
WIP
Signed-off-by: Peter Hunt <[email protected]>
haircommander committed Dec 5, 2024
1 parent f9dd6fa commit 886e123
Showing 2 changed files with 10 additions and 0 deletions.
Expand Up @@ -13,6 +13,7 @@ import (
v1listers "k8s.io/client-go/listers/core/v1"
cache "k8s.io/client-go/tools/cache"
"k8s.io/component-base/featuregate"
"k8s.io/klog/v2"
api "k8s.io/kubernetes/pkg/apis/core"
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
)
Expand Down Expand Up @@ -53,10 +54,12 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori
nodeName, isNode := m.nodeIdentifier.NodeIdentity(attrs.GetUser())
if !isNode {
// ignore requests from non-nodes
klog.Infof("XXXXXXXX not a node %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, "", nil
}

if len(nodeName) == 0 {
klog.Infof("XXXXXXXX empty node name %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, fmt.Sprintf("unknown node for user %q", attrs.GetUser().GetName()), nil
}

Expand All @@ -67,26 +70,32 @@ func (m *minimumKubeletVersionAuth) Authorize(ctx context.Context, attrs authori
switch requestResource {
case api.Resource("nodes"):
if v := attrs.GetVerb(); v == "get" || v == "update" {
klog.Infof("XXXXXXXX node get or update %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, "", nil
}
// TODO(haircommander): do we need other flavors of access reviews here?
case api.Resource("subjectaccessreviews"):
klog.Infof("XXXXXXXX SAR %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, "", nil
}
}

if !m.hasNodeInformerSyncedFn() {
klog.Infof("XXXXXXXX not synced %v", attrs.GetUser())
return authorizer.DecisionNoOpinion, fmt.Sprintf("node informer not synced, cannot check if node %s is new enough", nodeName), nil
}

node, err := m.nodeLister.Get(nodeName)
if err != nil {
klog.Infof("XXXXXXXX failed to get node %s %v", nodeName, attrs.GetUser())
return authorizer.DecisionNoOpinion, fmt.Sprintf("failed to get node %s: %v", nodeName, err), nil
}

if err := nodelib.IsNodeTooOld(node, m.minVersion); err != nil {
klog.Infof("XXXXXXXX node too old %s %v", nodeName, attrs.GetUser())
return authorizer.DecisionDeny, err.Error(), nil
}

klog.Infof("XXXXXXXX OK %s", attrs.GetUser())
return authorizer.DecisionNoOpinion, "", nil
}
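Review bot: The nine `klog.Infof("XXXXXXXX …", attrs.GetUser())` calls added across Authorize run at the default verbosity on every request that reaches this authorizer, and each one writes the caller's whole user.Info (name, UID, groups, extra) into the apiserver log, which is both a log-volume problem and an unnecessary exposure of identity data. The `WIP` title suggests they are temporary, but any that are meant to stay should be gated and trimmed, e.g. `klog.V(5).Infof("minimumkubeletversion: node %q too old for user %q", nodeName, attrs.GetUser().GetName())`. The final one also uses `%s` for the user.Info value where every other line uses `%v`, so the printf vet check will likely flag it; `klog.Infof("XXXXXXXX OK %v", attrs.GetUser())` matches the rest. Authorize's opening lines and the guard around the resource switch lie outside these hunks.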
1 change: 1 addition & 0 deletions pkg/kubeapiserver/authorizer/reload.go
Expand Up @@ -176,6 +176,7 @@ func (r *reloadableAuthorizerResolver) newForConfig(authzConfig *authzconfig.Aut
// no browsersafeauthorizer here becase that rewrites the resources. This authorizer matches no matter which resource matches.
authorizers = append(authorizers, authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup))
case authzconfig.AuthorizerType(modes.ModeMinimumKubeletVersion):
klog.Infof("XXXXX have min kubelet verison")
// Add MinimumKubeletVerison authorizer, to block a node from being able to access most resources if it's not new enough.
// We must do so here instead of in pkg/apiserver because it relies on a node informer, which is not present in generic control planes.
authorizers = append(authorizers, minimumkubeletversion.NewMinimumKubeletVersion(
Expand Down
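Review bot: `klog.Infof("XXXXX have min kubelet verison")` logs at the default verbosity every time newForConfig builds the authorizer chain and misspells "version"; if it is meant to outlive the WIP stage, gate it and fix the spelling, e.g. `klog.V(2).Infof("adding MinimumKubeletVersion authorizer")`. Whether reload.go already imports klog is not visible in this hunk, so confirm the import if the line stays. The enclosing switch in newForConfig begins before the hunk and the NewMinimumKubeletVersion call continues past it.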
