Skip to content

Commit

Permalink
Merge pull request #127902 from p0lyn0mial/upstream-system-authentica…
Browse files Browse the repository at this point in the history
…ted-for-system-apiserver

server/config: assing system:apiserver user to system:authenticated group
  • Loading branch information
k8s-ci-robot authored Oct 7, 2024
2 parents 7ab8a2b + dfeb560 commit 8155327
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 1 deletion.
2 changes: 1 addition & 1 deletion staging/src/k8s.io/apiserver/pkg/server/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -1170,7 +1170,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
tokens[privilegedLoopbackToken] = &user.DefaultInfo{
Name: user.APIServerUser,
UID: uid,
Groups: []string{user.SystemPrivilegedGroup},
Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
}

tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
Expand Down
29 changes: 29 additions & 0 deletions staging/src/k8s.io/apiserver/pkg/server/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ import (
"k8s.io/apiserver/pkg/audit/policy"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/endpoints/request"
"k8s.io/apiserver/pkg/server/healthz"
utilfeature "k8s.io/apiserver/pkg/util/feature"
Expand Down Expand Up @@ -83,6 +84,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
}
}

func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
})
fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
return authorizer.DecisionAllow, "", nil
})
target := &rest.Config{BearerToken: "secretToken"}
authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}

AuthorizeClientBearerToken(target, authN, authC)

fakeRequest, err := http.NewRequest("", "", nil)
if err != nil {
t.Fatal(err)
}
fakeRequest.Header.Set("Authorization", "bearer secretToken")
rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
if err != nil {
t.Fatal(err)
}
expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
}
}

func TestNewWithDelegate(t *testing.T) {
_, ctx := ktesting.NewTestContext(t)
ctx, cancel := context.WithCancelCause(ctx)
Expand Down

0 comments on commit 8155327

Please sign in to comment.