
Fix RBAC authorizer of ServiceAccount
The RBAC authorizer assigns a role to the wrong service account.
albatross0 committed Jul 20, 2016
1 parent 86b47f2 commit d1b14e2
Showing 2 changed files with 3 additions and 3 deletions.
4 changes: 2 additions & 2 deletions pkg/apis/rbac/validation/rulevalidation.go
Expand Up @@ -25,6 +25,7 @@ import (
apierrors "k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/serviceaccount"
utilerrors "k8s.io/kubernetes/pkg/util/errors"
)

Expand Down Expand Up @@ -201,8 +202,7 @@ func appliesToUser(user user.Info, subject rbac.Subject) (bool, error) {
if subject.Namespace == "" {
return false, fmt.Errorf("subject of kind service account without specified namespace")
}
// TODO(ericchiang): Is there a better way of matching a service account name?
return "system:serviceaccount:"+subject.Name+":"+subject.Namespace == user.GetName(), nil
return serviceaccount.MakeUsername(subject.Namespace, subject.Name) == user.GetName(), nil
default:
return false, fmt.Errorf("unknown subject kind: %s", subject.Kind)
}
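Review bot: The guard two lines above the replaced return still rejects only an empty Namespace, so a subject with an empty Name now reaches serviceaccount.MakeUsername and is compared against a username that ends in ":", which no authenticated service account carries; that fails closed, but silently rather than with the explicit error the namespace case gets. Unless Subject validation elsewhere already rejects an empty Name, extend the check to `if subject.Namespace == "" || subject.Name == "" {` and widen the message to `"subject of kind service account without specified namespace or name"`. The removed TODO asked how to match a service account; since the answer is now to rely on the username form produced by pkg/serviceaccount, a comment such as `// Service accounts are matched by the username pkg/serviceaccount derives from (namespace, name), so the two cannot drift apart.` would record that for the next reader. appliesToUser begins outside the hunk, so the switch whose case this is and the Name/Namespace handling of the other kinds are not visible here.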
2 changes: 1 addition & 1 deletion pkg/apis/rbac/validation/rulevalidation_test.go
Expand Up @@ -234,7 +234,7 @@ func TestAppliesTo(t *testing.T) {
subjects: []rbac.Subject{
{Kind: rbac.UserKind, Name: "barfoo"},
{Kind: rbac.GroupKind, Name: "foobar"},
{Kind: rbac.ServiceAccountKind, Name: "kube-system", Namespace: "default"},
{Kind: rbac.ServiceAccountKind, Namespace: "kube-system", Name: "default"},
},
ctx: api.WithNamespace(
api.WithUser(api.NewContext(), &user.DefaultInfo{Name: "system:serviceaccount:kube-system:default"}),
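Review bot: The corrected subject only keeps the positive case, and the old version of this same line shows why that is not enough: the previous test had Name and Namespace swapped in exactly the way the old implementation did, so the two agreed and the authorizer bug went unnoticed. Add a negative case whose subject is the swapped form, e.g. `{Kind: rbac.ServiceAccountKind, Namespace: "default", Name: "kube-system"},` under the same "system:serviceaccount:kube-system:default" user, expected not to apply, so a future argument-order regression in appliesToUser fails this test instead of passing it. The table entry's expected-result field is outside the hunk, so its exact name cannot be quoted here; TestAppliesTo also starts before the first visible line.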
