Created
August 8, 2022 09:44
diff --git a/pkg/authorization/toplevel_org_authorizer.go b/pkg/authorization/toplevel_org_authorizer.go | |
index 9f24d3243..f635b9f2e 100644 | |
--- a/pkg/authorization/toplevel_org_authorizer.go | |
+++ b/pkg/authorization/toplevel_org_authorizer.go | |
@@ -36,6 +36,7 @@ import ( | |
tenancyv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1alpha1" | |
tenancyv1 "github.com/kcp-dev/kcp/pkg/client/listers/tenancy/v1alpha1" | |
rbacwrapper "github.com/kcp-dev/kcp/pkg/virtual/framework/wrappers/rbac" | |
+ authorizationv1 "k8s.io/api/authorization/v1" | |
) | |
// NewTopLevelOrganizationAccessAuthorizer returns an authorizer that checks for access+member verb in | |
@@ -69,8 +70,8 @@ type topLevelOrgAccessAuthorizer struct { | |
} | |
func (a *topLevelOrgAccessAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) { | |
- if DeepSubjectAccessReviewFrom(ctx) { | |
- return authorizer.DecisionAllow, "", nil | |
+ if DeepSubjectAccessReviewFrom(ctx) && attr.GetAPIGroup() != authorizationv1.GroupName && attr.GetResource() != "subjectaccessreview" { | |
+ return a.delegate.Authorize(ctx, attr) | |
} | |
cluster, err := genericapirequest.ValidClusterFrom(ctx) | |
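Review bot: The resource name in the added condition is the singular `"subjectaccessreview"`, while the parallel check added in workspace_content_authorizer.go compares against the plural `"subjectaccessreviews"`; attr.GetResource() carries the resource as it appears in the REST path, i.e. the plural, so as written this authorizer would still take the delegate shortcut for SubjectAccessReview requests instead of falling through to the full check. The two files should agree on `attr.GetResource() != "subjectaccessreviews"`. Separately, joining the two `!=` tests with `&&` excludes every request in the authorization.k8s.io group and every resource named subjectaccessreviews in any group, which is broader than "the SAR resource itself"; if the narrower exclusion is what is intended, the condition reads better as `!(attr.GetAPIGroup() == authorizationv1.GroupName && attr.GetResource() == "subjectaccessreviews")`. Authorize continues past the end of the hunk.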
diff --git a/pkg/authorization/workspace_content_authorizer.go b/pkg/authorization/workspace_content_authorizer.go | |
index 5ba6582b9..b43725689 100644 | |
--- a/pkg/authorization/workspace_content_authorizer.go | |
+++ b/pkg/authorization/workspace_content_authorizer.go | |
@@ -22,6 +22,7 @@ import ( | |
"github.com/kcp-dev/logicalcluster/v2" | |
+ authorizationv1 "k8s.io/api/authorization/v1" | |
"k8s.io/apimachinery/pkg/api/errors" | |
utilerrors "k8s.io/apimachinery/pkg/util/errors" | |
"k8s.io/apimachinery/pkg/util/sets" | |
@@ -73,10 +74,6 @@ type workspaceContentAuthorizer struct { | |
} | |
func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) { | |
- if DeepSubjectAccessReviewFrom(ctx) { | |
- return authorizer.DecisionAllow, "", nil | |
- } | |
- | |
cluster, err := genericapirequest.ValidClusterFrom(ctx) | |
if err != nil { | |
return authorizer.DecisionNoOpinion, WorkspaceAcccessNotPermittedReason, err | |
@@ -96,6 +93,18 @@ func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authori | |
isServiceAccountFromRootCluster := subjectClusters[tenancyv1alpha1.RootCluster] | |
isServiceAccountFromCluster := subjectClusters[cluster.Name] | |
+ if DeepSubjectAccessReviewFrom(ctx) && attr.GetAPIGroup() != authorizationv1.GroupName && attr.GetResource() != "subjectaccessreviews" { | |
+ if isAuthenticated && !isUser && !isServiceAccountFromCluster { | |
+ // anonymize service accounts from other workspaces | |
+ attr := deepCopyAttributes(attr) | |
+ attr.User = &user.DefaultInfo{ | |
+ Name: "system:anonymous", | |
+ Groups: []string{"system:authenticated"}, | |
+ } | |
+ } | |
+ return a.delegate.Authorize(ctx, attr) | |
+ } | |
+ | |
// Every authenticated user has access to the root workspace but not every service account. | |
// For root, only service accounts declared in root have access. | |
if cluster.Name == tenancyv1alpha1.RootCluster { |
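Review bot: The anonymization in the inner branch never reaches the delegate: `attr := deepCopyAttributes(attr)` declares a new variable scoped to that `if` block, so the copy with the `system:anonymous` user is dropped when the block ends and `return a.delegate.Authorize(ctx, attr)` passes the original, un-anonymized attributes. Assuming deepCopyAttributes returns a concrete record with a settable User field (which the following assignment requires), the simplest fix is to give the copy its own name and return it from inside the branch: `anonymized := deepCopyAttributes(attr)`, `anonymized.User = &user.DefaultInfo{...}`, `return a.delegate.Authorize(ctx, anonymized)`, leaving the outer `return a.delegate.Authorize(ctx, attr)` for the non-anonymized case. A test that sends a deep-SAR request from a service account of another workspace and asserts the delegate sees `system:anonymous` would have caught this. The enclosing Authorize starts in the previous hunk and continues past this one.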