From 8167d7aec57cccae99d1afa87ff4e6d2675fab37 Mon Sep 17 00:00:00 2001
From: Prashant Balachandran
Date: Mon, 20 Sep 2021 12:59:57 +0530
Subject: [PATCH] Revert "Merge pull request #43 from deads2k/authz"

This reverts commit 794f9de6f4bdd95129cf4a73cb31aedcc93b7286, reversing changes made to 6ea32943bbcef4aa27b176da8559dec84fed7cfc.
---
 main.go | 22 +-------
 pkg/hardcodedauthorizer/metrics.go | 58 ---------------------
 pkg/hardcodedauthorizer/metrics_test.go | 67 -------------------------
 3 files changed, 2 insertions(+), 145 deletions(-)
 delete mode 100644 pkg/hardcodedauthorizer/metrics.go
 delete mode 100644 pkg/hardcodedauthorizer/metrics_test.go
diff --git a/main.go b/main.go
index 70fb9b175..c77991548 100644
--- a/main.go
+++ b/main.go
@@ -191,12 +191,6 @@ func main() {
 if err != nil {
 klog.Fatalf("Failed to create sar authorizer: %v", err)
 }
-
- staticAuthorizer, err := authz.NewStaticAuthorizer(cfg.auth.Authorization.Static)
- if err != nil {
- klog.Fatalf("Failed to create static authorizer: %v", err)
- }
-
 authorizer := union.New(
 // prefix the authorizer with the permissions for metrics scraping which are well known.
 // openshift RBAC policy will always allow this user to read metrics.
@@ -206,23 +200,11 @@ func main() {
 sarAuthorizer,
 )
- auth, err := proxy.New(kubeClient, cfg.auth, authorizer, authenticator)
- if err != nil {
- klog.Fatalf("Failed to create rbac-proxy: %v", err)
- }
 upstreamTransport, err := initTransport(cfg.upstreamCAFile)
- if err != nil {
 klog.Fatalf("Failed to set up upstream TLS connection: %v", err)
- }
- if len(cfg.allowPaths) > 0 && len(cfg.ignorePaths) > 0 {
- klog.Fatal("Cannot use --allow-paths and --ignore-paths together.")
- }
- proxy := httputil.NewSingleHostReverseProxy(upstreamURL)
- proxy.Transport = upstreamTransport
 mux := http.NewServeMux()
 mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 found := len(cfg.allowPaths) == 0
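Review bot: The reverted main.go still appears to reference code this same commit removes: hunk 1 keeps `authorizer := union.New(` and its metrics-scraping comment as unchanged context, the three lines between the two hunks (where the union's arguments sit) are not in the diff at all, yet `staticAuthorizer` is deleted in hunk 1 and `pkg/hardcodedauthorizer` is deleted further down, so unless those lines and main.go's import block already differ the result will not compile. As rendered here this hunk also shows `- if err != nil {` and `- }` removed around the context line `klog.Fatalf("Failed to set up upstream TLS connection: %v", err)`, which would make that Fatalf unconditional; the hunk's line counts do not match what is visible, so this should be checked against the raw patch rather than trusted. The removed `auth, err := proxy.New(...)` and `proxy := httputil.NewSingleHostReverseProxy(upstreamURL)` have no visible replacement, so whatever the handler below uses for `auth` and `proxy` must now come from lines outside this hunk. The initKubeConfig hunk that follows also reintroduces `%v",err)` without a space after the comma, which gofmt would not produce. `main` starts before hunk 1 and continues past the end of this hunk.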
@@ -391,14 +373,14 @@ func initKubeConfig(kcLocation string) *rest.Config {
 if kcLocation != "" {
 kubeConfig, err := clientcmd.BuildConfigFromFlags("", kcLocation)
 if err != nil {
- klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v", err)
+ klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v",err)
 }
 return kubeConfig
 }
 kubeConfig, err := rest.InClusterConfig()
 if err != nil {
- klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v", err)
+ klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v",err)
 }
 return kubeConfig
diff --git a/pkg/hardcodedauthorizer/metrics.go b/pkg/hardcodedauthorizer/metrics.go
deleted file mode 100644
index 67891c85f..000000000
--- a/pkg/hardcodedauthorizer/metrics.go
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
-Copyright 2021 Frederic Branczyk All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// this is copied from library-go to avoid a hard dependency
-package hardcodedauthorizer
-
-import (
- "context"
-
- "k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-type metricsAuthorizer struct{}
-
-// GetUser() user.Info - checked
-// GetVerb() string - checked
-// IsReadOnly() bool - na
-// GetNamespace() string - na
-// GetResource() string - na
-// GetSubresource() string - na
-// GetName() string - na
-// GetAPIGroup() string - na
-// GetAPIVersion() string - na
-// IsResourceRequest() bool - checked
-// GetPath() string - checked
-func (metricsAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
- if a.GetUser() == nil {
- return authorizer.DecisionNoOpinion, "", nil
- }
- if a.GetUser().GetName() != "system:serviceaccount:openshift-monitoring:prometheus-k8s" {
- return authorizer.DecisionNoOpinion, "", nil
- }
- if !a.IsResourceRequest() &&
- a.GetVerb() == "get" &&
- a.GetPath() == "/metrics" {
- return authorizer.DecisionAllow, "requesting metrics is allowed", nil
- }
-
- return authorizer.DecisionNoOpinion, "", nil
-}
-
-// NewHardCodedMetricsAuthorizer returns a hardcoded authorizer for checking metrics.
-func NewHardCodedMetricsAuthorizer() *metricsAuthorizer {
- return new(metricsAuthorizer)
-}
diff --git a/pkg/hardcodedauthorizer/metrics_test.go b/pkg/hardcodedauthorizer/metrics_test.go
deleted file mode 100644
index a57eaf79f..000000000
--- a/pkg/hardcodedauthorizer/metrics_test.go
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
-Copyright 2021 Frederic Branczyk All rights reserved.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package hardcodedauthorizer
-
-import (
- "context"
- "testing"
-
- "k8s.io/apiserver/pkg/authentication/user"
- "k8s.io/apiserver/pkg/authorization/authorizer"
-)
-
-func TestAuthorizer(t *testing.T) {
- tests := []struct {
- name string
- authorizer authorizer.Authorizer
-
- shouldPass []authorizer.Attributes
- shouldNoOpinion []authorizer.Attributes
- }{
- {
- name: "metrics",
- authorizer: NewHardCodedMetricsAuthorizer(),
- shouldPass: []authorizer.Attributes{
- authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/metrics"},
- },
- shouldNoOpinion: []authorizer.Attributes{
- // wrong user
- authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "other"}, Verb: "get", Path: "/metrics"},
- // wrong verb
- authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "update", Path: "/metrics"},
-
- // wrong path
- authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/api"},
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- for _, attr := range tt.shouldPass {
- if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionAllow {
- t.Errorf("incorrectly restricted %v", attr)
- }
- }
-
- for _, attr := range tt.shouldNoOpinion {
- if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionNoOpinion {
- t.Errorf("incorrectly opinionated %v", attr)
- }
- }
- })
- }
-}