github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Run RBAC hook correctly when running from authz config file

Browse Source
This commit is contained in:
Jordan Liggitt
2023-11-08 11:05:56 -06:00
parent 1f40e0916e
commit 264cd64824
1 changed files with 21 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
pkg/controlplane/apiserver/config.go
View File

@@ -147,12 +147,13 @@ func BuildGenericConfig(
return return
} }
genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers) var enablesRBAC bool
genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, enablesRBAC, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers)
if err != nil { if err != nil {
lastErr = fmt.Errorf("invalid authorization config: %v", err) lastErr = fmt.Errorf("invalid authorization config: %v", err)
return return
} }
if s.Authorization != nil && !sets.NewString(s.Authorization.Modes...).Has(modes.ModeRBAC) { if s.Authorization != nil && !enablesRBAC {
genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName) genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
} }
@@ -168,25 +169,35 @@ func BuildGenericConfig(
return return
} }
// BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, nil // BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, false, nil
func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, EgressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) { func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, egressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, bool, error) {
authorizationConfig, err := s.Authorization.ToAuthorizationConfig(versionedInformers) authorizationConfig, err := s.Authorization.ToAuthorizationConfig(versionedInformers)
if err != nil { if err != nil {
return nil, nil, err return nil, nil, false, err
} }
if authorizationConfig == nil { if authorizationConfig == nil {
return nil, nil, nil return nil, nil, false, nil
} }
if EgressSelector != nil { if egressSelector != nil {
egressDialer, err := EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext()) egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
if err != nil { if err != nil {
return nil, nil, err return nil, nil, false, err
} }
authorizationConfig.CustomDial = egressDialer authorizationConfig.CustomDial = egressDialer
} }
return authorizationConfig.New() enablesRBAC := false
for _, a := range authorizationConfig.AuthorizationConfiguration.Authorizers {
if string(a.Type) == modes.ModeRBAC {
enablesRBAC = true
break
}
}
authorizer, ruleResolver, err := authorizationConfig.New()
return authorizer, ruleResolver, enablesRBAC, err
} }
// CreatePeerEndpointLeaseReconciler creates a apiserver endpoint lease reconciliation loop // CreatePeerEndpointLeaseReconciler creates a apiserver endpoint lease reconciliation loop