feat: add auth check when listing kinds (#325)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

backend/pkg/auth/auth.go

@@ -0,0 +1,34 @@
+package auth
+
+import (
+	"context"
+
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+)
+
+// AuthResult contains authorization check result
+type AuthResult struct {
+	Allowed         bool
+	Reason          string
+	EvaluationError string
+}
+
+// AuthChecker provides utility to check authorization
+type AuthChecker interface {
+	// Check checks if the caller can perform an operation
+	Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error)
+}
+
+func NewSelfChecker(client authorizationv1client.SelfSubjectAccessReviewInterface) AuthChecker {
+	return self{
+		client: client,
+	}
+}
+
+func NewSubjectChecker(client authorizationv1client.SubjectAccessReviewInterface, user string, groups []string) AuthChecker {
+	return subject{
+		client: client,
+		user:   user,
+		groups: groups,
+	}
+}

backend/pkg/auth/helpers.go

@@ -0,0 +1,18 @@
+package auth
+
+import (
+	"context"
+)
+
+func Check(ctx context.Context, checker AuthChecker, group, version, resource, subresource, namespace string, verbs ...string) (bool, error) {
+	for _, verb := range verbs {
+		result, err := checker.Check(ctx, group, version, resource, subresource, namespace, verb)
+		if err != nil {
+			return false, err
+		}
+		if !result.Allowed {
+			return false, nil
+		}
+	}
+	return true, nil
+}

backend/pkg/auth/self.go

@@ -0,0 +1,37 @@
+package auth
+
+import (
+	"context"
+
+	authorizationv1 "k8s.io/api/authorization/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+)
+
+type self struct {
+	client authorizationv1client.SelfSubjectAccessReviewInterface
+}
+
+func (c self) Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error) {
+	review := &authorizationv1.SelfSubjectAccessReview{
+		Spec: authorizationv1.SelfSubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Group:       group,
+				Version:     version,
+				Resource:    resource,
+				Subresource: subresource,
+				Namespace:   namespace,
+				Verb:        verb,
+			},
+		},
+	}
+	resp, err := c.client.Create(ctx, review, metav1.CreateOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return &AuthResult{
+		Allowed:         resp.Status.Allowed,
+		Reason:          resp.Status.Reason,
+		EvaluationError: resp.Status.EvaluationError,
+	}, nil
+}

backend/pkg/auth/subject.go

@@ -0,0 +1,41 @@
+package auth
+
+import (
+	"context"
+
+	authorizationv1 "k8s.io/api/authorization/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	authorizationv1client "k8s.io/client-go/kubernetes/typed/authorization/v1"
+)
+
+type subject struct {
+	client authorizationv1client.SubjectAccessReviewInterface
+	user   string
+	groups []string
+}
+
+func (c subject) Check(ctx context.Context, group, version, resource, subresource, namespace, verb string) (*AuthResult, error) {
+	review := &authorizationv1.SubjectAccessReview{
+		Spec: authorizationv1.SubjectAccessReviewSpec{
+			ResourceAttributes: &authorizationv1.ResourceAttributes{
+				Group:       group,
+				Version:     version,
+				Resource:    resource,
+				Subresource: subresource,
+				Namespace:   namespace,
+				Verb:        verb,
+			},
+			User:   c.user,
+			Groups: c.groups,
+		},
+	}
+	resp, err := c.client.Create(ctx, review, metav1.CreateOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return &AuthResult{
+		Allowed:         resp.Status.Allowed,
+		Reason:          resp.Status.Reason,
+		EvaluationError: resp.Status.EvaluationError,
+	}, nil
+}

backend/pkg/cluster/cluster.go

@@ -16,6 +16,8 @@ import (
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+
+	"github.com/kyverno/playground/backend/pkg/auth"
 )
 
 type SearchResult struct {
@@ -65,10 +67,11 @@ func New(restConfig *rest.Config) (Cluster, error) {
 	return cluster{kubeClient, kyvernoClient, NewWrapper(dClient)}, nil
 }
 
-func (c cluster) Kinds(_ context.Context, excludeGroups ...string) ([]Resource, error) {
+func (c cluster) Kinds(ctx context.Context, excludeGroups ...string) ([]Resource, error) {
 	excluded := sets.New(excludeGroups...)
 	disco := c.kubeClient.Discovery()
 	_, resources, err := disco.ServerGroupsAndResources()
+	checker := auth.NewSelfChecker(c.kubeClient.AuthorizationV1().SelfSubjectAccessReviews())
 	var kinds []Resource
 	for _, group := range resources {
 		gv, err := schema.ParseGroupVersion(group.GroupVersion)
@@ -84,11 +87,17 @@ func (c cluster) Kinds(_ context.Context, excludeGroups ...string) ([]Resource,
 			}
 			verbs := sets.New(resource.Verbs...)
 			if verbs.Has("get") && verbs.Has("list") {
-				kinds = append(kinds, Resource{
-					APIVersion:    group.GroupVersion,
-					Kind:          resource.Kind,
-					ClusterScoped: !resource.Namespaced,
-				})
+				allowed, err := auth.Check(ctx, checker, gv.Group, gv.Version, resource.Name, "", "", "get", "list")
+				if err != nil {
+					continue
+				}
+				if allowed {
+					kinds = append(kinds, Resource{
+						APIVersion:    group.GroupVersion,
+						Kind:          resource.Kind,
+						ClusterScoped: !resource.Namespaced,
+					})
+				}
 			}
 		}
 	}

backend/pkg/utils/rest.go

@@ -8,5 +8,11 @@ import (
 func RestConfig(overrides clientcmd.ConfigOverrides) (*rest.Config, error) {
 	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
 	kubeConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &overrides)
-	return kubeConfig.ClientConfig()
+	config, err := kubeConfig.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	config.QPS = 300
+	config.Burst = 300
+	return config, nil
 }