diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index eb4791b04..56111c720 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -786,6 +786,10 @@ "ImportPath": "k8s.io/component-base", "Rev": "3b346c3e8128" }, + { + "ImportPath": "k8s.io/component-helpers", + "Rev": "f4b28bd014f1" + }, { "ImportPath": "k8s.io/gengo", "Rev": "8167cfdcfc14" diff --git a/go.mod b/go.mod index 3f6ea003a..d691a1bf4 100644 --- a/go.mod +++ b/go.mod @@ -39,6 +39,7 @@ require ( k8s.io/cli-runtime v0.0.0-20201102204136-d0f4150e4c60 k8s.io/client-go v0.0.0-20201103122446-534b10dd0412 k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128 + k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1 k8s.io/klog/v2 v2.2.0 k8s.io/kube-openapi v0.0.0-20200923155610-8b5066479488 k8s.io/metrics v0.0.0-20201102204027-de1a3d1600b4 @@ -54,7 +55,6 @@ replace ( k8s.io/client-go => k8s.io/client-go v0.0.0-20201103122446-534b10dd0412 k8s.io/code-generator => k8s.io/code-generator v0.0.0-20201102201853-e7a6809e9fe3 k8s.io/component-base => k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128 + k8s.io/component-helpers => k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1 k8s.io/metrics => k8s.io/metrics v0.0.0-20201102204027-de1a3d1600b4 ) - -replace k8s.io/component-helpers => k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1 diff --git a/go.sum b/go.sum index bbaab90ae..ffe60395d 100644 --- a/go.sum +++ b/go.sum @@ -514,6 +514,7 @@ k8s.io/cli-runtime v0.0.0-20201102204136-d0f4150e4c60/go.mod h1:BPUgo08u37PddGZF k8s.io/client-go v0.0.0-20201103122446-534b10dd0412/go.mod h1:eZXqnPJiVVWY2+7NwTdK2FTjO8hczO3Dyc4NYU9HPOs= k8s.io/code-generator v0.0.0-20201102201853-e7a6809e9fe3/go.mod h1:oioc17TXBB973K4R+ytm5k9jY1BktboxJc7qu3i29V0= k8s.io/component-base v0.0.0-20201102202913-3b346c3e8128/go.mod h1:/nWuTBUUN0ayOy6M2gPPEbJLcu3pBzdQG+RvOeE0nr8= +k8s.io/component-helpers v0.0.0-20201103005013-f4b28bd014f1/go.mod h1:fATLiMczVsWPiRQBF/4Bmb9j64XsZEKugK1o4RHjFoI= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= diff --git a/pkg/cmd/auth/OWNERS b/pkg/cmd/auth/OWNERS new file mode 100644 index 000000000..7b3130fdc --- /dev/null +++ b/pkg/cmd/auth/OWNERS @@ -0,0 +1,9 @@ +# See the OWNERS docs at https://go.k8s.io/owners + +approvers: +- sig-auth-authorizers-approvers +reviewers: +- sig-auth-authorizers-reviewers +labels: +- sig/auth + diff --git a/pkg/cmd/auth/auth.go b/pkg/cmd/auth/auth.go new file mode 100644 index 000000000..79968f5b2 --- /dev/null +++ b/pkg/cmd/auth/auth.go @@ -0,0 +1,40 @@ +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "github.com/spf13/cobra" + "k8s.io/cli-runtime/pkg/genericclioptions" + + cmdutil "k8s.io/kubectl/pkg/cmd/util" +) + +// NewCmdAuth returns an initialized Command instance for 'auth' sub command +func NewCmdAuth(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command { + // Parent command to which all subcommands are added. + cmds := &cobra.Command{ + Use: "auth", + Short: "Inspect authorization", + Long: `Inspect authorization`, + Run: cmdutil.DefaultSubCommandRun(streams.ErrOut), + } + + cmds.AddCommand(NewCmdCanI(f, streams)) + cmds.AddCommand(NewCmdReconcile(f, streams)) + + return cmds +} diff --git a/pkg/cmd/auth/cani.go b/pkg/cmd/auth/cani.go new file mode 100644 index 000000000..ca7899cfb --- /dev/null +++ b/pkg/cmd/auth/cani.go @@ -0,0 +1,413 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "context" + "errors" + "fmt" + "io" + "io/ioutil" + "os" + "sort" + "strings" + + "github.com/spf13/cobra" + + authorizationv1 "k8s.io/api/authorization/v1" + rbacv1 "k8s.io/api/rbac/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + utilerrors "k8s.io/apimachinery/pkg/util/errors" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/cli-runtime/pkg/printers" + discovery "k8s.io/client-go/discovery" + authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1" + cmdutil "k8s.io/kubectl/pkg/cmd/util" + "k8s.io/kubectl/pkg/describe" + rbacutil "k8s.io/kubectl/pkg/util/rbac" + "k8s.io/kubectl/pkg/util/templates" +) + +// CanIOptions is the start of the data required to perform the operation. As new fields are added, add them here instead of +// referencing the cmd.Flags() +type CanIOptions struct { + AllNamespaces bool + Quiet bool + NoHeaders bool + Namespace string + AuthClient authorizationv1client.AuthorizationV1Interface + DiscoveryClient discovery.DiscoveryInterface + + Verb string + Resource schema.GroupVersionResource + NonResourceURL string + Subresource string + ResourceName string + List bool + + genericclioptions.IOStreams +} + +var ( + canILong = templates.LongDesc(` + Check whether an action is allowed. + + VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. + TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. + NONRESOURCEURL is a partial URL starts with "/". + NAME is the name of a particular Kubernetes resource.`) + + canIExample = templates.Examples(` + # Check to see if I can create pods in any namespace + kubectl auth can-i create pods --all-namespaces + + # Check to see if I can list deployments in my current namespace + kubectl auth can-i list deployments.apps + + # Check to see if I can do everything in my current namespace ("*" means all) + kubectl auth can-i '*' '*' + + # Check to see if I can get the job named "bar" in namespace "foo" + kubectl auth can-i list jobs.batch/bar -n foo + + # Check to see if I can read pod logs + kubectl auth can-i get pods --subresource=log + + # Check to see if I can access the URL /logs/ + kubectl auth can-i get /logs/ + + # List all allowed actions in namespace "foo" + kubectl auth can-i --list --namespace=foo`) + + resourceVerbs = sets.NewString("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "use", "bind", "impersonate", "*") + nonResourceURLVerbs = sets.NewString("get", "put", "post", "head", "options", "delete", "patch", "*") +) + +// NewCmdCanI returns an initialized Command for 'auth can-i' sub command +func NewCmdCanI(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command { + o := &CanIOptions{ + IOStreams: streams, + } + + cmd := &cobra.Command{ + Use: "can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]", + DisableFlagsInUseLine: true, + Short: "Check whether an action is allowed", + Long: canILong, + Example: canIExample, + Run: func(cmd *cobra.Command, args []string) { + cmdutil.CheckErr(o.Complete(f, args)) + cmdutil.CheckErr(o.Validate()) + var err error + if o.List { + err = o.RunAccessList() + } else { + var allowed bool + allowed, err = o.RunAccessCheck() + if err == nil { + if !allowed { + os.Exit(1) + } + } + } + cmdutil.CheckErr(err) + }, + } + + cmd.Flags().BoolVarP(&o.AllNamespaces, "all-namespaces", "A", o.AllNamespaces, "If true, check the specified action in all namespaces.") + cmd.Flags().BoolVarP(&o.Quiet, "quiet", "q", o.Quiet, "If true, suppress output and just return the exit code.") + cmd.Flags().StringVar(&o.Subresource, "subresource", o.Subresource, "SubResource such as pod/log or deployment/scale") + cmd.Flags().BoolVar(&o.List, "list", o.List, "If true, prints all allowed actions.") + cmd.Flags().BoolVar(&o.NoHeaders, "no-headers", o.NoHeaders, "If true, prints allowed actions without headers") + return cmd +} + +// Complete completes all the required options +func (o *CanIOptions) Complete(f cmdutil.Factory, args []string) error { + if o.List { + if len(args) != 0 { + return errors.New("list option must be specified with no arguments") + } + } else { + if o.Quiet { + o.Out = ioutil.Discard + } + + switch len(args) { + case 2: + o.Verb = args[0] + if strings.HasPrefix(args[1], "/") { + o.NonResourceURL = args[1] + break + } + resourceTokens := strings.SplitN(args[1], "/", 2) + restMapper, err := f.ToRESTMapper() + if err != nil { + return err + } + o.Resource = o.resourceFor(restMapper, resourceTokens[0]) + if len(resourceTokens) > 1 { + o.ResourceName = resourceTokens[1] + } + default: + return errors.New("you must specify two or three arguments: verb, resource, and optional resourceName") + } + } + + var err error + client, err := f.KubernetesClientSet() + if err != nil { + return err + } + o.AuthClient = client.AuthorizationV1() + o.DiscoveryClient = client.Discovery() + o.Namespace = "" + if !o.AllNamespaces { + o.Namespace, _, err = f.ToRawKubeConfigLoader().Namespace() + if err != nil { + return err + } + } + + return nil +} + +// Validate makes sure provided values for CanIOptions are valid +func (o *CanIOptions) Validate() error { + if o.List { + if o.Quiet || o.AllNamespaces || o.Subresource != "" { + return errors.New("list option can't be specified with neither quiet, all-namespaces nor subresource options") + } + return nil + } + + if o.NonResourceURL != "" { + if o.Subresource != "" { + return fmt.Errorf("--subresource can not be used with NonResourceURL") + } + if o.Resource != (schema.GroupVersionResource{}) || o.ResourceName != "" { + return fmt.Errorf("NonResourceURL and ResourceName can not specified together") + } + if !isKnownNonResourceVerb(o.Verb) { + fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb) + } + } else if !o.Resource.Empty() && !o.AllNamespaces && o.DiscoveryClient != nil { + if namespaced, err := isNamespaced(o.Resource, o.DiscoveryClient); err == nil && !namespaced { + if len(o.Resource.Group) == 0 { + fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped\n", o.Resource.Resource) + } else { + fmt.Fprintf(o.ErrOut, "Warning: resource '%s' is not namespace scoped in group '%s'\n", o.Resource.Resource, o.Resource.Group) + } + } + if !isKnownResourceVerb(o.Verb) { + fmt.Fprintf(o.ErrOut, "Warning: verb '%s' is not a known verb\n", o.Verb) + } + + } + + if o.NoHeaders { + return fmt.Errorf("--no-headers cannot be set without --list specified") + } + return nil +} + +// RunAccessList lists all the access current user has +func (o *CanIOptions) RunAccessList() error { + sar := &authorizationv1.SelfSubjectRulesReview{ + Spec: authorizationv1.SelfSubjectRulesReviewSpec{ + Namespace: o.Namespace, + }, + } + response, err := o.AuthClient.SelfSubjectRulesReviews().Create(context.TODO(), sar, metav1.CreateOptions{}) + if err != nil { + return err + } + + return o.printStatus(response.Status) +} + +// RunAccessCheck checks if user has access to a certain resource or non resource URL +func (o *CanIOptions) RunAccessCheck() (bool, error) { + var sar *authorizationv1.SelfSubjectAccessReview + if o.NonResourceURL == "" { + sar = &authorizationv1.SelfSubjectAccessReview{ + Spec: authorizationv1.SelfSubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ + Namespace: o.Namespace, + Verb: o.Verb, + Group: o.Resource.Group, + Resource: o.Resource.Resource, + Subresource: o.Subresource, + Name: o.ResourceName, + }, + }, + } + } else { + sar = &authorizationv1.SelfSubjectAccessReview{ + Spec: authorizationv1.SelfSubjectAccessReviewSpec{ + NonResourceAttributes: &authorizationv1.NonResourceAttributes{ + Verb: o.Verb, + Path: o.NonResourceURL, + }, + }, + } + } + + response, err := o.AuthClient.SelfSubjectAccessReviews().Create(context.TODO(), sar, metav1.CreateOptions{}) + if err != nil { + return false, err + } + if response.Status.Allowed { + fmt.Fprintln(o.Out, "yes") + } else { + fmt.Fprint(o.Out, "no") + if len(response.Status.Reason) > 0 { + fmt.Fprintf(o.Out, " - %v", response.Status.Reason) + } + if len(response.Status.EvaluationError) > 0 { + fmt.Fprintf(o.Out, " - %v", response.Status.EvaluationError) + } + fmt.Fprintln(o.Out) + } + + return response.Status.Allowed, nil +} + +func (o *CanIOptions) resourceFor(mapper meta.RESTMapper, resourceArg string) schema.GroupVersionResource { + if resourceArg == "*" { + return schema.GroupVersionResource{Resource: resourceArg} + } + + fullySpecifiedGVR, groupResource := schema.ParseResourceArg(strings.ToLower(resourceArg)) + gvr := schema.GroupVersionResource{} + if fullySpecifiedGVR != nil { + gvr, _ = mapper.ResourceFor(*fullySpecifiedGVR) + } + if gvr.Empty() { + var err error + gvr, err = mapper.ResourceFor(groupResource.WithVersion("")) + if err != nil { + if len(groupResource.Group) == 0 { + fmt.Fprintf(o.ErrOut, "Warning: the server doesn't have a resource type '%s'\n", groupResource.Resource) + } else { + fmt.Fprintf(o.ErrOut, "Warning: the server doesn't have a resource type '%s' in group '%s'\n", groupResource.Resource, groupResource.Group) + } + return schema.GroupVersionResource{Resource: resourceArg} + } + } + + return gvr +} + +func (o *CanIOptions) printStatus(status authorizationv1.SubjectRulesReviewStatus) error { + if status.Incomplete { + fmt.Fprintf(o.ErrOut, "warning: the list may be incomplete: %v\n", status.EvaluationError) + } + + breakdownRules := []rbacv1.PolicyRule{} + for _, rule := range convertToPolicyRule(status) { + breakdownRules = append(breakdownRules, rbacutil.BreakdownRule(rule)...) + } + + compactRules, err := rbacutil.CompactRules(breakdownRules) + if err != nil { + return err + } + sort.Stable(rbacutil.SortableRuleSlice(compactRules)) + + w := printers.GetNewTabWriter(o.Out) + defer w.Flush() + + allErrs := []error{} + if !o.NoHeaders { + if err := printAccessHeaders(w); err != nil { + allErrs = append(allErrs, err) + } + } + + if err := printAccess(w, compactRules); err != nil { + allErrs = append(allErrs, err) + } + return utilerrors.NewAggregate(allErrs) +} + +func convertToPolicyRule(status authorizationv1.SubjectRulesReviewStatus) []rbacv1.PolicyRule { + ret := []rbacv1.PolicyRule{} + for _, resource := range status.ResourceRules { + ret = append(ret, rbacv1.PolicyRule{ + Verbs: resource.Verbs, + APIGroups: resource.APIGroups, + Resources: resource.Resources, + ResourceNames: resource.ResourceNames, + }) + } + + for _, nonResource := range status.NonResourceRules { + ret = append(ret, rbacv1.PolicyRule{ + Verbs: nonResource.Verbs, + NonResourceURLs: nonResource.NonResourceURLs, + }) + } + + return ret +} + +func printAccessHeaders(out io.Writer) error { + columnNames := []string{"Resources", "Non-Resource URLs", "Resource Names", "Verbs"} + _, err := fmt.Fprintf(out, "%s\n", strings.Join(columnNames, "\t")) + return err +} + +func printAccess(out io.Writer, rules []rbacv1.PolicyRule) error { + for _, r := range rules { + if _, err := fmt.Fprintf(out, "%s\t%v\t%v\t%v\n", describe.CombineResourceGroup(r.Resources, r.APIGroups), r.NonResourceURLs, r.ResourceNames, r.Verbs); err != nil { + return err + } + } + return nil +} + +func isNamespaced(gvr schema.GroupVersionResource, discoveryClient discovery.DiscoveryInterface) (bool, error) { + if gvr.Resource == "*" { + return true, nil + } + apiResourceList, err := discoveryClient.ServerResourcesForGroupVersion(schema.GroupVersion{ + Group: gvr.Group, Version: gvr.Version, + }.String()) + if err != nil { + return true, err + } + + for _, resource := range apiResourceList.APIResources { + if resource.Name == gvr.Resource { + return resource.Namespaced, nil + } + } + + return false, fmt.Errorf("the server doesn't have a resource type '%s' in group '%s'", gvr.Resource, gvr.Group) +} + +func isKnownResourceVerb(s string) bool { + return resourceVerbs.Has(s) +} + +func isKnownNonResourceVerb(s string) bool { + return nonResourceURLVerbs.Has(s) +} diff --git a/pkg/cmd/auth/cani_test.go b/pkg/cmd/auth/cani_test.go new file mode 100644 index 000000000..34f167956 --- /dev/null +++ b/pkg/cmd/auth/cani_test.go @@ -0,0 +1,252 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "bytes" + "fmt" + "io/ioutil" + "net/http" + "strings" + "testing" + + authorizationv1 "k8s.io/api/authorization/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/cli-runtime/pkg/genericclioptions" + restclient "k8s.io/client-go/rest" + "k8s.io/client-go/rest/fake" + cmdtesting "k8s.io/kubectl/pkg/cmd/testing" + "k8s.io/kubectl/pkg/scheme" +) + +func TestRunAccessCheck(t *testing.T) { + tests := []struct { + name string + o *CanIOptions + args []string + allowed bool + serverErr error + + expectedBodyStrings []string + }{ + { + name: "restmapping for args", + o: &CanIOptions{}, + args: []string{"get", "replicaset"}, + allowed: true, + expectedBodyStrings: []string{ + `{"resourceAttributes":{"namespace":"test","verb":"get","group":"extensions","resource":"replicasets"}}`, + }, + }, + { + name: "simple success", + o: &CanIOptions{}, + args: []string{"get", "deployments.extensions/foo"}, + allowed: true, + expectedBodyStrings: []string{ + `{"resourceAttributes":{"namespace":"test","verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`, + }, + }, + { + name: "all namespaces", + o: &CanIOptions{ + AllNamespaces: true, + }, + args: []string{"get", "deployments.extensions/foo"}, + allowed: true, + expectedBodyStrings: []string{ + `{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`, + }, + }, + { + name: "disallowed", + o: &CanIOptions{ + AllNamespaces: true, + }, + args: []string{"get", "deployments.extensions/foo"}, + allowed: false, + expectedBodyStrings: []string{ + `{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`, + }, + }, + { + name: "forcedError", + o: &CanIOptions{ + AllNamespaces: true, + }, + args: []string{"get", "deployments.extensions/foo"}, + allowed: false, + serverErr: fmt.Errorf("forcedError"), + expectedBodyStrings: []string{ + `{"resourceAttributes":{"verb":"get","group":"extensions","resource":"deployments","name":"foo"}}`, + }, + }, + { + name: "sub resource", + o: &CanIOptions{ + AllNamespaces: true, + Subresource: "log", + }, + args: []string{"get", "pods"}, + allowed: true, + expectedBodyStrings: []string{ + `{"resourceAttributes":{"verb":"get","resource":"pods","subresource":"log"}}`, + }, + }, + { + name: "nonResourceURL", + o: &CanIOptions{}, + args: []string{"get", "/logs"}, + allowed: true, + expectedBodyStrings: []string{ + `{"nonResourceAttributes":{"path":"/logs","verb":"get"}}`, + }, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + test.o.Out = ioutil.Discard + test.o.ErrOut = ioutil.Discard + + tf := cmdtesting.NewTestFactory().WithNamespace("test") + defer tf.Cleanup() + + ns := scheme.Codecs.WithoutConversion() + + tf.Client = &fake.RESTClient{ + GroupVersion: schema.GroupVersion{Group: "", Version: "v1"}, + NegotiatedSerializer: ns, + Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) { + expectPath := "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" + if req.URL.Path != expectPath { + t.Errorf("%s: expected %v, got %v", test.name, expectPath, req.URL.Path) + return nil, nil + } + bodyBits, err := ioutil.ReadAll(req.Body) + if err != nil { + t.Errorf("%s: %v", test.name, err) + return nil, nil + } + body := string(bodyBits) + + for _, expectedBody := range test.expectedBodyStrings { + if !strings.Contains(body, expectedBody) { + t.Errorf("%s expecting %s in %s", test.name, expectedBody, body) + } + } + + return &http.Response{ + StatusCode: http.StatusOK, + Body: ioutil.NopCloser(bytes.NewBufferString( + fmt.Sprintf(`{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","status":{"allowed":%v}}`, test.allowed), + )), + }, + test.serverErr + }), + } + tf.ClientConfigVal = &restclient.Config{ContentConfig: restclient.ContentConfig{GroupVersion: &schema.GroupVersion{Group: "", Version: "v1"}}} + + if err := test.o.Complete(tf, test.args); err != nil { + t.Errorf("%s: %v", test.name, err) + return + } + + actualAllowed, err := test.o.RunAccessCheck() + switch { + case test.serverErr == nil && err == nil: + // pass + case err != nil && test.serverErr != nil && strings.Contains(err.Error(), test.serverErr.Error()): + // pass + default: + t.Errorf("%s: expected %v, got %v", test.name, test.serverErr, err) + return + } + if actualAllowed != test.allowed { + t.Errorf("%s: expected %v, got %v", test.name, test.allowed, actualAllowed) + return + } + }) + } +} + +func TestRunAccessList(t *testing.T) { + t.Run("test access list", func(t *testing.T) { + options := &CanIOptions{List: true} + expectedOutput := "Resources Non-Resource URLs Resource Names Verbs\n" + + "job.* [] [test-resource] [get list]\n" + + "pod.* [] [test-resource] [get list]\n" + + " [/apis/*] [] [get]\n" + + " [/version] [] [get]\n" + + tf := cmdtesting.NewTestFactory().WithNamespace("test") + defer tf.Cleanup() + + ns := scheme.Codecs.WithoutConversion() + codec := scheme.Codecs.LegacyCodec(scheme.Scheme.PrioritizedVersionsAllGroups()...) + + tf.Client = &fake.RESTClient{ + GroupVersion: schema.GroupVersion{Group: "", Version: "v1"}, + NegotiatedSerializer: ns, + Client: fake.CreateHTTPClient(func(req *http.Request) (*http.Response, error) { + switch req.URL.Path { + case "/apis/authorization.k8s.io/v1/selfsubjectrulesreviews": + body := ioutil.NopCloser(bytes.NewReader([]byte(runtime.EncodeOrDie(codec, getSelfSubjectRulesReview())))) + return &http.Response{StatusCode: http.StatusOK, Body: body}, nil + default: + t.Fatalf("unexpected request: %#v\n%#v", req.URL, req) + return nil, nil + } + }), + } + ioStreams, _, buf, _ := genericclioptions.NewTestIOStreams() + options.IOStreams = ioStreams + if err := options.Complete(tf, []string{}); err != nil { + t.Errorf("got unexpected error when do Complete(): %v", err) + return + } + + err := options.RunAccessList() + if err != nil { + t.Errorf("got unexpected error when do RunAccessList(): %v", err) + } else if buf.String() != expectedOutput { + t.Errorf("expected %v\n but got %v\n", expectedOutput, buf.String()) + } + }) +} + +func getSelfSubjectRulesReview() *authorizationv1.SelfSubjectRulesReview { + return &authorizationv1.SelfSubjectRulesReview{ + Status: authorizationv1.SubjectRulesReviewStatus{ + ResourceRules: []authorizationv1.ResourceRule{ + { + Verbs: []string{"get", "list"}, + APIGroups: []string{"*"}, + Resources: []string{"pod", "job"}, + ResourceNames: []string{"test-resource"}, + }, + }, + NonResourceRules: []authorizationv1.NonResourceRule{ + { + Verbs: []string{"get"}, + NonResourceURLs: []string{"/apis/*", "/version"}, + }, + }, + }, + } +} diff --git a/pkg/cmd/auth/reconcile.go b/pkg/cmd/auth/reconcile.go new file mode 100644 index 000000000..1e31d7733 --- /dev/null +++ b/pkg/cmd/auth/reconcile.go @@ -0,0 +1,343 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "errors" + "fmt" + + "github.com/spf13/cobra" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/klog/v2" + + rbacv1 "k8s.io/api/rbac/v1" + rbacv1alpha1 "k8s.io/api/rbac/v1alpha1" + rbacv1beta1 "k8s.io/api/rbac/v1beta1" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/cli-runtime/pkg/printers" + "k8s.io/cli-runtime/pkg/resource" + corev1client "k8s.io/client-go/kubernetes/typed/core/v1" + rbacv1client "k8s.io/client-go/kubernetes/typed/rbac/v1" + "k8s.io/component-helpers/auth/rbac/reconciliation" + cmdutil "k8s.io/kubectl/pkg/cmd/util" + "k8s.io/kubectl/pkg/scheme" + "k8s.io/kubectl/pkg/util/templates" +) + +// ReconcileOptions is the start of the data required to perform the operation. As new fields are added, add them here instead of +// referencing the cmd.Flags() +type ReconcileOptions struct { + PrintFlags *genericclioptions.PrintFlags + FilenameOptions *resource.FilenameOptions + DryRun bool + RemoveExtraPermissions bool + RemoveExtraSubjects bool + + Visitor resource.Visitor + RBACClient rbacv1client.RbacV1Interface + NamespaceClient corev1client.CoreV1Interface + + PrintObject printers.ResourcePrinterFunc + + genericclioptions.IOStreams +} + +var ( + reconcileLong = templates.LongDesc(` + Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects. + + Missing objects are created, and the containing namespace is created for namespaced objects, if required. + + Existing roles are updated to include the permissions in the input objects, + and remove extra permissions if --remove-extra-permissions is specified. + + Existing bindings are updated to include the subjects in the input objects, + and remove extra subjects if --remove-extra-subjects is specified. + + This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done.`) + + reconcileExample = templates.Examples(` + # Reconcile rbac resources from a file + kubectl auth reconcile -f my-rbac-rules.yaml`) +) + +// NewReconcileOptions returns a new ReconcileOptions instance +func NewReconcileOptions(ioStreams genericclioptions.IOStreams) *ReconcileOptions { + return &ReconcileOptions{ + FilenameOptions: &resource.FilenameOptions{}, + PrintFlags: genericclioptions.NewPrintFlags("reconciled").WithTypeSetter(scheme.Scheme), + IOStreams: ioStreams, + } +} + +// NewCmdReconcile holds the options for 'auth reconcile' sub command +func NewCmdReconcile(f cmdutil.Factory, streams genericclioptions.IOStreams) *cobra.Command { + o := NewReconcileOptions(streams) + + cmd := &cobra.Command{ + Use: "reconcile -f FILENAME", + DisableFlagsInUseLine: true, + Short: "Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and ClusterRole binding objects", + Long: reconcileLong, + Example: reconcileExample, + Run: func(cmd *cobra.Command, args []string) { + cmdutil.CheckErr(o.Complete(cmd, f, args)) + cmdutil.CheckErr(o.Validate()) + cmdutil.CheckErr(o.RunReconcile()) + }, + } + + o.PrintFlags.AddFlags(cmd) + + cmdutil.AddFilenameOptionFlags(cmd, o.FilenameOptions, "identifying the resource to reconcile.") + cmd.Flags().BoolVar(&o.RemoveExtraPermissions, "remove-extra-permissions", o.RemoveExtraPermissions, "If true, removes extra permissions added to roles") + cmd.Flags().BoolVar(&o.RemoveExtraSubjects, "remove-extra-subjects", o.RemoveExtraSubjects, "If true, removes extra subjects added to rolebindings") + cmdutil.AddDryRunFlag(cmd) + + return cmd +} + +// Complete completes all the required options +func (o *ReconcileOptions) Complete(cmd *cobra.Command, f cmdutil.Factory, args []string) error { + if err := o.FilenameOptions.RequireFilenameOrKustomize(); err != nil { + return err + } + + if len(args) > 0 { + return errors.New("no arguments are allowed") + } + + o.DryRun = getClientSideDryRun(cmd) + + namespace, enforceNamespace, err := f.ToRawKubeConfigLoader().Namespace() + if err != nil { + return err + } + + r := f.NewBuilder(). + WithScheme(scheme.Scheme, scheme.Scheme.PrioritizedVersionsAllGroups()...). + ContinueOnError(). + NamespaceParam(namespace).DefaultNamespace(). + FilenameParam(enforceNamespace, o.FilenameOptions). + Flatten(). + Do() + + if err := r.Err(); err != nil { + return err + } + o.Visitor = r + + clientConfig, err := f.ToRESTConfig() + if err != nil { + return err + } + o.RBACClient, err = rbacv1client.NewForConfig(clientConfig) + if err != nil { + return err + } + o.NamespaceClient, err = corev1client.NewForConfig(clientConfig) + if err != nil { + return err + } + + if o.DryRun { + o.PrintFlags.Complete("%s (dry run)") + } + printer, err := o.PrintFlags.ToPrinter() + if err != nil { + return err + } + + o.PrintObject = printer.PrintObj + return nil +} + +// Validate makes sure provided values for ReconcileOptions are valid +func (o *ReconcileOptions) Validate() error { + if o.Visitor == nil { + return errors.New("ReconcileOptions.Visitor must be set") + } + if o.RBACClient == nil { + return errors.New("ReconcileOptions.RBACClient must be set") + } + if o.NamespaceClient == nil { + return errors.New("ReconcileOptions.NamespaceClient must be set") + } + if o.PrintObject == nil { + return errors.New("ReconcileOptions.Print must be set") + } + if o.Out == nil { + return errors.New("ReconcileOptions.Out must be set") + } + if o.ErrOut == nil { + return errors.New("ReconcileOptions.Err must be set") + } + return nil +} + +// RunReconcile performs the execution +func (o *ReconcileOptions) RunReconcile() error { + return o.Visitor.Visit(func(info *resource.Info, err error) error { + if err != nil { + return err + } + + switch t := info.Object.(type) { + case *rbacv1.Role: + reconcileOptions := reconciliation.ReconcileRoleOptions{ + Confirm: !o.DryRun, + RemoveExtraPermissions: o.RemoveExtraPermissions, + Role: reconciliation.RoleRuleOwner{Role: t}, + Client: reconciliation.RoleModifier{ + NamespaceClient: o.NamespaceClient.Namespaces(), + Client: o.RBACClient, + }, + } + result, err := reconcileOptions.Run() + if err != nil { + return err + } + o.printResults(result.Role.GetObject(), nil, nil, result.MissingRules, result.ExtraRules, result.Operation, result.Protected) + + case *rbacv1.ClusterRole: + reconcileOptions := reconciliation.ReconcileRoleOptions{ + Confirm: !o.DryRun, + RemoveExtraPermissions: o.RemoveExtraPermissions, + Role: reconciliation.ClusterRoleRuleOwner{ClusterRole: t}, + Client: reconciliation.ClusterRoleModifier{ + Client: o.RBACClient.ClusterRoles(), + }, + } + result, err := reconcileOptions.Run() + if err != nil { + return err + } + o.printResults(result.Role.GetObject(), nil, nil, result.MissingRules, result.ExtraRules, result.Operation, result.Protected) + + case *rbacv1.RoleBinding: + reconcileOptions := reconciliation.ReconcileRoleBindingOptions{ + Confirm: !o.DryRun, + RemoveExtraSubjects: o.RemoveExtraSubjects, + RoleBinding: reconciliation.RoleBindingAdapter{RoleBinding: t}, + Client: reconciliation.RoleBindingClientAdapter{ + Client: o.RBACClient, + NamespaceClient: o.NamespaceClient.Namespaces(), + }, + } + result, err := reconcileOptions.Run() + if err != nil { + return err + } + o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected) + + case *rbacv1.ClusterRoleBinding: + reconcileOptions := reconciliation.ReconcileRoleBindingOptions{ + Confirm: !o.DryRun, + RemoveExtraSubjects: o.RemoveExtraSubjects, + RoleBinding: reconciliation.ClusterRoleBindingAdapter{ClusterRoleBinding: t}, + Client: reconciliation.ClusterRoleBindingClientAdapter{ + Client: o.RBACClient.ClusterRoleBindings(), + }, + } + result, err := reconcileOptions.Run() + if err != nil { + return err + } + o.printResults(result.RoleBinding.GetObject(), result.MissingSubjects, result.ExtraSubjects, nil, nil, result.Operation, result.Protected) + + case *rbacv1beta1.Role, + *rbacv1beta1.RoleBinding, + *rbacv1beta1.ClusterRole, + *rbacv1beta1.ClusterRoleBinding, + *rbacv1alpha1.Role, + *rbacv1alpha1.RoleBinding, + *rbacv1alpha1.ClusterRole, + *rbacv1alpha1.ClusterRoleBinding: + return fmt.Errorf("only rbac.authorization.k8s.io/v1 is supported: not %T", t) + + default: + klog.V(1).Infof("skipping %#v", info.Object.GetObjectKind()) + // skip ignored resources + } + + return nil + }) +} + +func (o *ReconcileOptions) printResults(object runtime.Object, + missingSubjects, extraSubjects []rbacv1.Subject, + missingRules, extraRules []rbacv1.PolicyRule, + operation reconciliation.ReconcileOperation, + protected bool) { + + o.PrintObject(object, o.Out) + + caveat := "" + if protected { + caveat = ", but object opted out (rbac.authorization.kubernetes.io/autoupdate: false)" + } + switch operation { + case reconciliation.ReconcileNone: + return + case reconciliation.ReconcileCreate: + fmt.Fprintf(o.ErrOut, "\treconciliation required create%s\n", caveat) + case reconciliation.ReconcileUpdate: + fmt.Fprintf(o.ErrOut, "\treconciliation required update%s\n", caveat) + case reconciliation.ReconcileRecreate: + fmt.Fprintf(o.ErrOut, "\treconciliation required recreate%s\n", caveat) + } + + if len(missingSubjects) > 0 { + fmt.Fprintf(o.ErrOut, "\tmissing subjects added:\n") + for _, s := range missingSubjects { + fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s) + } + } + if o.RemoveExtraSubjects { + if len(extraSubjects) > 0 { + fmt.Fprintf(o.ErrOut, "\textra subjects removed:\n") + for _, s := range extraSubjects { + fmt.Fprintf(o.ErrOut, "\t\t%+v\n", s) + } + } + } + if len(missingRules) > 0 { + fmt.Fprintf(o.ErrOut, "\tmissing rules added:\n") + for _, r := range missingRules { + fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r) + } + } + if o.RemoveExtraPermissions { + if len(extraRules) > 0 { + fmt.Fprintf(o.ErrOut, "\textra rules removed:\n") + for _, r := range extraRules { + fmt.Fprintf(o.ErrOut, "\t\t%+v\n", r) + } + } + } +} + +func getClientSideDryRun(cmd *cobra.Command) bool { + dryRunStrategy, err := cmdutil.GetDryRunStrategy(cmd) + if err != nil { + klog.Fatalf("error accessing --dry-run flag for command %s: %v", cmd.Name(), err) + } + if dryRunStrategy == cmdutil.DryRunServer { + klog.Fatalf("--dry-run=server for command %s is not supported yet", cmd.Name()) + } + return dryRunStrategy == cmdutil.DryRunClient +}