cmd/kube-rbac-proxy/app: use only authorizers that have been configured

Also, add a unit test to verify that RewriteAttributesConfig is nil if not configured
brancz · Jun 6, 2023 · a24945c · a24945c
1 parent 0c10f9c
commit a24945c
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 13 deletions.
diff --git a/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go b/cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
@@ -287,25 +287,26 @@ func secureServerRunner(
 	return runner, interrupter
 }
 
-func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverconfig.AuthorizationInfo) (authorizer.Authorizer, error) {
-	staticAuthorizer, err := static.NewStaticAuthorizer(krbInfo.Authorization.Static)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create static authorizer: %w", err)
+func setupAuthorizer(krpInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverconfig.AuthorizationInfo) (authorizer.Authorizer, error) {
+	authz := delegatedAuthz.Authorizer
+
+	if len(krpInfo.Authorization.Static) > 0 {
+		staticAuthorizer, err := static.NewStaticAuthorizer(krpInfo.Authorization.Static)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create static authorizer: %w", err)
+		}
+		authz = union.New(staticAuthorizer, authz)
 	}
 
-	var authz authorizer.Authorizer = rewrite.NewRewritingAuthorizer(
-		union.New(
-			staticAuthorizer,
-			delegatedAuthz.Authorizer,
-		),
-		krbInfo.Authorization.RewriteAttributesConfig,
-	)
+	if krpInfo.Authorization.RewriteAttributesConfig != nil {
+		authz = rewrite.NewRewritingAuthorizer(authz, krpInfo.Authorization.RewriteAttributesConfig)
+	}
 
-	if allowPaths := krbInfo.AllowPaths; len(allowPaths) > 0 {
+	if allowPaths := krpInfo.AllowPaths; len(allowPaths) > 0 {
 		authz = union.New(path.NewAllowPathAuthorizer(allowPaths), authz)
 	}
 
-	if ignorePaths := krbInfo.IgnorePaths; len(ignorePaths) > 0 {
+	if ignorePaths := krpInfo.IgnorePaths; len(ignorePaths) > 0 {
 		authz = union.New(path.NewAlwaysAllowPathAuthorizer(ignorePaths), authz)
 	}
 

diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go b/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go
@@ -84,6 +84,32 @@ func Test_parseAuthorizationConfigFile(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "resources without rewrites",
+			fileContent: `authorization:
+  static:
+    - user:
+        name: system:serviceaccount:default:default
+      resourceRequest: true
+      resource: namespaces
+      subresource: metrics
+      namespace: default
+      verb: get`,
+			want: &authz.AuthzConfig{
+				Static: []static.StaticAuthorizationConfig{
+					{
+						User: static.UserConfig{
+							Name: "system:serviceaccount:default:default",
+						},
+						ResourceRequest: true,
+						Resource:        "namespaces",
+						Subresource:     "metrics",
+						Namespace:       "default",
+						Verb:            "get",
+					},
+				},
+			},
+		},
 		{
 			name: "non-resources",
 			fileContent: `authorization: