2 v2.130.1 k8s.io/klog/v2 v2.130.1
k8s.io/kms v0.0.0-20240912041232-273c893e4e51 k8s.io/kms v0.0.0-20240912041232-273c893e4e51
k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2 k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2

4
go.sum

@ -377,8 +377,8 @@ k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce h1:/8pGA195j4uJHrstvUPo9Y
k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY= k8s.io/apimachinery v0.0.0-20240913152823-0fc0110cc2ce/go.mod h1:5rKPDwwN9qm//xASFCZ83nyYEanHxxhc7pZ8AC4lukY=
k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b h1:qNJBkiH/PYHfreCjRi5e9yoCDlb2p4htEvMJeD8GK3Q= k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b h1:qNJBkiH/PYHfreCjRi5e9yoCDlb2p4htEvMJeD8GK3Q=
k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b/go.mod h1:SHqrcQOS6L0CtlGn8DlOEAVxhSHlLqbNwD15CEqWSKU= k8s.io/client-go v0.0.0-20240917205444-4f57ad32047b/go.mod h1:SHqrcQOS6L0CtlGn8DlOEAVxhSHlLqbNwD15CEqWSKU=
k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426 h1:rWVMw7vGnNfEK3/u1GpO0NsA11B2ryY0QP96M+nzV9c= k8s.io/component-base v0.0.0-20240918042634-49269eb05058 h1:8soliJr5YLVB+pJtR12WtJFL1TWoFYBw5ANH3tp9j+s=
k8s.io/component-base v0.0.0-20240918003629-2a1fb6841426/go.mod h1:0TUNldelE6cElcpnJjf1+LVBIZkcUsVXDbj1Xsqj+EI= k8s.io/component-base v0.0.0-20240918042634-49269eb05058/go.mod h1:0TUNldelE6cElcpnJjf1+LVBIZkcUsVXDbj1Xsqj+EI=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kms v0.0.0-20240912041232-273c893e4e51 h1:mbESnbnzpJyRVv9XDJ7eV+F33qap+hKv/kPEkzVPCoE= k8s.io/kms v0.0.0-20240912041232-273c893e4e51 h1:mbESnbnzpJyRVv9XDJ7eV+F33qap+hKv/kPEkzVPCoE=


@ -92,7 +92,7 @@ func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision,
// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace. // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
type RuleResolver interface { type RuleResolver interface {
// RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors. // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors.
RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error) RulesFor(ctx context.Context, user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
} }
// RequestAttributesGetter provides a function that extracts Attributes from an http.Request // RequestAttributesGetter provides a function that extracts Attributes from an http.Request
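Review bot: The RulesFor doc comment on the RuleResolver interface still describes only the four results and says nothing about the newly added ctx parameter, so implementers have no stated contract for it; the sentence is also ungrammatical ("RulesFor get"). Suggest replacing it with `// RulesFor returns the cluster-wide rules, the rules in the given namespace, whether the result is incomplete, and any error. ctx carries the caller's cancellation and request-scoped values; implementations that perform I/O should honor it.` This is the interface every resolver in this PR now satisfies, so the contract belongs here rather than on individual implementations.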


@ -33,7 +33,7 @@ func (alwaysAllowAuthorizer) Authorize(ctx context.Context, a authorizer.Attribu
return authorizer.DecisionAllow, "", nil return authorizer.DecisionAllow, "", nil
} }
func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (alwaysAllowAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
return []authorizer.ResourceRuleInfo{ return []authorizer.ResourceRuleInfo{
&authorizer.DefaultResourceRuleInfo{ &authorizer.DefaultResourceRuleInfo{
Verbs: []string{"*"}, Verbs: []string{"*"},
@ -61,7 +61,7 @@ func (alwaysDenyAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut
return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
} }
func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (alwaysDenyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
} }


@ -77,7 +77,7 @@ func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authoriz
} }
// RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful // RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (authzHandler unionAuthzRulesHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
var ( var (
errList []error errList []error
resourceRulesList []authorizer.ResourceRuleInfo resourceRulesList []authorizer.ResourceRuleInfo
@ -86,7 +86,7 @@ func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace st
incompleteStatus := false incompleteStatus := false
for _, currAuthzHandler := range authzHandler { for _, currAuthzHandler := range authzHandler {
resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace) resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(ctx, user, namespace)
if incomplete { if incomplete {
incompleteStatus = true incompleteStatus = true
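Review bot: The loop in unionAuthzRulesHandler.RulesFor now forwards ctx to each resolver but never consults it itself, so once the request is cancelled the union still fans out to every remaining resolver (including any that does network I/O) before returning. A cheap guard at the top of the loop body, `if err := ctx.Err(); err != nil { errList = append(errList, err); incompleteStatus = true; break }`, stops the chain early and reports the result as incomplete; the tail of the function that folds errList is outside this hunk, so confirm that shape matches how the aggregate error is built. Separately, the doc comment above the signature ("returns nil if successful") no longer matches a function that returns four values and merges errors across resolvers — worth rewording to say it aggregates rules from every resolver and joins their errors.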


@ -25,6 +25,7 @@ import (
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
) )
type mockAuthzHandler struct { type mockAuthzHandler struct {
@ -86,7 +87,7 @@ type mockAuthzRuleHandler struct {
err error err error
} }
func (mock *mockAuthzRuleHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (mock *mockAuthzRuleHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
if mock.err != nil { if mock.err != nil {
return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err
} }
@ -150,7 +151,7 @@ func TestAuthorizationResourceRules(t *testing.T) {
authzRulesHandler := NewRuleResolvers(handler1, handler2) authzRulesHandler := NewRuleResolvers(handler1, handler2)
rules, _, _, _ := authzRulesHandler.RulesFor(nil, "") rules, _, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
actual := getResourceRules(rules) actual := getResourceRules(rules)
if !reflect.DeepEqual(expected, actual) { if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
@ -189,7 +190,7 @@ func TestAuthorizationNonResourceRules(t *testing.T) {
authzRulesHandler := NewRuleResolvers(handler1, handler2) authzRulesHandler := NewRuleResolvers(handler1, handler2)
_, rules, _, _ := authzRulesHandler.RulesFor(nil, "") _, rules, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
actual := getNonResourceRules(rules) actual := getNonResourceRules(rules)
if !reflect.DeepEqual(expected, actual) { if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
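Review bot: Both updated tests now pass a context into RulesFor, but nothing verifies that it actually reaches the resolvers — mockAuthzRuleHandler ignores ctx entirely, so a regression that dropped or replaced ctx inside the union handler would pass unnoticed. Suggest giving the mock a `gotCtx context.Context` field assigned at the top of its RulesFor and asserting in TestAuthorizationResourceRules and TestAuthorizationNonResourceRules that each handler received the context the test passed in. If genericapirequest.NewContext only wraps a background context, `context.Background()` would also avoid importing the endpoints/request package into this test for that alone.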


@ -402,7 +402,7 @@ func labelSelectorToAuthorizationAPI(attr authorizer.Attributes) ([]metav1.Label
} }
// TODO: need to finish the method to get the rules when using webhook mode // TODO: need to finish the method to get the rules when using webhook mode
func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (w *WebhookAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
var ( var (
resourceRules []authorizer.ResourceRuleInfo resourceRules []authorizer.ResourceRuleInfo
nonResourceRules []authorizer.NonResourceRuleInfo nonResourceRules []authorizer.NonResourceRuleInfo