From 0e9a952d64ab86d8a728444473fff90d8d8c2f66 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Fri, 8 Nov 2019 18:56:24 -0800 Subject: [PATCH] get rbac info for an admission request --- pkg/webhooks/rbac.go | 363 +++++++++++++++++++++++++++++++++++++++++ pkg/webhooks/server.go | 11 +- 2 files changed, 372 insertions(+), 2 deletions(-) create mode 100644 pkg/webhooks/rbac.go diff --git a/pkg/webhooks/rbac.go b/pkg/webhooks/rbac.go new file mode 100644 index 0000000000..d456fb4741 --- /dev/null +++ b/pkg/webhooks/rbac.go @@ -0,0 +1,363 @@ +package webhooks + +import ( + "fmt" + "strings" + + "github.com/golang/glog" + client "github.com/nirmata/kyverno/pkg/dclient" + engine "github.com/nirmata/kyverno/pkg/engine" + v1beta1 "k8s.io/api/admission/v1beta1" + authenticationv1 "k8s.io/api/authentication/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" +) + +func getRoleRef(client *client.Client, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) { + nsList, err := client.ListResource("Namespace", "", metav1.ListOptions{}) + if err != nil { + return nil, nil, fmt.Errorf("failed to get namespace list: %v", err) + } + + // rolebindings + for _, ns := range nsList.Items { + roleBindings, err := client.ListResource("RoleBindings", ns.GetName(), metav1.ListOptions{}) + if err != nil { + return roles, clusterRoles, fmt.Errorf("failed to list rolebindings: %v", err) + } + + rs, crs, err := getRoleRefByRoleBindings(roleBindings, request.UserInfo) + if err != nil { + return roles, clusterRoles, err + } + roles = append(roles, rs...) + clusterRoles = append(clusterRoles, crs...) + } + + // clusterrolebindings + clusterroleBindings, err := client.ListResource("ClusterRoleBindings", "", metav1.ListOptions{}) + if err != nil { + return roles, clusterRoles, fmt.Errorf("failed to list clusterrolebindings: %v", err) + } + + crs, err := getRoleRefByClusterRoleBindings(clusterroleBindings, request.UserInfo) + if err != nil { + return roles, clusterRoles, err + } + clusterRoles = append(clusterRoles, crs...) + + return roles, clusterRoles, nil +} + +func getRoleRefByRoleBindings(roleBindings *unstructured.UnstructuredList, userInfo authenticationv1.UserInfo) (roles []string, clusterRoles []string, err error) { + for _, rolebinding := range roleBindings.Items { + rb := rolebinding.UnstructuredContent() + subjects, ok := rb["subjects"] + if !ok { + return nil, nil, fmt.Errorf("%s/%s/%s has no subjects field", rolebinding.GetKind(), rolebinding.GetNamespace(), rolebinding.GetName()) + } + + for _, subject := range subjects.([]map[string]interface{}) { + if !matchSubjectsMap(subject, userInfo) { + continue + } + + roleRef, ok := subject["roleRef"] + if !ok { + return nil, nil, fmt.Errorf("%s/%s/%s has no roleRef", rolebinding.GetKind(), rolebinding.GetNamespace(), rolebinding.GetName()) + } + + roleRefMap := roleRef.(map[string]interface{}) + switch roleRefMap["kind"] { + case "role": + roles = append(roles, rolebinding.GetNamespace()+":"+roleRefMap["name"].(string)) + case "clusterRole": + clusterRoles = append(clusterRoles, roleRefMap["name"].(string)) + } + } + } + + return roles, clusterRoles, nil +} + +// RoleRef in ClusterRoleBindings can only reference a ClusterRole in the global namespace +func getRoleRefByClusterRoleBindings(clusterroleBindings *unstructured.UnstructuredList, userInfo authenticationv1.UserInfo) (clusterRoles []string, err error) { + for _, clusterRoleBinding := range clusterroleBindings.Items { + crb := clusterRoleBinding.UnstructuredContent() + subjects, ok := crb["subjects"] + if !ok { + return nil, fmt.Errorf("%s/%s has no subjects field", clusterRoleBinding.GetKind(), clusterRoleBinding.GetName()) + } + + for _, subject := range subjects.([]map[string]interface{}) { + if !matchSubjectsMap(subject, userInfo) { + continue + } + + roleRef, ok := subject["roleRef"] + if !ok { + return nil, fmt.Errorf("%s/%s has no roleRef", clusterRoleBinding.GetKind(), clusterRoleBinding.GetName()) + } + + roleRefMap := roleRef.(map[string]interface{}) + if roleRefMap["kind"] == "clusterRole" { + clusterRoles = append(clusterRoles, roleRefMap["name"].(string)) + } + } + } + return clusterRoles, nil +} + +// matchSubjectsMap checks if userInfo found in subject +// return true directly if found a match +// subject["kind"] can only be ServiceAccount, User and Group +func matchSubjectsMap(subject map[string]interface{}, userInfo authenticationv1.UserInfo) bool { + // ServiceAccount + if isServiceaccountUserInfo(userInfo.Username) { + if matchServiceAccount(subject, userInfo) { + return true + } + } + + // User or Group + if matchUserOrGroup(subject, userInfo) { + return true + } + + return false +} + +func isServiceaccountUserInfo(username string) bool { + if strings.Contains(username, engine.SaPrefix) { + return true + } + return false +} + +// matchServiceAccount checks if userInfo sa matche the subject sa +// serviceaccount represents as saPrefix:namespace:name in userInfo +func matchServiceAccount(subject map[string]interface{}, userInfo authenticationv1.UserInfo) bool { + // checks if subject contains the serviceaccount info + sa := subject["kind"] + if sa.(string) != "ServiceAccount" { + glog.V(3).Infof("subject %v has no service account info", subject) + return false + } + + subjectServiceAccount := subject["namespace"].(string) + ":" + subject["name"].(string) + if userInfo.Username[len(engine.SaPrefix):] != subjectServiceAccount { + glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(engine.SaPrefix):]) + return false + } + + return true +} + +// matchUserOrGroup checks if userInfo contains user or group info in a subject +func matchUserOrGroup(subject map[string]interface{}, userInfo authenticationv1.UserInfo) bool { + keys := append(userInfo.Groups, userInfo.Username) + for _, key := range keys { + if subject["name"].(string) == key { + return true + } + } + + glog.V(3).Infof("user/group '%v' info not found in request userInfo: %v", subject["name"], keys) + return false +} + +// func newSubjectMap(kind, name, namespace string) map[string]interface{} { +// return map[string]interface{}{ +// "kind": kind, +// "name": name, +// "namespace": namespace, +// } +// } + +// func filterPolicyByUserInfo(client *client.Client, policies []*v1alpha1.ClusterPolicy, request *v1beta1.AdmissionRequest) ([]*v1alpha1.ClusterPolicy, error) { +// var matchesPolicies []*v1alpha1.ClusterPolicy + +// if request.UserInfo.Username == "" || len(request.UserInfo.Groups) == 0 { +// glog.Infof("empty userInfo in the request: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", +// request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation) +// return nil, nil +// } + +// for _, p := range policies { +// for _, rule := range p.Spec.Rules { +// if match := filterByMatchBlock(client, rule.MatchResources, request.UserInfo); match { +// matchesPolicies = append(matchesPolicies, p) +// } + +// if exclude := filterByExcludeBlock(client, rule.ExcludeResources, request.UserInfo); !exclude { +// matchesPolicies = append(matchesPolicies, p) +// } +// } +// } + +// return matchesPolicies, nil +// } + +// // filterByMatchBlock return true if entire match block is found in userInfo +// func filterByMatchBlock(client *client.Client, match v1alpha1.MatchResources, userInfo authenticationv1.UserInfo) bool { +// if reflect.DeepEqual(match, v1alpha1.MatchResources{}) { +// return true +// } + +// if !matchSubjects(match.Subjects, userInfo) { +// glog.V(3).Infof("Subjects does not match, match subjects: %v, userInfo: %s", match.Subjects, userInfo.String()) +// return false +// } + +// if !matchRoles(client, match.Roles, userInfo) { +// glog.V(3).Infof("Roles does not match, match roles: %v, userInfo: %s", match.Roles, userInfo.String()) +// return false +// } + +// if !matchClusterRoles(client, match.ClusterRoles, userInfo) { +// glog.V(3).Infof("ClusterRoles does not match, match clusterRoles: %v, userInfo: %s", match.ClusterRoles, userInfo.String()) +// return false +// } + +// return true +// } + +// // filterByExcludeBlock return true if entire exclude block found in userInfo +// func filterByExcludeBlock(client *client.Client, exclude v1alpha1.ExcludeResources, userInfo authenticationv1.UserInfo) bool { +// if reflect.DeepEqual(exclude, v1alpha1.ExcludeResources{}) { +// return false +// } + +// if !matchSubjects(exclude.Subjects, userInfo) { +// glog.V(3).Infof("Subjects does not match, exclude subjects: %v, userInfo: %s", exclude.Subjects, userInfo.String()) +// return false +// } + +// if !matchRoles(client, exclude.Roles, userInfo) { +// glog.V(3).Infof("Roles does not match, exclude roles: %v, userInfo: %s", exclude.Roles, userInfo.String()) +// return false +// } + +// if !matchClusterRoles(client, exclude.ClusterRoles, userInfo) { +// glog.V(3).Infof("ClusterRoles does not match, exclude clusterRoles: %v, userInfo: %s", exclude.ClusterRoles, userInfo.String()) +// return false +// } + +// return true +// } + +// // matchSubjects checks if all subjects in the policy match the userInfo in the admission request +// func matchSubjects(subjects []rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { +// for _, subject := range subjects { +// s := newSubjectMap(subject.Kind, subject.Name, subject.Namespace) +// if ok := matchSubjectsMap(s, userInfo); !ok { +// return false +// } +// } + +// // all matches || empty subjects || unknown subject kind +// return true +// } + +// // matchRoles checks if the given roles matches the roles in this request.UserInfo +// func matchRoles(client *client.Client, roles []string, userInfo authenticationv1.UserInfo) bool { +// for _, role := range roles { +// // roleInfo = $namespace:name +// roleInfo := strings.Split(role, ":") +// if len(roleInfo) != 2 { +// glog.Errorf("invalid role format, expect namespace:name, found '%s'", role) +// return false +// } + +// fieldSelector := fields.Set{ +// "roleRef.name": roleInfo[1], +// }.AsSelector().String() + +// // rolebindings +// roleBindings, err := client.ListResource("RoleBindings", roleInfo[0], metav1.ListOptions{FieldSelector: fieldSelector}) +// if err != nil { +// glog.Errorf("failed to list rolebindings from role '%s'", role) +// return false +// } + +// if ok := matchSubjectForRole(roleBindings, userInfo); !ok { +// return false +// } +// } + +// return true +// } + +// func matchClusterRoles(client *client.Client, roles []string, userInfo authenticationv1.UserInfo) bool { +// for _, role := range roles { +// // roleInfo = $name +// fieldSelector := fields.Set{ +// "roleRef.name": role, +// }.AsSelector().String() + +// nsList, err := client.ListResource("Namespace", "", metav1.ListOptions{}) +// if err != nil { +// glog.Errorf("failed to get namespace list: %v", err) +// return false +// } + +// for _, ns := range nsList.Items { +// // rolebindings +// roleBindings, err := client.ListResource("RoleBindings", ns.GetName(), metav1.ListOptions{FieldSelector: fieldSelector}) +// if err != nil { +// glog.Errorf("failed to list rolebindings from role '%s'", role) +// return false +// } + +// if ok := matchSubjectForRole(roleBindings, userInfo); !ok { +// return false +// } +// } + +// // clusterrolebindings +// clusterroleBindings, err := client.ListResource("ClusterRoleBindings", "", metav1.ListOptions{FieldSelector: fieldSelector}) +// if err != nil { +// glog.Errorf("failed to list clusterrolebindings from role '%s'", role) +// return false +// } + +// if ok := matchSubjectForRole(clusterroleBindings, userInfo); !ok { +// return false +// } +// } +// return true +// } + +// func matchSubjectForRole(roleBindings *unstructured.UnstructuredList, userInfo authenticationv1.UserInfo) bool { +// subjects, err := getSubjects(roleBindings) +// if err != nil { +// glog.Errorf("failed to get subjects from rolebindings: %v", err) +// } + +// for _, subject := range subjects { +// if ok := matchSubjectsMap(subject, userInfo); !ok { +// return false +// } +// } +// return true +// } + +// func getSubjects(bindings *unstructured.UnstructuredList) ([]map[string]interface{}, error) { +// var subjectsLists []map[string]interface{} +// for _, binding := range bindings.Items { +// bindingMap := binding.UnstructuredContent() +// subjects, ok := bindingMap["subjects"] +// if !ok { +// return nil, fmt.Errorf("missing subjects in %s/%s", binding.GetKind(), binding.GetName()) +// } + +// subjectsList, ok := subjects.([]map[string]interface{}) +// if !ok { +// return nil, fmt.Errorf("wrong type of subjects in %s/%s, expect: %T, found: %T", +// binding.GetKind(), binding.GetName(), subjectsList, subjects) +// } +// subjectsLists = append(subjectsLists, subjectsList...) +// } + +// return subjectsLists, nil +// } diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index e9301c0297..4d79e79d26 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -151,8 +151,15 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques return &v1beta1.AdmissionResponse{Allowed: true} } + // TODO(shuting): continue apply policy if error getting roleRef? + roles, clusterRoles, err := getRoleRef(ws.client, request) + if err != nil { + glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v", + request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err) + } + // MUTATION - ok, patches, msg := ws.HandleMutation(request, policies) + ok, patches, msg := ws.HandleMutation(request, policies, roles, clusterRoles) if !ok { glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name) return &v1beta1.AdmissionResponse{ @@ -168,7 +175,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques patchedResource := processResourceWithPatches(patches, request.Object.Raw) // VALIDATION - ok, msg = ws.HandleValidation(request, policies, patchedResource) + ok, msg = ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles) if !ok { glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name) return &v1beta1.AdmissionResponse{