WIP
Signed-off-by: Peter Hunt <[email protected]>
haircommander committed Nov 25, 2024
1 parent 81b6e0a commit 7b5c4a2
Showing 1 changed file with 10 additions and 0 deletions.
Expand Up @@ -10,6 +10,7 @@ import (
"k8s.io/apiserver/pkg/authorization/authorizer"
v1listers "k8s.io/client-go/listers/core/v1"
cache "k8s.io/client-go/tools/cache"
"k8s.io/klog/v2"
"k8s.io/kubernetes/openshift-kube-apiserver/enablement"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
Expand Down Expand Up @@ -44,16 +45,19 @@ func NewMinimumKubeletVersion(nodeIdentifier nodeidentifier.NodeIdentifier,

func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
if m.minVersion == nil {
klog.Infof("min version nil")
return authorizer.DecisionNoOpinion, "", nil
}

nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser())
if !isNode {
// ignore requests from non-nodes
klog.Infof("not a node %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, "", nil
}

if len(nodeName) == 0 {
klog.Infof("empty node name", attrs.GetUser())
return authorizer.DecisionNoOpinion, fmt.Sprintf("unknown node for user %q", attrs.GetUser().GetName()), nil
}

Expand All @@ -64,22 +68,28 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori
switch requestResource {
case api.Resource("nodes"):
if v := attrs.GetVerb(); v == "get" || v == "update" {
klog.Infof("node get or update")
return authorizer.DecisionNoOpinion, "", nil
}
// TODO(haircommander): do we need other flavors of access reviews here?
case api.Resource("subjectaccessreviews"):
klog.Infof("SAR")
return authorizer.DecisionNoOpinion, "", nil
}
}

node, err := m.nodeLister.Get(nodeName)
if err != nil {
klog.Infof("failed to get node %s", nodeName)
return authorizer.DecisionNoOpinion, fmt.Sprintf("failed to get node %s: %v", nodeName, err), nil
}

if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil {
klog.Infof("node too old", nodeName)
return authorizer.DecisionDeny, err.Error(), nil
}

klog.Infof("OK")
return authorizer.DecisionDeny, err.Error(), nil
return authorizer.DecisionNoOpinion, "", nil
}
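Review bot: The added `return authorizer.DecisionDeny, err.Error(), nil` right after `klog.Infof("OK")` at the end of Authorize breaks the success path: the `err` declared in `if err := nodelib.IsNodeTooOld(...)` is out of scope there, so the only `err` visible is the one from `m.nodeLister.Get`, which is nil on this path, and `err.Error()` would panic rather than return, while the original `return authorizer.DecisionNoOpinion, "", nil` below it becomes unreachable. Drop that line so a node that passes the version check falls through to NoOpinion. Separately, `klog.Infof("empty node name", attrs.GetUser())` and `klog.Infof("node too old", nodeName)` pass arguments with no format verb (e.g. `klog.Infof("node too old: %s", nodeName)`), and `klog.Infof("not a node %v", attrs.GetUser())` writes the full user info to the log on every non-node request, so these traces look better behind `klog.V(4)` or removed before merge. The part of Authorize between the second and third hunks is not shown on the page.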
