
fix: pass resource names to auth check for mutateExisting policies (#10808)

This commit is contained in:
Mariam Fahmy 2024-08-07 17:09:16 +03:00 committed by GitHub
parent 4d1f040e49
commit 53e0ccdc25
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 22 additions and 22 deletions


@ -11,13 +11,13 @@ import (
// Operations provides methods to performing operations on resource // Operations provides methods to performing operations on resource
type Operations interface { type Operations interface {
// CanICreate returns 'true' if self can 'create' resource // CanICreate returns 'true' if self can 'create' resource
CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
// CanIUpdate returns 'true' if self can 'update' resource // CanIUpdate returns 'true' if self can 'update' resource
CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
// CanIDelete returns 'true' if self can 'delete' resource // CanIDelete returns 'true' if self can 'delete' resource
CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
// CanIGet returns 'true' if self can 'get' resource // CanIGet returns 'true' if self can 'get' resource
CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error)
} }
// Auth provides implementation to check if caller/self/kyverno has access to perofrm operations // Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
@ -38,8 +38,8 @@ func NewAuth(client dclient.Interface, user string, log logr.Logger) *Auth {
} }
// CanICreate returns 'true' if self can 'create' resource // CanICreate returns 'true' if self can 'create' resource
func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource string) (bool, error) { func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "create", "", a.user) canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "create", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx) ok, _, err := canI.RunAccessCheck(ctx)
if err != nil { if err != nil {
return false, err return false, err
@ -48,8 +48,8 @@ func (a *Auth) CanICreate(ctx context.Context, gvk, namespace, subresource strin
} }
// CanIUpdate returns 'true' if self can 'update' resource // CanIUpdate returns 'true' if self can 'update' resource
func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) { func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "update", "", a.user) canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "update", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx) ok, _, err := canI.RunAccessCheck(ctx)
if err != nil { if err != nil {
return false, err return false, err
@ -58,8 +58,8 @@ func (a *Auth) CanIUpdate(ctx context.Context, gvk, namespace, subresource strin
} }
// CanIDelete returns 'true' if self can 'delete' resource // CanIDelete returns 'true' if self can 'delete' resource
func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource string) (bool, error) { func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "delete", "", a.user) canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "delete", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx) ok, _, err := canI.RunAccessCheck(ctx)
if err != nil { if err != nil {
return false, err return false, err
@ -68,8 +68,8 @@ func (a *Auth) CanIDelete(ctx context.Context, gvk, namespace, subresource strin
} }
// CanIGet returns 'true' if self can 'get' resource // CanIGet returns 'true' if self can 'get' resource
func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) { func (a *Auth) CanIGet(ctx context.Context, gvk, namespace, name, subresource string) (bool, error) {
canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "", "get", "", a.user) canI := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, name, "get", "", a.user)
ok, _, err := canI.RunAccessCheck(ctx) ok, _, err := canI.RunAccessCheck(ctx)
if err != nil { if err != nil {
return false, err return false, err


@ -12,21 +12,21 @@ func NewFakeAuth() *FakeAuth {
} }
// CanICreate returns 'true' // CanICreate returns 'true'
func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, sub string) (bool, error) { func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace, name, sub string) (bool, error) {
return true, nil return true, nil
} }
// CanIUpdate returns 'true' // CanIUpdate returns 'true'
func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, sub string) (bool, error) { func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace, name, sub string) (bool, error) {
return true, nil return true, nil
} }
// CanIDelete returns 'true' // CanIDelete returns 'true'
func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, sub string) (bool, error) { func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace, name, sub string) (bool, error) {
return true, nil return true, nil
} }
// CanIGet returns 'true' // CanIGet returns 'true'
func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, sub string) (bool, error) { func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace, name, sub string) (bool, error) {
return true, nil return true, nil
} }


@ -110,7 +110,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
// Skip if there is variable defined // Skip if there is variable defined
authCheck := g.authCheck authCheck := g.authCheck
if !regex.IsVariable(gvk) { if !regex.IsVariable(gvk) {
ok, err := authCheck.CanICreate(ctx, gvk, namespace, subresource) ok, err := authCheck.CanICreate(ctx, gvk, namespace, "", subresource)
if err != nil { if err != nil {
return err return err
} }
@ -118,7 +118,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'create' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIUpdate(ctx, gvk, namespace, "", subresource)
if err != nil { if err != nil {
return err return err
} }
@ -126,7 +126,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'update' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIGet(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIGet(ctx, gvk, namespace, "", subresource)
if err != nil { if err != nil {
return err return err
} }
@ -134,7 +134,7 @@ func (g *Generate) canIGenerate(ctx context.Context, gvk, namespace, subresource
return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace) return fmt.Errorf("%s does not have permissions to 'get' resource %s/%s/%s. Grant proper permissions to the background controller", g.user, gvk, subresource, namespace)
} }
ok, err = authCheck.CanIDelete(ctx, gvk, namespace, subresource) ok, err = authCheck.CanIDelete(ctx, gvk, namespace, "", subresource)
if err != nil { if err != nil {
return err return err
} }
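Review bot: An empty name is passed to all four checks at the changed lines with no comment explaining why, which reads as an oversight next to the mutate-existing path that now threads `target.Name` through. A one-line comment above the first check would pin the intent, e.g. `// name is deliberately empty: generate targets are authorized at the kind/namespace level, not per object`. If generate rules carry a fixed, non-variable target name (I can't see the rule fields from this hunk), consider passing it for the get/update/delete checks so a role restricted by `resourceNames` is validated precisely; under Kubernetes RBAC a create request cannot be restricted by resource name, so leaving it empty for CanICreate is right either way. canIGenerate starts before the first hunk and ends after the last one.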


@ -101,13 +101,13 @@ func (m *Mutate) validateAuth(ctx context.Context, targets []kyvernov1.TargetRes
srcKey = srcKey + "/" + sub srcKey = srcKey + "/" + sub
} }
if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil { if ok, err := m.authChecker.CanIUpdate(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
errs = append(errs, err) errs = append(errs, err)
} else if !ok { } else if !ok {
errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "update", target.APIVersion, srcKey, target.Namespace)) errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "update", target.APIVersion, srcKey, target.Namespace))
} }
if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, sub); err != nil { if ok, err := m.authChecker.CanIGet(ctx, strings.Join([]string{target.APIVersion, k}, "/"), target.Namespace, target.Name, sub); err != nil {
errs = append(errs, err) errs = append(errs, err)
} else if !ok { } else if !ok {
errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "get", target.APIVersion, srcKey, target.Namespace)) errs = append(errs, fmt.Errorf("cannot %s/%s/%s in namespace %s", "get", target.APIVersion, srcKey, target.Namespace))