-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add generic webhook handler implementation for SubjectAccessReviews
- Loading branch information
Showing
8 changed files
with
883 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package authorization | ||
|
||
import ( | ||
"testing" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
|
||
"sigs.k8s.io/controller-runtime/pkg/envtest/printer" | ||
logf "sigs.k8s.io/controller-runtime/pkg/log" | ||
"sigs.k8s.io/controller-runtime/pkg/log/zap" | ||
) | ||
|
||
func TestAuthorizationWebhook(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
suiteName := "Authorization Webhook Suite" | ||
RunSpecsWithDefaultAndCustomReporters(t, suiteName, []Reporter{printer.NewlineReporter{}, printer.NewProwReporter(suiteName)}) | ||
} | ||
|
||
var _ = BeforeSuite(func(done Done) { | ||
logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true))) | ||
|
||
close(done) | ||
}, 60) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
/* | ||
Package authorization provides implementation for authorization webhook and | ||
methods to implement authorization webhook handlers. | ||
See examples/subjectaccessreview/ for an example of authorization webhooks. | ||
*/ | ||
package authorization | ||
|
||
import ( | ||
logf "sigs.k8s.io/controller-runtime/pkg/internal/log" | ||
) | ||
|
||
var log = logf.RuntimeLog.WithName("authorization") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
/* | ||
Copyright 2021 The Kubernetes Authors. | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package authorization | ||
|
||
import ( | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"io" | ||
"io/ioutil" | ||
"net/http" | ||
|
||
authorizationv1 "k8s.io/api/authorization/v1" | ||
authorizationv1beta1 "k8s.io/api/authorization/v1beta1" | ||
"k8s.io/apimachinery/pkg/runtime" | ||
"k8s.io/apimachinery/pkg/runtime/schema" | ||
"k8s.io/apimachinery/pkg/runtime/serializer" | ||
utilruntime "k8s.io/apimachinery/pkg/util/runtime" | ||
) | ||
|
||
var authorizationScheme = runtime.NewScheme() | ||
var authorizationCodecs = serializer.NewCodecFactory(authorizationScheme) | ||
|
||
func init() { | ||
utilruntime.Must(authorizationv1.AddToScheme(authorizationScheme)) | ||
utilruntime.Must(authorizationv1beta1.AddToScheme(authorizationScheme)) | ||
} | ||
|
||
var _ http.Handler = &Webhook{} | ||
|
||
func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) { | ||
var body []byte | ||
var err error | ||
ctx := r.Context() | ||
if wh.WithContextFunc != nil { | ||
ctx = wh.WithContextFunc(ctx, r) | ||
} | ||
|
||
var reviewResponse Response | ||
if r.Body == nil { | ||
err = errors.New("request body is empty") | ||
wh.log.Error(err, "bad request") | ||
reviewResponse = Errored(err) | ||
wh.writeResponse(w, reviewResponse) | ||
return | ||
} | ||
|
||
defer r.Body.Close() | ||
if body, err = ioutil.ReadAll(r.Body); err != nil { | ||
wh.log.Error(err, "unable to read the body from the incoming request") | ||
reviewResponse = Errored(err) | ||
wh.writeResponse(w, reviewResponse) | ||
return | ||
} | ||
|
||
// verify the content type is accurate | ||
contentType := r.Header.Get("Content-Type") | ||
if contentType != "application/json" { | ||
err = fmt.Errorf("contentType=%s, expected application/json", contentType) | ||
wh.log.Error(err, "unable to process a request with an unknown content type", "content type", contentType) | ||
reviewResponse = Errored(err) | ||
wh.writeResponse(w, reviewResponse) | ||
return | ||
} | ||
|
||
// Decode request body into authorizationv1.SubjectAccessReviewSpec structure | ||
sar, actualTokRevGVK, err := wh.decodeRequestBody(body) | ||
if err != nil { | ||
wh.log.Error(err, "unable to decode the request") | ||
reviewResponse = Errored(err) | ||
wh.writeResponse(w, reviewResponse) | ||
return | ||
} | ||
wh.log.V(1).Info("received request", "UID", sar.UID, "kind", sar.Kind) | ||
|
||
reviewResponse = wh.Handle(ctx, Request{sar.SubjectAccessReview}) | ||
wh.writeResponseTyped(w, reviewResponse, actualTokRevGVK) | ||
} | ||
|
||
// writeResponse writes response to w generically, i.e. without encoding GVK information. | ||
func (wh *Webhook) writeResponse(w io.Writer, response Response) { | ||
wh.writeSubjectAccessReviewResponse(w, response.SubjectAccessReview) | ||
} | ||
|
||
// writeResponseTyped writes response to w with GVK set to subjRevGVK, which is necessary | ||
// if multiple SubjectAccessReview versions are permitted by the webhook. | ||
func (wh *Webhook) writeResponseTyped(w io.Writer, response Response, subjRevGVK *schema.GroupVersionKind) { | ||
ar := response.SubjectAccessReview | ||
|
||
// Default to a v1 SubjectAccessReview, otherwise the API server may not recognize the request | ||
// if multiple SubjectAccessReview versions are permitted by the webhook config. | ||
if subjRevGVK == nil || *subjRevGVK == (schema.GroupVersionKind{}) { | ||
ar.SetGroupVersionKind(authorizationv1.SchemeGroupVersion.WithKind("SubjectAccessReview")) | ||
} else { | ||
ar.SetGroupVersionKind(*subjRevGVK) | ||
} | ||
wh.writeSubjectAccessReviewResponse(w, ar) | ||
} | ||
|
||
// writeSubjectAccessReviewResponse writes ar to w. | ||
func (wh *Webhook) writeSubjectAccessReviewResponse(w io.Writer, ar authorizationv1.SubjectAccessReview) { | ||
if err := json.NewEncoder(w).Encode(ar); err != nil { | ||
wh.log.Error(err, "unable to encode the response") | ||
wh.writeResponse(w, Errored(err)) | ||
} | ||
res := ar | ||
if log := wh.log; log.V(1).Enabled() { | ||
log.V(1).Info("wrote response", "UID", res.UID, "authorized", res.Status.Allowed) | ||
} | ||
return | ||
} | ||
|
||
func (wh *Webhook) decodeRequestBody(body []byte) (unversionedSubjectAccessReview, *schema.GroupVersionKind, error) { | ||
// v1 and v1beta1 SubjectAccessReview types are almost exactly the same (the only difference is the JSON key for the | ||
// 'Groups' field).The v1beta1 api is deprecated as of 1.19 and will be removed in authorization as of v1.22. We | ||
// decode the object into a v1 type and "manually" convert the 'Groups' field (see below). | ||
// However, the runtime codec's decoder guesses which type to decode into by type name if an Object's TypeMeta | ||
// isn't set. By setting TypeMeta of an unregistered type to the v1 GVK, the decoder will coerce a v1beta1 | ||
// SubjectAccessReview to v1. | ||
var obj unversionedSubjectAccessReview | ||
obj.SetGroupVersionKind(authorizationv1.SchemeGroupVersion.WithKind("SubjectAccessReview")) | ||
|
||
_, gvk, err := authorizationCodecs.UniversalDeserializer().Decode(body, nil, &obj) | ||
if err != nil { | ||
return obj, nil, err | ||
} | ||
if gvk == nil { | ||
return obj, nil, fmt.Errorf("could not determine GVK for object in the request body") | ||
} | ||
|
||
// The only difference in v1beta1 is that the JSON key name of the 'Groups' field is different. Hence, when we | ||
// detect that v1beta1 was sent, we decode it once again into the "correct" type and manually "convert" the 'Groups' | ||
// information. | ||
switch *gvk { | ||
case authorizationv1beta1.SchemeGroupVersion.WithKind("SubjectAccessReview"): | ||
var tmp authorizationv1beta1.SubjectAccessReview | ||
if _, _, err := authorizationCodecs.UniversalDeserializer().Decode(body, nil, &tmp); err != nil { | ||
return obj, gvk, err | ||
} | ||
obj.Spec.Groups = tmp.Spec.Groups | ||
} | ||
|
||
return obj, gvk, nil | ||
} | ||
|
||
// unversionedSubjectAccessReview is used to decode both v1 and v1beta1 SubjectAccessReview types. | ||
type unversionedSubjectAccessReview struct { | ||
authorizationv1.SubjectAccessReview | ||
} | ||
|
||
var _ runtime.Object = &unversionedSubjectAccessReview{} |
Oops, something went wrong.