Skip to content

Commit

Permalink
Merge pull request #43 from deads2k/authz
Browse files Browse the repository at this point in the history
add hardcoded authorizer to approve /metrics for metrics scraper
  • Loading branch information
openshift-merge-robot authored Mar 12, 2021
2 parents 6ea3294 + 3fea9a7 commit 794f9de
Show file tree
Hide file tree
Showing 5 changed files with 242 additions and 3 deletions.
13 changes: 10 additions & 3 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ import (
"golang.org/x/net/http2"
"golang.org/x/net/http2/h2c"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authorization/union"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/clientcmd"
Expand All @@ -47,6 +48,7 @@ import (

"github.com/brancz/kube-rbac-proxy/pkg/authn"
"github.com/brancz/kube-rbac-proxy/pkg/authz"
"github.com/brancz/kube-rbac-proxy/pkg/hardcodedauthorizer"
"github.com/brancz/kube-rbac-proxy/pkg/proxy"
rbac_proxy_tls "github.com/brancz/kube-rbac-proxy/pkg/tls"
)
Expand Down Expand Up @@ -199,10 +201,15 @@ func main() {

sarClient := kubeClient.AuthorizationV1().SubjectAccessReviews()
authorizer, err := authz.NewAuthorizer(sarClient)

if err != nil {
klog.Fatalf("Failed to create authorizer: %v", err)
}
authorizer = union.New(
// prefix the authorizer with the permissions for metrics scraping which are well known.
// openshift RBAC policy will always allow this user to read metrics.
hardcodedauthorizer.NewHardCodedMetricsAuthorizer(),
authorizer,
)

auth, err := proxy.New(kubeClient, cfg.auth, authorizer, authenticator)

Expand Down Expand Up @@ -388,14 +395,14 @@ func initKubeConfig(kcLocation string) *rest.Config {
if kcLocation != "" {
kubeConfig, err := clientcmd.BuildConfigFromFlags("", kcLocation)
if err != nil {
klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v",err)
klog.Fatalf("unable to build rest config based on provided path to kubeconfig file: %v", err)
}
return kubeConfig
}

kubeConfig, err := rest.InClusterConfig()
if err != nil {
klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v",err)
klog.Fatalf("cannot find Service Account in pod to build in-cluster rest config: %v", err)
}

return kubeConfig
Expand Down
58 changes: 58 additions & 0 deletions pkg/hardcodedauthorizer/metrics.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
/*
Copyright 2021 Frederic Branczyk All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// this is copied from library-go to avoid a hard dependency
package hardcodedauthorizer

import (
"context"

"k8s.io/apiserver/pkg/authorization/authorizer"
)

type metricsAuthorizer struct{}

// GetUser() user.Info - checked
// GetVerb() string - checked
// IsReadOnly() bool - na
// GetNamespace() string - na
// GetResource() string - na
// GetSubresource() string - na
// GetName() string - na
// GetAPIGroup() string - na
// GetAPIVersion() string - na
// IsResourceRequest() bool - checked
// GetPath() string - checked
func (metricsAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
if a.GetUser() == nil {
return authorizer.DecisionNoOpinion, "", nil
}
if a.GetUser().GetName() != "system:serviceaccount:openshift-monitoring:prometheus-k8s" {
return authorizer.DecisionNoOpinion, "", nil
}
if !a.IsResourceRequest() &&
a.GetVerb() == "get" &&
a.GetPath() == "/metrics" {
return authorizer.DecisionAllow, "requesting metrics is allowed", nil
}

return authorizer.DecisionNoOpinion, "", nil
}

// NewHardCodedMetricsAuthorizer returns a hardcoded authorizer for checking metrics.
func NewHardCodedMetricsAuthorizer() *metricsAuthorizer {
return new(metricsAuthorizer)
}
67 changes: 67 additions & 0 deletions pkg/hardcodedauthorizer/metrics_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
/*
Copyright 2021 Frederic Branczyk All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package hardcodedauthorizer

import (
"context"
"testing"

"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
)

func TestAuthorizer(t *testing.T) {
tests := []struct {
name string
authorizer authorizer.Authorizer

shouldPass []authorizer.Attributes
shouldNoOpinion []authorizer.Attributes
}{
{
name: "metrics",
authorizer: NewHardCodedMetricsAuthorizer(),
shouldPass: []authorizer.Attributes{
authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/metrics"},
},
shouldNoOpinion: []authorizer.Attributes{
// wrong user
authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "other"}, Verb: "get", Path: "/metrics"},
// wrong verb
authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "update", Path: "/metrics"},

// wrong path
authorizer.AttributesRecord{User: &user.DefaultInfo{Name: "system:serviceaccount:openshift-monitoring:prometheus-k8s"}, Verb: "get", Path: "/api"},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
for _, attr := range tt.shouldPass {
if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionAllow {
t.Errorf("incorrectly restricted %v", attr)
}
}

for _, attr := range tt.shouldNoOpinion {
if decision, _, _ := tt.authorizer.Authorize(context.Background(), attr); decision != authorizer.DecisionNoOpinion {
t.Errorf("incorrectly opinionated %v", attr)
}
}
})
}
}
106 changes: 106 additions & 0 deletions vendor/k8s.io/apiserver/pkg/authorization/union/union.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions vendor/modules.txt
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,7 @@ k8s.io/apiserver/pkg/authentication/token/tokenfile
k8s.io/apiserver/pkg/authentication/user
k8s.io/apiserver/pkg/authorization/authorizer
k8s.io/apiserver/pkg/authorization/authorizerfactory
k8s.io/apiserver/pkg/authorization/union
k8s.io/apiserver/pkg/endpoints/request
k8s.io/apiserver/pkg/server/dynamiccertificates
k8s.io/apiserver/pkg/server/egressselector
Expand Down

0 comments on commit 794f9de

Please sign in to comment.