/*
Copyright 2022 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validatingadmissionpolicy

import (
	"context"
	"fmt"

	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apiserver/pkg/authorization/authorizer"
	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/kubernetes/pkg/apis/admissionregistration"
	rbacregistry "k8s.io/kubernetes/pkg/registry/rbac"
)

// authorizeCreate gates creation of a ValidatingAdmissionPolicy that declares a
// paramKind: the requesting user must be able to read the referenced resource
// (see authorize). A policy with no paramKind needs no additional check.
func (v *validatingAdmissionPolicyStrategy) authorizeCreate(ctx context.Context, obj runtime.Object) error {
	newPolicy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	if newPolicy.Spec.ParamKind != nil {
		return v.authorize(ctx, newPolicy)
	}
	// nothing references params, so there is nothing to authorize
	return nil
}

// authorizeUpdate re-runs the paramKind read check only when the update
// introduces a paramKind or changes it. An update that keeps the existing
// paramKind byte-for-byte is not re-authorized; clearing it needs no check.
func (v *validatingAdmissionPolicyStrategy) authorizeUpdate(ctx context.Context, obj, old runtime.Object) error {
	newPolicy := obj.(*admissionregistration.ValidatingAdmissionPolicy)
	newKind := newPolicy.Spec.ParamKind
	if newKind == nil {
		// the updated object references no params
		return nil
	}

	oldKind := old.(*admissionregistration.ValidatingAdmissionPolicy).Spec.ParamKind
	if oldKind != nil && *oldKind == *newKind {
		// paramKind unchanged by this update; nothing new is being granted
		return nil
	}

	return v.authorize(ctx, newPolicy)
}

// authorize requires that the user carried in ctx can "get" every object of the
// policy's paramKind, cluster-wide (name "*", namespace "*"). NOTE(review): the
// intent appears to be that a policy author cannot use paramKind to reach objects
// they could not read directly; that rationale is inferred from the shape of the
// check rather than stated here — confirm against the admission plugin.
//
// Caveats a deployer should know:
//   - A nil v.authorizer skips the check entirely (fails open). Only construct
//     the strategy without an authorizer in tests.
//   - Superusers, as decided by rbacregistry.EscalationAllowed, bypass the check.
//   - An unparseable apiVersion or an unresolvable kind widens the requirement to
//     "*" for the unresolved component, so resolution failures demand more
//     privilege rather than less (fail closed).
//   - The request is made with Name "*", so an RBAC rule limited to specific
//     resourceNames is presumably not sufficient — verify against the RBAC matcher.
//
// Returns nil when the check passes or is skipped, the authorizer's error if it
// fails to decide, and a descriptive error when the decision is anything other
// than DecisionAllow.
func (v *validatingAdmissionPolicyStrategy) authorize(ctx context.Context, policy *admissionregistration.ValidatingAdmissionPolicy) error {
	paramKind := policy.Spec.ParamKind
	if paramKind == nil || v.authorizer == nil {
		return nil
	}

	// superuser: no further checks
	if rbacregistry.EscalationAllowed(ctx) {
		return nil
	}

	requester, found := genericapirequest.UserFrom(ctx)
	if !found {
		// fail closed: with no identity there is nobody to grant access to
		return fmt.Errorf("cannot identify user to authorize read access to paramKind resources")
	}

	// Start from the broadest possible requirement (get on every
	// group/version/resource) and narrow each component only as far as the
	// paramKind can actually be parsed and resolved.
	attrs := authorizer.AttributesRecord{
		User:            requester,
		Verb:            "get",
		ResourceRequest: true,
		Name:            "*",
		Namespace:       "*",
		APIGroup:        "*",
		APIVersion:      "*",
		Resource:        "*",
	}
	if gv, parseErr := schema.ParseGroupVersion(paramKind.APIVersion); parseErr == nil {
		// group/version is known; only that group/version needs authorizing
		attrs.APIGroup, attrs.APIVersion = gv.Group, gv.Version
		if gvr, resolveErr := v.resourceResolver.Resolve(gv.WithKind(paramKind.Kind)); resolveErr == nil {
			// kind resolved to a concrete resource; narrow to it
			attrs.Resource = gvr.Resource
		}
	}

	// The authorizer's reason string is deliberately not surfaced to the caller.
	decision, _, err := v.authorizer.Authorize(ctx, attrs)
	if err != nil {
		return err
	}
	if decision != authorizer.DecisionAllow {
		return fmt.Errorf(`user %v must have "get" permission on all objects of the referenced paramKind (kind=%s, apiVersion=%s)`, requester, paramKind.Kind, paramKind.APIVersion)
	}
	return nil
}