Fix rbac authorization for GKE clusters (#216)

Signed-off-by: Tamal Saha <[email protected]>

Author: tamalsaha

go.mod

@@ -38,7 +38,7 @@ require (
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280
 	k8s.io/kube-state-metrics/v2 v2.7.0
 	kmodules.xyz/apiversion v0.2.0
-	kmodules.xyz/authorizer v0.25.0
+	kmodules.xyz/authorizer v0.25.1
 	kmodules.xyz/client-go v0.25.23
 	kmodules.xyz/custom-resources v0.25.1
 	kmodules.xyz/go-containerregistry v0.0.11

go.sum

@@ -2106,8 +2106,8 @@ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJ
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/authorizer v0.25.0 h1:yRrLtMOdlU1p4mLzaSz5pmSLpBLsVXLQHkUfiME12iQ=
-kmodules.xyz/authorizer v0.25.0/go.mod h1:Jb99YsLRJE4R4d8F5fFtlxEaxk0prdSk2LApZl4JdyI=
+kmodules.xyz/authorizer v0.25.1 h1:W19AtlPD2A1+Q4UqDmNCJKfX9bKIgj+J6bQmkYwsHwY=
+kmodules.xyz/authorizer v0.25.1/go.mod h1:hKAbHpRkbxZJjc+cMTUiyxQxp7amKUVDiN145IrpnhA=
 kmodules.xyz/client-go v0.25.23 h1:qz5XJYHLVZUowqfRXEJD7JQ4iaLLzQ1O1zPMmsdrkJw=
 kmodules.xyz/client-go v0.25.23/go.mod h1:wbdzLEoDYiCPI6dTW0mIAGNwkwFV4lC5BN1FJxiDsbw=
 kmodules.xyz/crd-schema-fuzz v0.25.0 h1:c5ZxNRqJak1bkGhECmyrKpzKGThFMB4088Kynyvngbc=

pkg/apiserver/apiserver.go

@@ -72,7 +72,7 @@ import (
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	"k8s.io/klog/v2/klogr"
-	"kmodules.xyz/authorizer/rbac"
+	"kmodules.xyz/authorizer"
 	cu "kmodules.xyz/client-go/client"
 	"kmodules.xyz/client-go/meta"
 	appcatalogapi "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
@@ -214,7 +214,7 @@ func (c completedConfig) New(ctx context.Context) (*UIServer, error) {
 		return nil, err
 	}
 
-	rbacAuthorizer := rbac.NewForManagerOrDie(ctx, mgr)
+	rbacAuthorizer := authorizer.NewForManagerOrDie(ctx, mgr)
 
 	builder, err := promclient.NewBuilder(mgr, &c.ExtraConfig.PromConfig)
 	if err != nil {

pkg/registry/core/genericresource/storage.go

@@ -112,12 +112,13 @@ func (r *Storage) Get(ctx context.Context, name string, options *metav1.GetOptio
 	rid := kmapi.NewResourceID(mapping)
 
 	attrs := authorizer.AttributesRecord{
-		User:      user,
-		Verb:      "get",
-		Namespace: ns,
-		APIGroup:  mapping.Resource.Group,
-		Resource:  mapping.Resource.Resource,
-		Name:      objName,
+		User:            user,
+		Verb:            "get",
+		Namespace:       ns,
+		APIGroup:        mapping.Resource.Group,
+		Resource:        mapping.Resource.Resource,
+		Name:            objName,
+		ResourceRequest: true,
 	}
 	decision, why, err := r.a.Authorize(ctx, attrs)
 	if err != nil {
@@ -170,12 +171,13 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		apiType := kmapi.NewResourceID(mapping)
 
 		attrs := authorizer.AttributesRecord{
-			User:      user,
-			Verb:      "get",
-			Namespace: ns,
-			APIGroup:  mapping.Resource.Group,
-			Resource:  mapping.Resource.Resource,
-			Name:      "",
+			User:            user,
+			Verb:            "get",
+			Namespace:       ns,
+			APIGroup:        mapping.Resource.Group,
+			Resource:        mapping.Resource.Resource,
+			Name:            "",
+			ResourceRequest: true,
 		}
 
 		var list unstructured.UnstructuredList
@@ -185,6 +187,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		}
 		for _, item := range list.Items {
 			attrs.Name = item.GetName()
+			attrs.Namespace = item.GetNamespace()
 			decision, _, err := r.a.Authorize(ctx, attrs)
 			if err != nil {
 				return nil, apierrors.NewInternalError(err)

pkg/registry/core/podview/storage.go

@@ -96,12 +96,13 @@ func (r *Storage) Get(ctx context.Context, name string, options *metav1.GetOptio
 	}
 
 	attrs := authorizer.AttributesRecord{
-		User:      user,
-		Verb:      "get",
-		Namespace: ns,
-		APIGroup:  r.gr.Group,
-		Resource:  r.gr.Resource,
-		Name:      name,
+		User:            user,
+		Verb:            "get",
+		Namespace:       ns,
+		APIGroup:        r.gr.Group,
+		Resource:        r.gr.Resource,
+		Name:            name,
+		ResourceRequest: true,
 	}
 	decision, why, err := r.a.Authorize(ctx, attrs)
 	if err != nil {
@@ -228,12 +229,13 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 	}
 
 	attrs := authorizer.AttributesRecord{
-		User:      user,
-		Verb:      "get",
-		Namespace: ns,
-		APIGroup:  r.gr.Group,
-		Resource:  r.gr.Resource,
-		Name:      "",
+		User:            user,
+		Verb:            "get",
+		Namespace:       ns,
+		APIGroup:        r.gr.Group,
+		Resource:        r.gr.Resource,
+		Name:            "",
+		ResourceRequest: true,
 	}
 
 	opts := client.ListOptions{Namespace: ns}
@@ -257,6 +259,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 	podviews := make([]corev1alpha1.PodView, 0, len(podList.Items))
 	for _, pod := range podList.Items {
 		attrs.Name = pod.Name
+		attrs.Namespace = pod.Namespace
 		decision, _, err := r.a.Authorize(context.TODO(), attrs)
 		if err != nil {
 			return nil, apierrors.NewInternalError(err)

pkg/registry/core/resourceservice/storage.go

@@ -124,12 +124,13 @@ func (r *Storage) Get(ctx context.Context, name string, options *metav1.GetOptio
 	rid := kmapi.NewResourceID(mapping)
 
 	attrs := authorizer.AttributesRecord{
-		User:      user,
-		Verb:      "get",
-		Namespace: ns,
-		APIGroup:  mapping.Resource.Group,
-		Resource:  mapping.Resource.Resource,
-		Name:      objName,
+		User:            user,
+		Verb:            "get",
+		Namespace:       ns,
+		APIGroup:        mapping.Resource.Group,
+		Resource:        mapping.Resource.Resource,
+		Name:            objName,
+		ResourceRequest: true,
 	}
 	decision, why, err := r.a.Authorize(ctx, attrs)
 	if err != nil {
@@ -182,12 +183,13 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		apiType := kmapi.NewResourceID(mapping)
 
 		attrs := authorizer.AttributesRecord{
-			User:      user,
-			Verb:      "get",
-			Namespace: ns,
-			APIGroup:  mapping.Resource.Group,
-			Resource:  mapping.Resource.Resource,
-			Name:      "",
+			User:            user,
+			Verb:            "get",
+			Namespace:       ns,
+			APIGroup:        mapping.Resource.Group,
+			Resource:        mapping.Resource.Resource,
+			Name:            "",
+			ResourceRequest: true,
 		}
 
 		var list unstructured.UnstructuredList
@@ -197,6 +199,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		}
 		for _, item := range list.Items {
 			attrs.Name = item.GetName()
+			attrs.Namespace = item.GetNamespace()
 			decision, _, err := r.a.Authorize(ctx, attrs)
 			if err != nil {
 				return nil, apierrors.NewInternalError(err)

pkg/registry/core/resourcesummary/storage.go

@@ -120,12 +120,13 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		apiType := kmapi.NewResourceID(mapping)
 
 		attrs := authorizer.AttributesRecord{
-			User:      user,
-			Verb:      "get",
-			Namespace: ns,
-			APIGroup:  mapping.Resource.Group,
-			Resource:  mapping.Resource.Resource,
-			Name:      "",
+			User:            user,
+			Verb:            "get",
+			Namespace:       ns,
+			APIGroup:        mapping.Resource.Group,
+			Resource:        mapping.Resource.Resource,
+			Name:            "",
+			ResourceRequest: true,
 		}
 
 		summary := corev1alpha1.ResourceSummary{
@@ -152,6 +153,7 @@ func (r *Storage) List(ctx context.Context, options *internalversion.ListOptions
 		}
 		for _, item := range list.Items {
 			attrs.Name = item.GetName()
+			attrs.Namespace = item.GetNamespace()
 			decision, _, err := r.a.Authorize(ctx, attrs)
 			if err != nil {
 				return nil, apierrors.NewInternalError(err)

vendor/kmodules.xyz/authorizer/.gitignore

@@ -0,0 +1,39 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+.idea/
+dist/
+**/junit.xml
+**/.env
+.vscode/
+coverage.txt
+
+/bin
+/.go
+
+apiserver.local.config/**
+
+.DS_Store
+
+vendor