server/config: assing system:apiserver user to system:authenticated group

Kubernetes-commit: 994aaf9073ba7966f1ba33b9815e74168c84f5cd
2024-10-07 17:39:10 +02:00 · 2024-10-07 17:39:10 +02:00 · c7b0cd857e
parent 2b2d066eda
commit c7b0cd857e
2 changed files with 31 additions and 1 deletions
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@ -1142,7 +1142,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
 	tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 		Name:   user.APIServerUser,
 		UID:    uid,
-		Groups: []string{user.SystemPrivilegedGroup},
+		Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
 	}
 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
--- a/pkg/server/config_test.go
+++ b/pkg/server/config_test.go
@ -17,6 +17,7 @@ limitations under the License.
 package server
 import (
 	"context"
 	"fmt"
 	"io"
 	"net/http"
@ -36,6 +37,7 @@ import (
 	"k8s.io/apiserver/pkg/audit/policy"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/client-go/informers"
@ -78,6 +80,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
 	}
 }
 func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
 	fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
 		return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
 	})
 	fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
 		return authorizer.DecisionAllow, "", nil
 	})
 	target := &rest.Config{BearerToken: "secretToken"}
 	authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
 	authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}
 	AuthorizeClientBearerToken(target, authN, authC)
 	fakeRequest, err := http.NewRequest("", "", nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	fakeRequest.Header.Set("Authorization", "bearer secretToken")
 	rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
 	if err != nil {
 		t.Fatal(err)
 	}
 	expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
 	if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
 		t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
 	}
 }
 func TestNewWithDelegate(t *testing.T) {
 	delegateConfig := NewConfig(codecs)
 	delegateConfig.ExternalAddress = "192.168.10.4:443"