Bumping k8s dependencies to 1.13
52
vendor/k8s.io/kubernetes/pkg/registry/rbac/escalation_check.go
generated
vendored
52
vendor/k8s.io/kubernetes/pkg/registry/rbac/escalation_check.go
generated
vendored
@@ -20,6 +20,7 @@ import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
@@ -27,6 +28,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/apis/rbac"
|
||||
)
|
||||
|
||||
// EscalationAllowed checks if the user associated with the context is a superuser
|
||||
func EscalationAllowed(ctx context.Context) bool {
|
||||
u, ok := genericapirequest.UserFrom(ctx)
|
||||
if !ok {
|
||||
@@ -44,6 +46,56 @@ func EscalationAllowed(ctx context.Context) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
var roleResources = map[schema.GroupResource]bool{
|
||||
rbac.SchemeGroupVersion.WithResource("clusterroles").GroupResource(): true,
|
||||
rbac.SchemeGroupVersion.WithResource("roles").GroupResource(): true,
|
||||
}
|
||||
|
||||
// RoleEscalationAuthorized checks if the user associated with the context is explicitly authorized to escalate the role resource associated with the context
|
||||
func RoleEscalationAuthorized(ctx context.Context, a authorizer.Authorizer) bool {
|
||||
if a == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
user, ok := genericapirequest.UserFrom(ctx)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
|
||||
requestInfo, ok := genericapirequest.RequestInfoFrom(ctx)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
|
||||
if !requestInfo.IsResourceRequest {
|
||||
return false
|
||||
}
|
||||
|
||||
requestResource := schema.GroupResource{Group: requestInfo.APIGroup, Resource: requestInfo.Resource}
|
||||
if !roleResources[requestResource] {
|
||||
return false
|
||||
}
|
||||
|
||||
attrs := authorizer.AttributesRecord{
|
||||
User: user,
|
||||
Verb: "escalate",
|
||||
APIGroup: requestInfo.APIGroup,
|
||||
Resource: requestInfo.Resource,
|
||||
Name: requestInfo.Name,
|
||||
Namespace: requestInfo.Namespace,
|
||||
ResourceRequest: true,
|
||||
}
|
||||
|
||||
decision, _, err := a.Authorize(attrs)
|
||||
if err != nil {
|
||||
utilruntime.HandleError(fmt.Errorf(
|
||||
"error authorizing user %#v to escalate %#v named %q in namespace %q: %v",
|
||||
user, requestResource, requestInfo.Name, requestInfo.Namespace, err,
|
||||
))
|
||||
}
|
||||
return decision == authorizer.DecisionAllow
|
||||
}
|
||||
|
||||
// BindingAuthorized returns true if the user associated with the context is explicitly authorized to bind the specified roleRef
|
||||
func BindingAuthorized(ctx context.Context, roleRef rbac.RoleRef, bindingNamespace string, a authorizer.Authorizer) bool {
|
||||
if a == nil {
|
||||
|