diff --git a/main.go b/main.go
index 71881398a..0a7a3ab42 100644
--- a/main.go
+++ b/main.go
@@ -48,7 +48,6 @@ import (
 	"github.com/brancz/kube-rbac-proxy/pkg/authn"
 	"github.com/brancz/kube-rbac-proxy/pkg/authz"
-	"github.com/brancz/kube-rbac-proxy/pkg/hardcodedauthorizer"
 	"github.com/brancz/kube-rbac-proxy/pkg/proxy"
 	rbac_proxy_tls "github.com/brancz/kube-rbac-proxy/pkg/tls"
 )
@@ -192,7 +191,6 @@ func main() {
 	sarClient := kubeClient.AuthorizationV1().SubjectAccessReviews()
 	sarAuthorizer, err := authz.NewSarAuthorizer(sarClient)
-
 	if err != nil {
 		klog.Fatalf("Failed to create sar authorizer: %v", err)
 	}
@@ -205,8 +203,6 @@ func main() {
 	authorizer := union.New(
 		// prefix the authorizer with the permissions for metrics scraping which are well known.
 		// openshift RBAC policy will always allow this user to read metrics.
-		// TODO: remove this, once CMO lands static authorizer configuration.
-		hardcodedauthorizer.NewHardCodedMetricsAuthorizer(),
 		staticAuthorizer,
 		sarAuthorizer,
 	)
@@ -416,14 +412,14 @@ func initKubeConfig(kcLocation string) *rest.Config {
 	if kcLocation != "" {
 		kubeConfig, err := clientcmd.BuildConfigFromFlags("", kcLocation)
 		if err != nil {
-			klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v", err)
+			klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v",err)
 		}
 		return kubeConfig
 	}
 	kubeConfig, err := rest.InClusterConfig()
 	if err != nil {
-		klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v", err)
+		klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v",err)
 	}
 	return kubeConfig
diff --git a/pkg/hardcodedauthorizer/metrics.go b/pkg/hardcodedauthorizer/metrics.go
deleted file mode 100644
index 67891c85f..000000000
--- a/pkg/hardcodedauthorizer/metrics.go
+++ /dev/null
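Review bot: The two comment lines kept above `staticAuthorizer` in the union.New hunk still describe the removed hardcoded metrics authorizer ("prefix the authorizer with the permissions for metrics scraping which are well known" / "openshift RBAC policy will always allow this user to read metrics"), so after this change they document an allow rule that no longer exists. I would replace them with a comment that matches the remaining chain, e.g. `// staticAuthorizer is consulted first; sarAuthorizer falls back to a SubjectAccessReview.` Note for operators that the removed authorizer granted an unconditional allow to one fixed service account for non-resource GET /metrics, so any deployment that relied on it presumably now needs an equivalent entry in the static authorizer configuration; the commit message should call that out. main() begins and ends outside this hunk.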
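Review bot: Both `+` lines in the initKubeConfig hunk drop the space after the comma (`%v",err)`), which is not gofmt-clean and is the only effective change in that hunk, so it is a formatting regression rather than an improvement. Since the surrounding lines are unchanged, the simplest fix is to drop this hunk from the commit entirely, or restore `..."%v", err)` on both lines. initKubeConfig's signature and closing brace lie outside the hunk.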
@@ -1,58 +0,0 @@
-/*
-Copyright 2021 Frederic Branczyk All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// this is copied from library-go to avoid a hard dependency
-package hardcodedauthorizer
-
-import (
-	"context"
-
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-type metricsAuthorizer struct{}
-
-// GetUser() user.Info - checked
-// GetVerb() string - checked
-// IsReadOnly() bool - na
-// GetNamespace() string - na
-// GetResource() string - na
-// GetSubresource() string - na
-// GetName() string - na
-// GetAPIGroup() string - na
-// GetAPIVersion() string - na
-// IsResourceRequest() bool - checked
-// GetPath() string - checked
-func (metricsAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
-	if a.GetUser() == nil {
-		return authorizer.DecisionNoOpinion, "", nil
-	}
-	if a.GetUser().GetName() != "system:serviceaccount:openshift-monitoring:prometheus-k8s" {
-		return authorizer.DecisionNoOpinion, "", nil
-	}
-	if !a.IsResourceRequest() &&
-		a.GetVerb() == "get" &&
-		a.GetPath() == "/metrics" {
-		return authorizer.DecisionAllow, "requesting metrics is allowed", nil
-	}
-
-	return authorizer.DecisionNoOpinion, "", nil
-}
-
-// NewHardCodedMetricsAuthorizer returns a hardcoded authorizer for checking metrics.
-func NewHardCodedMetricsAuthorizer() *metricsAuthorizer {
-	return new(metricsAuthorizer)
-}
diff --git a/pkg/hardcodedauthorizer/metrics_test.go b/pkg/hardcodedauthorizer/metrics_test.go
deleted file mode 100644
index a57eaf79f..000000000
--- a/pkg/hardcodedauthorizer/metrics_test.go
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-Copyright 2021 Frederic Branczyk All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package hardcodedauthorizer
-
-import (
-	"context"
-	"testing"
-
-	"k8s.io/apiserver/pkg/authentication/user"
-	"k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func TestAuthorizer(t *testing.T) {
-	tests := []struct {
-		name string
-		authorizer authorizer.Authorizer
-
-		shouldPass []authorizer.Attributes
-		shouldNoOpinion []authorizer.Attributes
-	}{
-		{
-			name: "metrics",
-			authorizer: NewHardCodedMetricsAuthorizer(),
-			shouldPass: []authorizer.Attributes{
-				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/metrics"},
-			},
-			shouldNoOpinion: []authorizer.Attributes{
-				// wrong user
-				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "other"}, Verb: "get", Path: "/metrics"},
-				// wrong verb
-				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "update", Path: "/metrics"},
-
-				// wrong path
-				authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/api"},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			for _, attr := range tt.shouldPass {
-				if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionAllow {
-					t.Errorf("incorrectly restricted %v", attr)
-				}
-			}
-
-			for _, attr := range tt.shouldNoOpinion {
-				if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionNoOpinion {
-					t.Errorf("incorrectly opinionated %v", attr)
-				}
-			}
-		})
-	}
-}