Unverified Commit 8f71d6d8 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #58598 from WanLinghao/rbac_improve

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. add a comment on specical case on authorization In file /staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go, function WithAuthorization() returns DecisionAllow before error check. It is intentional to avoid leaking authorization errors to attackers. This patch add a comment here to give a hint **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
parents 97196078 983435bd
...@@ -47,6 +47,7 @@ func WithAuthorization(handler http.Handler, requestContextMapper request.Reques ...@@ -47,6 +47,7 @@ func WithAuthorization(handler http.Handler, requestContextMapper request.Reques
return return
} }
authorized, reason, err := a.Authorize(attributes) authorized, reason, err := a.Authorize(attributes)
// an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
if authorized == authorizer.DecisionAllow { if authorized == authorizer.DecisionAllow {
handler.ServeHTTP(w, req) handler.ServeHTTP(w, req)
return return
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment