diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go
index 81a7d6ddb3a0f..cb7b4bd1cf961 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config.go
@@ -1155,7 +1155,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
 	tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 		Name: user.APIServerUser,
 		UID: uid,
-		Groups: []string{user.SystemPrivilegedGroup},
+		Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
 	}
 
 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/config_test.go
index a1d6d8902f98f..615c16a04dfb0 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package server
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
@@ -36,6 +37,7 @@ import (
 	"k8s.io/apiserver/pkg/audit/policy"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/healthz"
 	"k8s.io/client-go/informers"
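Review bot: The new `Groups:` line adds `system:authenticated` to the loopback identity without a comment saying why, and that is exactly the kind of authorization-relevant detail a later reader should not have to reconstruct from git history. I would put above the field `// Every authenticated identity is expected to carry system:authenticated; omitting it here makes authorizers and policies that key on that group treat the loopback client differently from every other caller.` Since the identity is already in system:masters this does not appear to widen its privileges, but any RBAC binding or webhook rule targeting system:authenticated will now also match the loopback user, which is worth stating. The companion test compares the slice with reflect.DeepEqual, so the order `AllAuthenticated, SystemPrivilegedGroup` is now load-bearing as well. AuthorizeClientBearerToken starts before this hunk and continues after it.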
@@ -78,6 +80,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
 	}
 }
 
+func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
+	fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+		return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
+	})
+	fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+		return authorizer.DecisionAllow, "", nil
+	})
+	target := &rest.Config{BearerToken: "secretToken"}
+	authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
+	authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}
+
+	AuthorizeClientBearerToken(target, authN, authC)
+
+	fakeRequest, err := http.NewRequest("", "", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	fakeRequest.Header.Set("Authorization", "bearer secretToken")
+	rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
+	if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
+		t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
+	}
+}
+
 func TestNewWithDelegate(t *testing.T) {
 	delegateConfig := NewConfig(codecs)
 	delegateConfig.ExternalAddress = "192.168.10.4:443"
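Review bot: The `ok` result of `AuthenticateRequest` is discarded on the `rsp, _, err :=` line, so if the loopback token authenticator ever stops recognising `secretToken` and returns (nil, false, nil), the following `rsp.User.GetGroups()` dereferences a nil response and the test panics instead of failing with a readable message. I would bind and check it: `rsp, ok, err := authN.Authenticator.AuthenticateRequest(fakeRequest)` followed by `if err != nil || !ok { t.Fatalf("loopback token not authenticated: ok=%v err=%v", ok, err) }`. It would also be worth asserting `rsp.User.GetName() == user.APIServerUser` so the test pins the whole loopback identity rather than only its groups, given that the fake delegate authenticator returns an empty user and would otherwise be hard to tell apart from a partially wired loopback identity. The test function is complete within this hunk; AuthorizeClientBearerToken itself lives in config.go outside it.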