From 83c8e657ed99ee744090d9db0b6ad0b5d0029336 Mon Sep 17 00:00:00 2001
From: David Eads
Date: Mon, 5 Nov 2018 16:23:20 -0500
Subject: [PATCH] allow delegated authorization to have privileged groups

Kubernetes-commit: 0b70b7a7c975589f7019e5017c334cf0ee6b819f
---
 pkg/server/options/authorization.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkg/server/options/authorization.go b/pkg/server/options/authorization.go
index 7c65dd391..6d8cfb841 100644
--- a/pkg/server/options/authorization.go
+++ b/pkg/server/options/authorization.go
@@ -56,6 +56,9 @@ type DelegatingAuthorizationOptions struct {
 	// AlwaysAllowPaths are HTTP paths which are excluded from authorization. They can be plain
 	// paths or end in * in which case prefix-match is applied. A leading / is optional.
 	AlwaysAllowPaths []string
+
+	// AlwaysAllowGroups are groups which are allowed to take any actions. In kube, this is system:masters.
+	AlwaysAllowGroups []string
 }
 
 func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
@@ -66,6 +69,12 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions {
 	}
 }
 
+// WithAlwaysAllowGroups appends the list of paths to AlwaysAllowGroups
+func (s *DelegatingAuthorizationOptions) WithAlwaysAllowGroups(groups ...string) *DelegatingAuthorizationOptions {
+	s.AlwaysAllowGroups = append(s.AlwaysAllowGroups, groups...)
+	return s
+}
+
 func (s *DelegatingAuthorizationOptions) Validate() []error {
 	allErrors := []error{}
 	return allErrors
@@ -115,6 +124,10 @@ func (s *DelegatingAuthorizationOptions) ApplyTo(c *server.AuthorizationInfo) er
 func (s *DelegatingAuthorizationOptions) toAuthorizer(client kubernetes.Interface) (authorizer.Authorizer, error) {
 	var authorizers []authorizer.Authorizer
 
+	if len(s.AlwaysAllowGroups) > 0 {
+		authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(s.AlwaysAllowGroups...))
+	}
+
 	if len(s.AlwaysAllowPaths) > 0 {
 		a, err := path.NewAuthorizer(s.AlwaysAllowPaths)
 		if err != nil {
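Review bot: The doc comment on the new WithAlwaysAllowGroups method says it "appends the list of paths", which is a copy of the AlwaysAllowPaths wording and misdescribes the method; it should read `// WithAlwaysAllowGroups appends groups to AlwaysAllowGroups and returns the receiver for chaining.` Because every name in this list grants unconditional authorization, the comment should also state that explicitly so callers do not treat it as a convenience default. Validate, visible at the end of this hunk, still returns an empty list, so an empty or whitespace group name would be accepted without complaint; a loop over s.AlwaysAllowGroups that rejects `g == ""` would be a cheap guard, though how such a value is matched by the authorizer is not visible here.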
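Review bot: The privileged-groups authorizer is appended before the path authorizer and, presumably, before the delegated authorizer that the rest of toAuthorizer builds outside this hunk, so a request from a user in any listed group is allowed without ever reaching the delegated SubjectAccessReview; that ordering is the security-relevant decision here and deserves a why-comment, e.g. `// Privileged groups are checked first: members bypass the path allowlist and delegated authorization entirely.` It would also help to note that this relies entirely on the authenticator populating group membership correctly, since no further check is applied. The body of toAuthorizer continues past the end of the hunk, so the union construction and the delegated authorizer are not visible in this review.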