linkerd2/pkg
Andrew Seigner 024a77ec16
Use correct resource names for authz checks (#2496)
The `linkerd check` command was using TitleCase resource names (e.g.
"ConfigMaps") for SelfSubjectAccessReview requests. These were not
valid; they were only passing because SSAR requests return `allowed`
for unknown resource types unless explicitly restricted.

Modify the `linkerd check` authorization requests to use the correct
resource names.

Steps to reproduce:
- default AKS cluster
- running inside a pod

```bash
$ kubectl proxy
```

Fails:

```bash
$ curl -k -v -XPOST -d'{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"namespace":"default","verb":"create","version":"v1","resource":
"Namespace"}}}'  -H "Accept: application/json, */*" -H "Content-Type: application/json" http://127.0.0.1:8001/apis/authorization.k8s.io/v1/selfsubjectaccessreviews

...

{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "create",
      "version": "v1",
      "resource": "Namespace"
    }
  },
  "status": {
    "allowed": false
  }
}
```

Works:

```bash
curl -k -v -XPOST -d'{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"namespace":"default","verb":"create","version":"v1","resource":
"namespaces"}}}'  -H "Accept: application/json, */*" -H "Content-Type: application/json" http://127.0.0.1:8001/apis/authorization.k8s.io/v1/selfsubjectaccessreviews

...

{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null
  },
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "verb": "create",
      "version": "v1",
      "resource": "namespaces"
    }
  },
  "status": {
    "allowed": true,
    "reason": "RBAC: allowed by ClusterRoleBinding \"docker-build\" of ClusterRole \"docker-build\" to ServiceAccount \"docker-build/docker-build\""
  }
}
```

Signed-off-by: Andrew Seigner <siggy@buoyant.io>
2019-03-14 10:20:09 -07:00
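The behaviour the commit message describes (a SelfSubjectAccessReview for an unknown resource name is not an error, so a misspelt check can pass by accident) is easy to guard against client-side. The following Go program is an added example and is not linkerd2 code: it validates that the resource name is in the lowercase-plural form the API server actually matches against RBAC rules, builds the same request body as the `curl` commands above, and parses `status.allowed` from the response. It uses only the standard library; the `kubectl proxy` address `http://127.0.0.1:8001` and the name regex are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"regexp"
	"strings"
)

// ResourceAttributes mirrors spec.resourceAttributes of a
// SelfSubjectAccessReview (authorization.k8s.io/v1).
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Group     string `json:"group,omitempty"`
	Version   string `json:"version,omitempty"`
	Resource  string `json:"resource"`
}

type ssarStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}

// selfSubjectAccessReview serves as both request (Status nil, so it is
// omitted) and response (Status filled in by the API server).
type selfSubjectAccessReview struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Spec       struct {
		ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
	} `json:"spec"`
	Status *ssarStatus `json:"status,omitempty"`
}

// Authorization attributes name resources the way the REST path does:
// lowercase plural ("namespaces", "configmaps"), optionally with a
// subresource ("pods/log"). This pattern is an assumption of the example.
var resourceNameRE = regexp.MustCompile(`^[a-z][a-z0-9-]*(/[a-z][a-z0-9-]*)?$`)

// ValidateResourceName rejects TitleCase kinds such as "Namespace" before
// they reach the API server, where they would be answered but never match
// a real RBAC rule.
func ValidateResourceName(name string) error {
	if !resourceNameRE.MatchString(name) {
		return fmt.Errorf("invalid resource name %q: expected lowercase plural such as %q",
			name, strings.ToLower(name))
	}
	return nil
}

// BuildSSAR returns the JSON body for a SelfSubjectAccessReview POST, or an
// error if the resource name is not in canonical form.
func BuildSSAR(ra ResourceAttributes) ([]byte, error) {
	if err := ValidateResourceName(ra.Resource); err != nil {
		return nil, err
	}
	r := selfSubjectAccessReview{Kind: "SelfSubjectAccessReview", APIVersion: "authorization.k8s.io/v1"}
	r.Spec.ResourceAttributes = ra
	return json.Marshal(r)
}

// CheckAccess posts the review to apiURL (e.g. a kubectl proxy) and returns
// the server's verdict and reason.
func CheckAccess(client *http.Client, apiURL string, ra ResourceAttributes) (allowed bool, reason string, err error) {
	body, err := BuildSSAR(ra)
	if err != nil {
		return false, "", err
	}
	resp, err := client.Post(apiURL+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
		"application/json", bytes.NewReader(body))
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
		return false, "", fmt.Errorf("unexpected HTTP status %s", resp.Status)
	}
	var out selfSubjectAccessReview
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, "", err
	}
	if out.Status == nil {
		return false, "", fmt.Errorf("response carried no status")
	}
	return out.Status.Allowed, out.Status.Reason, nil
}

func main() {
	// Against a running `kubectl proxy`: the TitleCase name is rejected
	// locally, the canonical one is answered by the API server.
	for _, res := range []string{"Namespace", "namespaces"} {
		ra := ResourceAttributes{Namespace: "default", Verb: "create", Version: "v1", Resource: res}
		allowed, reason, err := CheckAccess(http.DefaultClient, "http://127.0.0.1:8001", ra)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", res, err)
			continue
		}
		fmt.Printf("%s: allowed=%v %s\n", res, allowed, reason)
	}
}
```

The local validation is the important part: because the API server will happily evaluate a review for `"Namespace"`, the only signal that a check is malformed is a permission that is unexpectedly denied (or, worse, unexpectedly granted by a broad rule), so failing closed on the name itself is cheaper than debugging RBAC.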
addr lint: Enable scopelint (#2364) 2019-02-24 08:59:51 -08:00
admin lint: Enable unparam (#2369) 2019-02-27 10:34:02 -08:00
config Public API endpoint `Config()` (#2455) 2019-03-07 17:37:46 -05:00
filesonly Enable lint check for comments (#2023) 2019-01-02 14:03:59 -08:00
flags Lessen klog for security (#2386) 2019-02-26 16:00:26 -08:00
healthcheck Use correct resource names for authz checks (#2496) 2019-03-14 10:20:09 -07:00
inject Support Auto-Inject Configs Overrides Via Annotations (#2471) 2019-03-14 08:42:12 -07:00
k8s Support Auto-Inject Configs Overrides Via Annotations (#2471) 2019-03-14 08:42:12 -07:00
profiles Authorization-aware control-plane components (#2349) 2019-02-26 11:54:52 -08:00
prometheus Instrument k8s clients (#2243) 2019-02-18 09:10:02 -08:00
tls Enable gosimple linter, fix issues (#2356) 2019-02-22 17:19:07 -08:00
util Add go linting to CI config (#2018) 2018-12-20 15:33:09 -08:00
version lint: Enable unparam (#2369) 2019-02-27 10:34:02 -08:00