run authorization from a cache
This commit is contained in:
deads2k
@@ -39,7 +39,6 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/apis/autoscaling"
|
"k8s.io/kubernetes/pkg/apis/autoscaling"
|
||||||
"k8s.io/kubernetes/pkg/apis/batch"
|
"k8s.io/kubernetes/pkg/apis/batch"
|
||||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||||
"k8s.io/kubernetes/pkg/apis/rbac"
|
|
||||||
"k8s.io/kubernetes/pkg/apiserver"
|
"k8s.io/kubernetes/pkg/apiserver"
|
||||||
"k8s.io/kubernetes/pkg/apiserver/authenticator"
|
"k8s.io/kubernetes/pkg/apiserver/authenticator"
|
||||||
"k8s.io/kubernetes/pkg/apiserver/openapi"
|
"k8s.io/kubernetes/pkg/apiserver/openapi"
|
||||||
@@ -52,20 +51,10 @@ import (
|
|||||||
generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
|
generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
|
||||||
"k8s.io/kubernetes/pkg/genericapiserver"
|
"k8s.io/kubernetes/pkg/genericapiserver"
|
||||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||||
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
|
|
||||||
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
|
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
|
||||||
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
|
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
|
||||||
"k8s.io/kubernetes/pkg/master"
|
"k8s.io/kubernetes/pkg/master"
|
||||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||||
"k8s.io/kubernetes/pkg/registry/generic"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
|
|
||||||
clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
|
|
||||||
clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/role"
|
|
||||||
roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
|
|
||||||
rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||||
"k8s.io/kubernetes/pkg/util/wait"
|
"k8s.io/kubernetes/pkg/util/wait"
|
||||||
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
|
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
|
||||||
@@ -246,48 +235,7 @@ func Run(s *options.APIServer) error {
|
|||||||
glog.Fatalf("Invalid Authentication Config: %v", err)
|
glog.Fatalf("Invalid Authentication Config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
|
|
||||||
|
|
||||||
modeEnabled := func(mode string) bool {
|
|
||||||
for _, m := range authorizationModeNames {
|
|
||||||
if m == mode {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
authorizationConfig := authorizer.AuthorizationConfig{
|
|
||||||
PolicyFile: s.AuthorizationPolicyFile,
|
|
||||||
WebhookConfigFile: s.AuthorizationWebhookConfigFile,
|
|
||||||
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
|
|
||||||
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
|
|
||||||
RBACSuperUser: s.AuthorizationRBACSuperUser,
|
|
||||||
}
|
|
||||||
if modeEnabled(genericoptions.ModeRBAC) {
|
|
||||||
mustGetRESTOptions := func(resource string) generic.RESTOptions {
|
|
||||||
config, err := storageFactory.NewConfig(rbac.Resource(resource))
|
|
||||||
if err != nil {
|
|
||||||
glog.Fatalf("Unable to get %s storage: %v", resource, err)
|
|
||||||
}
|
|
||||||
return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
|
|
||||||
}
|
|
||||||
|
|
||||||
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
|
|
||||||
authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
|
|
||||||
authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
|
|
||||||
authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
|
|
||||||
authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
|
|
||||||
}
|
|
||||||
|
|
||||||
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
|
|
||||||
if err != nil {
|
|
||||||
glog.Fatalf("Invalid Authorization Config: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||||
|
|
||||||
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
|
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Fatalf("Failed to create clientset: %v", err)
|
glog.Fatalf("Failed to create clientset: %v", err)
|
||||||
@@ -296,6 +244,23 @@ func Run(s *options.APIServer) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Failed to create clientset: %v", err)
|
glog.Errorf("Failed to create clientset: %v", err)
|
||||||
}
|
}
|
||||||
|
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
|
||||||
|
|
||||||
|
authorizationConfig := authorizer.AuthorizationConfig{
|
||||||
|
PolicyFile: s.AuthorizationPolicyFile,
|
||||||
|
WebhookConfigFile: s.AuthorizationWebhookConfigFile,
|
||||||
|
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
|
||||||
|
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
|
||||||
|
RBACSuperUser: s.AuthorizationRBACSuperUser,
|
||||||
|
InformerFactory: sharedInformers,
|
||||||
|
}
|
||||||
|
authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
|
||||||
|
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
|
||||||
|
if err != nil {
|
||||||
|
glog.Fatalf("Invalid Authorization Config: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
|
||||||
|
|
||||||
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
|
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
|
||||||
if apiAuthenticator != nil {
|
if apiAuthenticator != nil {
|
||||||
@@ -314,7 +279,6 @@ func Run(s *options.APIServer) error {
|
|||||||
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
|
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
|
||||||
}
|
}
|
||||||
|
|
||||||
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
|
|
||||||
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
|
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
|
||||||
|
|
||||||
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
|
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
|
||||||
|
|||||||
@@ -32,7 +32,6 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/admission"
|
"k8s.io/kubernetes/pkg/admission"
|
||||||
"k8s.io/kubernetes/pkg/api"
|
"k8s.io/kubernetes/pkg/api"
|
||||||
"k8s.io/kubernetes/pkg/api/unversioned"
|
"k8s.io/kubernetes/pkg/api/unversioned"
|
||||||
"k8s.io/kubernetes/pkg/apis/rbac"
|
|
||||||
"k8s.io/kubernetes/pkg/apiserver/authenticator"
|
"k8s.io/kubernetes/pkg/apiserver/authenticator"
|
||||||
apiserveropenapi "k8s.io/kubernetes/pkg/apiserver/openapi"
|
apiserveropenapi "k8s.io/kubernetes/pkg/apiserver/openapi"
|
||||||
authorizerunion "k8s.io/kubernetes/pkg/auth/authorizer/union"
|
authorizerunion "k8s.io/kubernetes/pkg/auth/authorizer/union"
|
||||||
@@ -41,19 +40,10 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/generated/openapi"
|
"k8s.io/kubernetes/pkg/generated/openapi"
|
||||||
"k8s.io/kubernetes/pkg/genericapiserver"
|
"k8s.io/kubernetes/pkg/genericapiserver"
|
||||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||||
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
|
|
||||||
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
|
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
|
||||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||||
"k8s.io/kubernetes/pkg/registry/generic"
|
"k8s.io/kubernetes/pkg/registry/generic"
|
||||||
"k8s.io/kubernetes/pkg/registry/generic/registry"
|
"k8s.io/kubernetes/pkg/registry/generic/registry"
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
|
|
||||||
clusterroleetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrole/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
|
|
||||||
clusterrolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/role"
|
|
||||||
roleetcd "k8s.io/kubernetes/pkg/registry/rbac/role/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
|
|
||||||
rolebindingetcd "k8s.io/kubernetes/pkg/registry/rbac/rolebinding/etcd"
|
|
||||||
"k8s.io/kubernetes/pkg/routes"
|
"k8s.io/kubernetes/pkg/routes"
|
||||||
"k8s.io/kubernetes/pkg/util/wait"
|
"k8s.io/kubernetes/pkg/util/wait"
|
||||||
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
|
authenticatorunion "k8s.io/kubernetes/plugin/pkg/auth/authenticator/request/union"
|
||||||
@@ -136,48 +126,7 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
glog.Fatalf("Invalid Authentication Config: %v", err)
|
glog.Fatalf("Invalid Authentication Config: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
|
|
||||||
|
|
||||||
modeEnabled := func(mode string) bool {
|
|
||||||
for _, m := range authorizationModeNames {
|
|
||||||
if m == mode {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
authorizationConfig := authorizer.AuthorizationConfig{
|
|
||||||
PolicyFile: s.AuthorizationPolicyFile,
|
|
||||||
WebhookConfigFile: s.AuthorizationWebhookConfigFile,
|
|
||||||
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
|
|
||||||
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
|
|
||||||
RBACSuperUser: s.AuthorizationRBACSuperUser,
|
|
||||||
}
|
|
||||||
if modeEnabled(genericoptions.ModeRBAC) {
|
|
||||||
mustGetRESTOptions := func(resource string) generic.RESTOptions {
|
|
||||||
config, err := storageFactory.NewConfig(rbac.Resource(resource))
|
|
||||||
if err != nil {
|
|
||||||
glog.Fatalf("Unable to get %s storage: %v", resource, err)
|
|
||||||
}
|
|
||||||
return generic.RESTOptions{StorageConfig: config, Decorator: generic.UndecoratedStorage, ResourcePrefix: storageFactory.ResourcePrefix(rbac.Resource(resource))}
|
|
||||||
}
|
|
||||||
|
|
||||||
// For initial bootstrapping go directly to etcd to avoid privillege escalation check.
|
|
||||||
authorizationConfig.RBACRoleRegistry = role.NewRegistry(roleetcd.NewREST(mustGetRESTOptions("roles")))
|
|
||||||
authorizationConfig.RBACRoleBindingRegistry = rolebinding.NewRegistry(rolebindingetcd.NewREST(mustGetRESTOptions("rolebindings")))
|
|
||||||
authorizationConfig.RBACClusterRoleRegistry = clusterrole.NewRegistry(clusterroleetcd.NewREST(mustGetRESTOptions("clusterroles")))
|
|
||||||
authorizationConfig.RBACClusterRoleBindingRegistry = clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(mustGetRESTOptions("clusterrolebindings")))
|
|
||||||
}
|
|
||||||
|
|
||||||
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
|
|
||||||
if err != nil {
|
|
||||||
glog.Fatalf("Invalid Authorization Config: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||||
|
|
||||||
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
|
selfClientConfig, err := s.NewSelfClientConfig(privilegedLoopbackToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Fatalf("Failed to create clientset: %v", err)
|
glog.Fatalf("Failed to create clientset: %v", err)
|
||||||
@@ -186,6 +135,23 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("Failed to create clientset: %v", err)
|
glog.Errorf("Failed to create clientset: %v", err)
|
||||||
}
|
}
|
||||||
|
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
|
||||||
|
|
||||||
|
authorizationConfig := authorizer.AuthorizationConfig{
|
||||||
|
PolicyFile: s.AuthorizationPolicyFile,
|
||||||
|
WebhookConfigFile: s.AuthorizationWebhookConfigFile,
|
||||||
|
WebhookCacheAuthorizedTTL: s.AuthorizationWebhookCacheAuthorizedTTL,
|
||||||
|
WebhookCacheUnauthorizedTTL: s.AuthorizationWebhookCacheUnauthorizedTTL,
|
||||||
|
RBACSuperUser: s.AuthorizationRBACSuperUser,
|
||||||
|
InformerFactory: sharedInformers,
|
||||||
|
}
|
||||||
|
authorizationModeNames := strings.Split(s.AuthorizationMode, ",")
|
||||||
|
apiAuthorizer, err := authorizer.NewAuthorizerFromAuthorizationConfig(authorizationModeNames, authorizationConfig)
|
||||||
|
if err != nil {
|
||||||
|
glog.Fatalf("Invalid Authorization Config: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
admissionControlPluginNames := strings.Split(s.AdmissionControl, ",")
|
||||||
|
|
||||||
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
|
// TODO(dims): We probably need to add an option "EnableLoopbackToken"
|
||||||
if apiAuthenticator != nil {
|
if apiAuthenticator != nil {
|
||||||
@@ -204,7 +170,6 @@ func Run(s *options.ServerRunOptions) error {
|
|||||||
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
|
apiAuthorizer = authorizerunion.New(tokenAuthorizer, apiAuthorizer)
|
||||||
}
|
}
|
||||||
|
|
||||||
sharedInformers := informers.NewSharedInformerFactory(client, 10*time.Minute)
|
|
||||||
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
|
pluginInitializer := admission.NewPluginInitializer(sharedInformers, apiAuthorizer)
|
||||||
|
|
||||||
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
|
admissionController, err := admission.NewFromPlugins(client, admissionControlPluginNames, s.AdmissionControlConfigFile, pluginInitializer)
|
||||||
|
|||||||
@@ -24,11 +24,8 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/auth/authorizer"
|
"k8s.io/kubernetes/pkg/auth/authorizer"
|
||||||
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
||||||
"k8s.io/kubernetes/pkg/auth/authorizer/union"
|
"k8s.io/kubernetes/pkg/auth/authorizer/union"
|
||||||
|
"k8s.io/kubernetes/pkg/controller/informers"
|
||||||
"k8s.io/kubernetes/pkg/genericapiserver/options"
|
"k8s.io/kubernetes/pkg/genericapiserver/options"
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/role"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
|
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
||||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
|
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/webhook"
|
||||||
)
|
)
|
||||||
@@ -117,10 +114,7 @@ type AuthorizationConfig struct {
|
|||||||
// User which can bootstrap role policies
|
// User which can bootstrap role policies
|
||||||
RBACSuperUser string
|
RBACSuperUser string
|
||||||
|
|
||||||
RBACClusterRoleRegistry clusterrole.Registry
|
InformerFactory informers.SharedInformerFactory
|
||||||
RBACClusterRoleBindingRegistry clusterrolebinding.Registry
|
|
||||||
RBACRoleRegistry role.Registry
|
|
||||||
RBACRoleBindingRegistry rolebinding.Registry
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
|
// NewAuthorizerFromAuthorizationConfig returns the right sort of union of multiple authorizer.Authorizer objects
|
||||||
@@ -167,10 +161,10 @@ func NewAuthorizerFromAuthorizationConfig(authorizationModes []string, config Au
|
|||||||
authorizers = append(authorizers, webhookAuthorizer)
|
authorizers = append(authorizers, webhookAuthorizer)
|
||||||
case options.ModeRBAC:
|
case options.ModeRBAC:
|
||||||
rbacAuthorizer := rbac.New(
|
rbacAuthorizer := rbac.New(
|
||||||
config.RBACRoleRegistry,
|
config.InformerFactory.Roles().Lister(),
|
||||||
config.RBACRoleBindingRegistry,
|
config.InformerFactory.RoleBindings().Lister(),
|
||||||
config.RBACClusterRoleRegistry,
|
config.InformerFactory.ClusterRoles().Lister(),
|
||||||
config.RBACClusterRoleBindingRegistry,
|
config.InformerFactory.ClusterRoleBindings().Lister(),
|
||||||
config.RBACSuperUser,
|
config.RBACSuperUser,
|
||||||
)
|
)
|
||||||
authorizers = append(authorizers, rbacAuthorizer)
|
authorizers = append(authorizers, rbacAuthorizer)
|
||||||
|
|||||||
@@ -22,10 +22,6 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/apis/rbac/validation"
|
"k8s.io/kubernetes/pkg/apis/rbac/validation"
|
||||||
"k8s.io/kubernetes/pkg/auth/authorizer"
|
"k8s.io/kubernetes/pkg/auth/authorizer"
|
||||||
"k8s.io/kubernetes/pkg/auth/user"
|
"k8s.io/kubernetes/pkg/auth/user"
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrole"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/clusterrolebinding"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/role"
|
|
||||||
"k8s.io/kubernetes/pkg/registry/rbac/rolebinding"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type RequestToRuleMapper interface {
|
type RequestToRuleMapper interface {
|
||||||
@@ -55,14 +51,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
|
|||||||
return false, "", ruleResolutionError
|
return false, "", ruleResolutionError
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(roleRegistry role.Registry, roleBindingRegistry rolebinding.Registry, clusterRoleRegistry clusterrole.Registry, clusterRoleBindingRegistry clusterrolebinding.Registry, superUser string) *RBACAuthorizer {
|
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister, superUser string) *RBACAuthorizer {
|
||||||
authorizer := &RBACAuthorizer{
|
authorizer := &RBACAuthorizer{
|
||||||
superUser: superUser,
|
superUser: superUser,
|
||||||
authorizationRuleResolver: validation.NewDefaultRuleResolver(
|
authorizationRuleResolver: validation.NewDefaultRuleResolver(
|
||||||
role.AuthorizerAdapter{Registry: roleRegistry},
|
roles, roleBindings, clusterRoles, clusterRoleBindings,
|
||||||
rolebinding.AuthorizerAdapter{Registry: roleBindingRegistry},
|
|
||||||
clusterrole.AuthorizerAdapter{Registry: clusterRoleRegistry},
|
|
||||||
clusterrolebinding.AuthorizerAdapter{Registry: clusterRoleBindingRegistry},
|
|
||||||
),
|
),
|
||||||
}
|
}
|
||||||
return authorizer
|
return authorizer
|
||||||
|
|||||||
Reference in New Issue
Block a user