Authorize Node reads via name, not graph

This commit is contained in:
Jordan Liggitt
2024-07-21 15:01:46 -04:00
parent 69eee1c4a2
commit c75c07c8e1
2 changed files with 19 additions and 1 deletions


@@ -368,7 +368,18 @@ func (r *NodeAuthorizer) authorizeNode(nodeName string, attrs authorizer.Attribu
// Use the NodeRestriction admission plugin to limit a node to creating/updating its own API object.
return authorizer.DecisionAllow, "", nil
case "get", "list", "watch":
return r.authorize(nodeName, nodeVertexType, attrs)
// Compare the name directly, rather than using the graph,
// so kubelets can attempt a read of their Node API object prior to creation.
switch attrs.GetName() {
case nodeName:
return authorizer.DecisionAllow, "", nil
case "":
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read all nodes, only its own Node object", nodeName), nil
default:
klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)
return authorizer.DecisionNoOpinion, fmt.Sprintf("node '%s' cannot read '%s', only its own Node object", nodeName, attrs.GetName()), nil
}
}
case "status":
switch attrs.GetVerb() {
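Review bot: The two deny branches of the new `switch attrs.GetName()` differ only in the reason string, yet each repeats the same `klog.V(2).Infof("NODE DENY: '%s' %#v", nodeName, attrs)` line; emitting that log once on the deny path (before choosing the reason) would keep a single audit line for this check and remove the duplication. The exact name comparison is the only thing that separates a node's own object from every other Node here, which is correct provided nodeName is derived from the authenticated identity; that derivation, and the rest of authorizeNode, are outside this hunk (the function starts before and ends after it). For `list` and `watch` the allow path depends on attrs.GetName() being populated from a `metadata.name` field selector, which I believe the apiserver's request-info resolution does but the code does not say; a comment such as `// list/watch requests carry a name here only when scoped by a metadata.name field selector; unscoped list/watch has an empty name and is denied below` would make that assumption visible to the next reader.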