...

Source file src/k8s.io/kubernetes/plugin/pkg/admission/certificates/approval/admission.go

Documentation: k8s.io/kubernetes/plugin/pkg/admission/certificates/approval 

     1  /*
     2  Copyright 2020 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package approval
    18  
    19  import (
    20  	"context"
    21  	"fmt"
    22  	"io"
    23  
    24  	"k8s.io/klog/v2"
    25  
    26  	"k8s.io/apiserver/pkg/admission"
    27  	genericadmissioninit "k8s.io/apiserver/pkg/admission/initializer"
    28  	"k8s.io/apiserver/pkg/authorization/authorizer"
    29  
    30  	api "k8s.io/kubernetes/pkg/apis/certificates"
    31  	"k8s.io/kubernetes/plugin/pkg/admission/certificates"
    32  )
    33  
    34  // PluginName is a string with the name of the plugin
    35  const PluginName = "CertificateApproval"
    36  
    37  // Register registers a plugin
    38  func Register(plugins *admission.Plugins) {
    39  	plugins.Register(PluginName, func(config io.Reader) (admission.Interface, error) {
    40  		return NewPlugin(), nil
    41  	})
    42  }
    43  
    44  // Plugin holds state for and implements the admission plugin.
    45  type Plugin struct {
    46  	*admission.Handler
    47  	authz authorizer.Authorizer
    48  }
    49  
    50  // SetAuthorizer sets the authorizer.
    51  func (p *Plugin) SetAuthorizer(authz authorizer.Authorizer) {
    52  	p.authz = authz
    53  }
    54  
    55  // ValidateInitialization ensures an authorizer is set.
    56  func (p *Plugin) ValidateInitialization() error {
    57  	if p.authz == nil {
    58  		return fmt.Errorf("%s requires an authorizer", PluginName)
    59  	}
    60  	return nil
    61  }
    62  
    63  var _ admission.ValidationInterface = &Plugin{}
    64  var _ genericadmissioninit.WantsAuthorizer = &Plugin{}
    65  
    66  // NewPlugin creates a new CSR approval admission plugin
    67  func NewPlugin() *Plugin {
    68  	return &Plugin{
    69  		Handler: admission.NewHandler(admission.Update),
    70  	}
    71  }
    72  
    73  var csrGroupResource = api.Resource("certificatesigningrequests")
    74  
    75  // Validate verifies that the requesting user has permission to approve
    76  // CertificateSigningRequests for the specified signerName.
    77  func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error {
    78  	// Ignore all calls to anything other than 'certificatesigningrequests/approval'.
    79  	// Ignore all operations other than UPDATE.
    80  	if a.GetSubresource() != "approval" ||
    81  		a.GetResource().GroupResource() != csrGroupResource {
    82  		return nil
    83  	}
    84  
    85  	// We check permissions against the *old* version of the resource, in case
    86  	// a user is attempting to update the SignerName when calling the approval
    87  	// endpoint (which is an invalid/not allowed operation)
    88  	csr, ok := a.GetOldObject().(*api.CertificateSigningRequest)
    89  	if !ok {
    90  		return admission.NewForbidden(a, fmt.Errorf("expected type CertificateSigningRequest, got: %T", a.GetOldObject()))
    91  	}
    92  
    93  	if !certificates.IsAuthorizedForSignerName(ctx, p.authz, a.GetUserInfo(), "approve", csr.Spec.SignerName) {
    94  		klog.V(4).Infof("user not permitted to approve CertificateSigningRequest %q with signerName %q", csr.Name, csr.Spec.SignerName)
    95  		return admission.NewForbidden(a, fmt.Errorf("user not permitted to approve requests with signerName %q", csr.Spec.SignerName))
    96  	}
    97  
    98  	return nil
    99  }
   100  

View as plain text