17 package validatingadmissionpolicy
18
19 import (
20 "context"
21 "fmt"
22
23 "k8s.io/apimachinery/pkg/runtime"
24 "k8s.io/apimachinery/pkg/runtime/schema"
25 "k8s.io/apiserver/pkg/authorization/authorizer"
26 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
27 "k8s.io/kubernetes/pkg/apis/admissionregistration"
28 rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
29 )
30
// authorizeCreate is the create-time hook: a policy that references a
// spec.paramKind is only accepted if the caller passes authorize (read access
// to objects of that kind); a policy with no paramKind needs no extra check.
func (v *validatingAdmissionPolicyStrategy) authorizeCreate(ctx context.Context, obj runtime.Object) error {
	policy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	if policy.Spec.ParamKind != nil {
		// Only a paramKind reference introduces a new read capability, so it is
		// the only field that needs the caller's permissions verified here.
		return v.authorize(ctx, policy)
	}
	return nil
}
40
// authorizeUpdate is the update-time hook. It re-runs authorize only when the
// update introduces or changes spec.paramKind; clearing it, or leaving it
// exactly as stored, requires no permission check.
func (v *validatingAdmissionPolicyStrategy) authorizeUpdate(ctx context.Context, obj, old runtime.Object) error {
	newPolicy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	newKind := newPolicy.Spec.ParamKind
	if newKind == nil {
		// No paramKind on the new object: nothing new is being granted.
		return nil
	}

	prevKind := old.(*admissionregistration.ValidatingAdmissionPolicy).Spec.ParamKind
	if prevKind != nil && *prevKind == *newKind {
		// Identical reference to the stored one (exact match on both fields);
		// presumably it was authorized when first set, so skip the check.
		return nil
	}

	return v.authorize(ctx, newPolicy)
}
56
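// authorize verifies that the requesting user is allowed to read ("get")
// every object of the kind named by policy.Spec.ParamKind. It returns nil when
// the check passes or is skipped, and a non-nil error when the user cannot be
// identified, the authorizer fails, or the decision is anything but an
// explicit allow.
//
// Skips:
//   - no authorizer configured, or no paramKind on the policy. NOTE(review): a
//     nil authorizer makes this check fail-open; production wiring must supply one.
//   - rbacregistry.EscalationAllowed(ctx) reports the request may escalate
//     (presumably the superuser path; see that helper).
//
// If paramKind.APIVersion does not parse, or the kind does not resolve to a
// resource, the corresponding attribute falls back to "*", so the user must
// hold "get" on every group/version/resource that the unresolved part could
// denote — the conservative direction.
func (v *validatingAdmissionPolicyStrategy) authorize(ctx context.Context, policy *admissionregistration.ValidatingAdmissionPolicy) error {
	if v.authorizer == nil || policy.Spec.ParamKind == nil {
		return nil
	}

	// Requests the RBAC registry marks as allowed to escalate skip the check.
	if rbacregistry.EscalationAllowed(ctx) {
		return nil
	}

	user, ok := genericapirequest.UserFrom(ctx)
	if !ok {
		// Fail closed: with no identity there is nothing to authorize against.
		return fmt.Errorf("cannot identify user to authorize read access to paramKind resources")
	}

	paramKind := policy.Spec.ParamKind

	// Start from the broadest requirement and narrow only the parts that
	// actually resolve; an unparseable or unresolvable reference stays "*".
	resource, apiGroup, apiVersion := "*", "*", "*"
	if gv, err := schema.ParseGroupVersion(paramKind.APIVersion); err == nil {
		apiGroup = gv.Group
		apiVersion = gv.Version
		if gvr, err := v.resourceResolver.Resolve(gv.WithKind(paramKind.Kind)); err == nil {
			resource = gvr.Resource
		}
	}

	// Name and Namespace of "*" ask for read access to all objects of the
	// resource, not a single named object in a single namespace.
	attrs := authorizer.AttributesRecord{
		User:            user,
		Verb:            "get",
		ResourceRequest: true,
		Name:            "*",
		Namespace:       "*",
		APIGroup:        apiGroup,
		APIVersion:      apiVersion,
		Resource:        resource,
	}

	decision, reason, err := v.authorizer.Authorize(ctx, attrs)
	if err != nil {
		// An authorizer failure is not a denial, but it still blocks the request;
		// wrap it so the caller can tell which check produced it.
		return fmt.Errorf("authorizing read access to paramKind resources: %w", err)
	}
	if decision != authorizer.DecisionAllow {
		// Deny and no-opinion are both refused. Surface the authorizer's own
		// reason, when it gives one, so the denial is actionable for the user.
		suffix := ""
		if reason != "" {
			suffix = ": " + reason
		}
		return fmt.Errorf(`user %v must have "get" permission on all objects of the referenced paramKind (kind=%s, apiVersion=%s)%s`, user, paramKind.Kind, paramKind.APIVersion, suffix)
	}
	return nil
}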
106