Merge pull request #43 from deads2k/authz

add hardcoded authorizer to approve /metrics for metrics scraper

main.go

@@ -38,6 +38,7 @@ import (
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -47,6 +48,7 @@ import (
 
 	"github.com/brancz/kube-rbac-proxy/pkg/authn"
 	"github.com/brancz/kube-rbac-proxy/pkg/authz"
+	"github.com/brancz/kube-rbac-proxy/pkg/hardcodedauthorizer"
 	"github.com/brancz/kube-rbac-proxy/pkg/proxy"
 	rbac_proxy_tls "github.com/brancz/kube-rbac-proxy/pkg/tls"
 )
@@ -199,10 +201,15 @@ func main() {
 
 	sarClient := kubeClient.AuthorizationV1().SubjectAccessReviews()
 	authorizer, err := authz.NewAuthorizer(sarClient)
-
 	if err != nil {
 		klog.Fatalf("Failed to create authorizer: %v", err)
 	}
+	authorizer = union.New(
+		// prefix the authorizer with the permissions for metrics scraping which are well known.
+		// openshift RBAC policy will always allow this user to read metrics.
+		hardcodedauthorizer.NewHardCodedMetricsAuthorizer(),
+		authorizer,
+	)
 
 	auth, err := proxy.New(kubeClient, cfg.auth, authorizer, authenticator)
 
@@ -388,14 +395,14 @@ func initKubeConfig(kcLocation string) *rest.Config {
 	if kcLocation != "" {
 		kubeConfig, err := clientcmd.BuildConfigFromFlags("", kcLocation)
 		if err != nil {
-			klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v",err)
+			klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v", err)
 		}
 		return kubeConfig
 	}
 
 	kubeConfig, err := rest.InClusterConfig()
 	if err != nil {
-		klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v",err)
+		klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v", err)
 	}
 
 	return kubeConfig

pkg/hardcodedauthorizer/metrics.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2021 Frederic Branczyk All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// this is copied from library-go to avoid a hard dependency
+package hardcodedauthorizer
+
+import (
+	"context"
+
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+type metricsAuthorizer struct{}
+
+// GetUser() user.Info - checked
+// GetVerb() string - checked
+// IsReadOnly() bool - na
+// GetNamespace() string - na
+// GetResource() string - na
+// GetSubresource() string - na
+// GetName() string - na
+// GetAPIGroup() string - na
+// GetAPIVersion() string - na
+// IsResourceRequest() bool - checked
+// GetPath() string - checked
+func (metricsAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+	if a.GetUser() == nil {
+		return authorizer.DecisionNoOpinion, "", nil
+	}
+	if a.GetUser().GetName() != "system:serviceaccount:openshift-monitoring:prometheus-k8s" {
+		return authorizer.DecisionNoOpinion, "", nil
+	}
+	if !a.IsResourceRequest() &&
+		a.GetVerb() == "get" &&
+		a.GetPath() == "/metrics" {
+		return authorizer.DecisionAllow, "requesting metrics is allowed", nil
+	}
+
+	return authorizer.DecisionNoOpinion, "", nil
+}
+
+// NewHardCodedMetricsAuthorizer returns a hardcoded authorizer for checking metrics.
+func NewHardCodedMetricsAuthorizer() *metricsAuthorizer {
+	return new(metricsAuthorizer)
+}

pkg/hardcodedauthorizer/metrics_test.go

@@ -0,0 +1,67 @@
+/*
+Copyright 2021 Frederic Branczyk All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package hardcodedauthorizer
+
+import (
+	"context"
+	"testing"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+func TestAuthorizer(t *testing.T) {
+	tests := []struct {
+		name       string
+		authorizer authorizer.Authorizer
+
+		shouldPass      []authorizer.Attributes
+		shouldNoOpinion []authorizer.Attributes
+	}{
+		{
+			name:       "metrics",
+			authorizer: NewHardCodedMetricsAuthorizer(),
+			shouldPass: []authorizer.Attributes{
+				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/metrics"},
+			},
+			shouldNoOpinion: []authorizer.Attributes{
+				// wrong user
+				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "other"}, Verb: "get", Path: "/metrics"},
+				// wrong verb
+				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "update", Path: "/metrics"},
+
+				// wrong path
+				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/api"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			for _, attr := range tt.shouldPass {
+				if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionAllow {
+					t.Errorf("incorrectly restricted %v", attr)
+				}
+			}
+
+			for _, attr := range tt.shouldNoOpinion {
+				if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionNoOpinion {
+					t.Errorf("incorrectly opinionated %v", attr)
+				}
+			}
+		})
+	}
+}

vendor/modules.txt

@@ -324,6 +324,7 @@ k8s.io/apiserver/pkg/authentication/token/tokenfile
 k8s.io/apiserver/pkg/authentication/user
 k8s.io/apiserver/pkg/authorization/authorizer
 k8s.io/apiserver/pkg/authorization/authorizerfactory
+k8s.io/apiserver/pkg/authorization/union
 k8s.io/apiserver/pkg/endpoints/request
 k8s.io/apiserver/pkg/server/dynamiccertificates
 k8s.io/apiserver/pkg/server/egressselector