Perform all namespace access check (#333)
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha authored Sep 11, 2024
1 parent 2c8ce06 commit 92935e4
Showing 8 changed files with 115 additions and 55 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -49,7 +49,7 @@ require (
kmodules.xyz/custom-resources v0.30.0
kmodules.xyz/go-containerregistry v0.0.12
kmodules.xyz/monitoring-agent-api v0.29.0
kmodules.xyz/resource-metadata v0.18.13-0.20240908185540-fa8ef486973e
kmodules.xyz/resource-metadata v0.18.13-0.20240911040707-0451a5c4bbeb
kmodules.xyz/resource-metrics v0.30.4
kmodules.xyz/resource-metrics/utils v0.30.4
kmodules.xyz/sets v0.29.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -922,8 +922,8 @@ kmodules.xyz/monitoring-agent-api v0.29.0 h1:gpFl6OZrlMLb/ySMHdREI9EwGtnJ91oZBn9
kmodules.xyz/monitoring-agent-api v0.29.0/go.mod h1:iNbvaMTgVFOI5q2LJtGK91j4Dmjv4ZRiRdasGmWLKQI=
kmodules.xyz/offshoot-api v0.30.0 h1:dq9F93pu4Q8rL9oTcCk+vGGy8vpS7RNt0GSwx7Bvhec=
kmodules.xyz/offshoot-api v0.30.0/go.mod h1:o9VoA3ImZMDBp3lpLb8+kc2d/KBxioRwCpaKDfLIyDw=
kmodules.xyz/resource-metadata v0.18.13-0.20240908185540-fa8ef486973e h1:PcKUBcb60nuswPKqb7SsVZ04Qk2S8sTyq200eX88dZ8=
kmodules.xyz/resource-metadata v0.18.13-0.20240908185540-fa8ef486973e/go.mod h1:t1tu60j9i2EduufyYBjz7h3vPymfHb9mqv5a+EvSjzo=
kmodules.xyz/resource-metadata v0.18.13-0.20240911040707-0451a5c4bbeb h1:7744OQAOxB96MYUa5op80/zC8KYXmtrN8AmbUwGqEmc=
kmodules.xyz/resource-metadata v0.18.13-0.20240911040707-0451a5c4bbeb/go.mod h1:t1tu60j9i2EduufyYBjz7h3vPymfHb9mqv5a+EvSjzo=
kmodules.xyz/resource-metrics v0.30.4 h1:8HBPtYmo9ETY91gsc55JE8Z986+3ZuRq57M0wZ9npqI=
kmodules.xyz/resource-metrics v0.30.4/go.mod h1:w9+rz7/s/kGP1GWzYSuRdCn+l7EwpesmESSEHkLBnIQ=
kmodules.xyz/resource-metrics/utils v0.30.4 h1:bJS/x0Qr7N1FFdxugFbzZ/Es6HVs4ptsFlhkmgj3jac=
136 changes: 87 additions & 49 deletions pkg/registry/identity/selfsubjectnamespaceaccessreview/storage.go
Expand Up @@ -26,6 +26,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/registry/rest"
"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -95,65 +96,37 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat

allowedNs := make([]core.Namespace, 0, len(list.Items))
for _, ns := range list.Items {
allowed := true

for _, attr := range in.Spec.ResourceAttributes {
attr.Namespace = ns.Name
review := &authorization.LocalSubjectAccessReview{
ObjectMeta: metav1.ObjectMeta{
Namespace: ns.Name,
},
Spec: authorization.SubjectAccessReviewSpec{
ResourceAttributes: &attr,
NonResourceAttributes: nil,
User: user.GetName(),
Groups: user.GetGroups(),
Extra: extra,
UID: user.GetUID(),
},
}
review, err = r.kc.AuthorizationV1().LocalSubjectAccessReviews(ns.Name).Create(ctx, review, metav1.CreateOptions{})
if err != nil {
return nil, err
}
if !review.Status.Allowed {
allowed = false
break
}
allowed, err := r.hasNamespaceResourceAccess(ctx, in, ns, user, extra)
if err != nil {
return nil, err
}
for _, attr := range in.Spec.NonResourceAttributes {
review := &authorization.LocalSubjectAccessReview{
ObjectMeta: metav1.ObjectMeta{
Namespace: ns.Name,
},
Spec: authorization.SubjectAccessReviewSpec{
ResourceAttributes: nil,
NonResourceAttributes: &attr,
User: user.GetName(),
Groups: user.GetGroups(),
Extra: extra,
UID: user.GetUID(),
},
}
review, err = r.kc.AuthorizationV1().LocalSubjectAccessReviews(ns.Name).Create(ctx, review, metav1.CreateOptions{})
if err != nil {
return nil, err
}
if !review.Status.Allowed {
allowed = false
break
}
if allowed {
allowedNs = append(allowedNs, ns)
}
}

// check for all namespaces
{
allowed, err := r.hasAllNamespaceResourceAccess(ctx, in)
if err != nil {
return nil, err
}
if allowed {
allowedNs = append(allowedNs, ns)
allowed, err = r.hasNonResourceAccess(ctx, in)
if err != nil {
return nil, err
}
}
in.Status.AllNamespaces = allowed
}

if clustermeta.IsRancherManaged(r.rtc.RESTMapper()) {
projects := map[string][]string{}
for _, ns := range allowedNs {
projectId := ns.Labels[clustermeta.LabelKeyRancherFieldProjectId]
projectId, exists := ns.Labels[clustermeta.LabelKeyRancherFieldProjectId]
if !exists {
projectId = clustermeta.FakeRancherProjectId
}
projects[projectId] = append(projects[projectId], ns.Name)
}

Expand All @@ -174,3 +147,68 @@ func (r *Storage) Create(ctx context.Context, obj runtime.Object, _ rest.Validat

return in, nil
}

func (r *Storage) hasNonResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview) (bool, error) {
for _, attr := range in.Spec.NonResourceAttributes {
review := &authorization.SelfSubjectAccessReview{
Spec: authorization.SelfSubjectAccessReviewSpec{
NonResourceAttributes: &attr,
},
}
review, err := r.kc.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
if err != nil {
return false, err
}
if !review.Status.Allowed {
return false, nil
}
}
return true, nil
}

func (r *Storage) hasAllNamespaceResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview) (bool, error) {
for _, attr := range in.Spec.ResourceAttributes {
attr.Namespace = ""
review := &authorization.SelfSubjectAccessReview{
Spec: authorization.SelfSubjectAccessReviewSpec{
ResourceAttributes: &attr,
NonResourceAttributes: nil,
},
}
review, err := r.kc.AuthorizationV1().SelfSubjectAccessReviews().Create(ctx, review, metav1.CreateOptions{})
if err != nil {
return false, err
}
if !review.Status.Allowed {
return false, nil
}
}
return true, nil
}

func (r *Storage) hasNamespaceResourceAccess(ctx context.Context, in *identityapi.SelfSubjectNamespaceAccessReview, ns core.Namespace, user user.Info, extra map[string]authorization.ExtraValue) (bool, error) {
for _, attr := range in.Spec.ResourceAttributes {
attr.Namespace = ns.Name
review := &authorization.LocalSubjectAccessReview{
ObjectMeta: metav1.ObjectMeta{
Namespace: ns.Name,
},
Spec: authorization.SubjectAccessReviewSpec{
ResourceAttributes: &attr,
NonResourceAttributes: nil,
User: user.GetName(),
Groups: user.GetGroups(),
Extra: extra,
UID: user.GetUID(),
},
}
review, err := r.kc.AuthorizationV1().LocalSubjectAccessReviews(ns.Name).Create(ctx, review, metav1.CreateOptions{})
if err != nil {
return false, err
}
if !review.Status.Allowed {
return false, nil
}
}
return true, nil
}

Expand Up @@ -64,8 +64,9 @@ type SelfSubjectNamespaceAccessReviewSpec struct {
}

type SubjectAccessNamespaceReviewStatus struct {
Namespaces []string `json:"namespaces,omitempty"`
Projects map[string][]string `json:"projects,omitempty"`
AllNamespaces bool `json:"allNamespaces"`
Namespaces []string `json:"namespaces,omitempty"`
Projects map[string][]string `json:"projects,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
Expand Up @@ -96,6 +96,8 @@ spec:
description: Status is filled in by the server and indicates whether the
request is allowed or not
properties:
allNamespaces:
type: boolean
namespaces:
items:
type: string
Expand All @@ -106,6 +108,8 @@ spec:
type: string
type: array
type: object
required:
- allNamespaces
type: object
required:
- spec
Expand Up @@ -15,3 +15,12 @@ spec:
name: clickhousebindings
scope: Namespaced
version: v1alpha1
ui:
editor:
name: catalogappscodecom-clickhousebinding-editor
sourceRef:
apiGroup: source.toolkit.fluxcd.io
kind: HelmRepository
name: appscode-charts-oci
version: v0.5.0
enforceQuota: false
2 changes: 1 addition & 1 deletion vendor/modules.txt
Expand Up @@ -2011,7 +2011,7 @@ kmodules.xyz/monitoring-agent-api/client
## explicit; go 1.22.0
kmodules.xyz/offshoot-api/api/v1
kmodules.xyz/offshoot-api/api/v2
# kmodules.xyz/resource-metadata v0.18.13-0.20240908185540-fa8ef486973e
# kmodules.xyz/resource-metadata v0.18.13-0.20240911040707-0451a5c4bbeb
## explicit; go 1.22.1
kmodules.xyz/resource-metadata/apis/core/install
kmodules.xyz/resource-metadata/apis/core/v1alpha1