Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
dd756180
Unverified
Commit
dd756180
authored
Mar 02, 2017
by
Jordan Liggitt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Authorize PSP usage for pods without service accounts
parent
2b6e318e
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
6 additions
and
8 deletions
+6
-8
admission.go
plugin/pkg/admission/security/podsecuritypolicy/admission.go
+3
-4
admission_test.go
...kg/admission/security/podsecuritypolicy/admission_test.go
+3
-4
No files found.
plugin/pkg/admission/security/podsecuritypolicy/admission.go
View file @
dd756180
...
@@ -288,7 +288,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
...
@@ -288,7 +288,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
}
}
for
_
,
constraint
:=
range
list
{
for
_
,
constraint
:=
range
list
{
if
authorizedForPolicy
(
user
,
constraint
,
authz
)
||
authorizedForPolicy
(
sa
,
constraint
,
authz
)
{
// if no user info exists then the API is being hit via the unsecured port. In this case authorize the request.
if
user
==
nil
||
authorizedForPolicy
(
user
,
constraint
,
authz
)
||
authorizedForPolicy
(
sa
,
constraint
,
authz
)
{
matchedPolicies
=
append
(
matchedPolicies
,
constraint
)
matchedPolicies
=
append
(
matchedPolicies
,
constraint
)
}
}
}
}
...
@@ -298,10 +299,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
...
@@ -298,10 +299,8 @@ func getMatchingPolicies(lister extensionslisters.PodSecurityPolicyLister, user
// authorizedForPolicy returns true if info is authorized to perform a "get" on policy.
// authorizedForPolicy returns true if info is authorized to perform a "get" on policy.
func
authorizedForPolicy
(
info
user
.
Info
,
policy
*
extensions
.
PodSecurityPolicy
,
authz
authorizer
.
Authorizer
)
bool
{
func
authorizedForPolicy
(
info
user
.
Info
,
policy
*
extensions
.
PodSecurityPolicy
,
authz
authorizer
.
Authorizer
)
bool
{
// if no info exists then the API is being hit via the unsecured port. In this case
// authorize the request.
if
info
==
nil
{
if
info
==
nil
{
return
tru
e
return
fals
e
}
}
attr
:=
buildAttributes
(
info
,
policy
)
attr
:=
buildAttributes
(
info
,
policy
)
allowed
,
reason
,
err
:=
authz
.
Authorize
(
attr
)
allowed
,
reason
,
err
:=
authz
.
Authorize
(
attr
)
...
...
plugin/pkg/admission/security/podsecuritypolicy/admission_test.go
View file @
dd756180
...
@@ -1610,7 +1610,7 @@ func TestGetMatchingPolicies(t *testing.T) {
...
@@ -1610,7 +1610,7 @@ func TestGetMatchingPolicies(t *testing.T) {
// (ie. a request hitting the unsecure port)
// (ie. a request hitting the unsecure port)
expectedPolicies
:
sets
.
NewString
(
"policy1"
,
"policy2"
,
"policy3"
),
expectedPolicies
:
sets
.
NewString
(
"policy1"
,
"policy2"
,
"policy3"
),
},
},
"policies are allowed for nil sa info"
:
{
"policies are
not
allowed for nil sa info"
:
{
user
:
&
user
.
DefaultInfo
{
Name
:
"user"
},
user
:
&
user
.
DefaultInfo
{
Name
:
"user"
},
sa
:
nil
,
sa
:
nil
,
disallowedPolicies
:
map
[
string
][]
string
{
disallowedPolicies
:
map
[
string
][]
string
{
...
@@ -1622,9 +1622,8 @@ func TestGetMatchingPolicies(t *testing.T) {
...
@@ -1622,9 +1622,8 @@ func TestGetMatchingPolicies(t *testing.T) {
policyWithName
(
"policy2"
),
policyWithName
(
"policy2"
),
policyWithName
(
"policy3"
),
policyWithName
(
"policy3"
),
},
},
// all policies are allowed regardless of the permissions when sa info is nil
// only the policies for the user are allowed when sa info is nil
// (ie. a request hitting the unsecure port)
expectedPolicies
:
sets
.
NewString
(
"policy2"
),
expectedPolicies
:
sets
.
NewString
(
"policy1"
,
"policy2"
,
"policy3"
),
},
},
}
}
for
k
,
v
:=
range
tests
{
for
k
,
v
:=
range
tests
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment