From 32286d571dee764f30863e18de8f65f13dae6891 Mon Sep 17 00:00:00 2001
From: Lukasz Szaszkiewicz
Date: Mon, 7 Oct 2024 17:39:10 +0200
Subject: [PATCH] server/config: assing system:apiserver user to system:authenticated group

---
 .../src/k8s.io/apiserver/pkg/server/config.go | 2 +-
 .../apiserver/pkg/server/config_test.go | 29 +++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go
index a326e7335ae78..6da8949192897 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config.go
@@ -1170,7 +1170,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
 tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 Name: user.APIServerUser,
 UID: uid,
- Groups: []string{user.SystemPrivilegedGroup},
+ Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
 }
 
 tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/config_test.go
index a7f76d0142ece..75314e2cafa33 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config_test.go
@@ -38,6 +38,7 @@ import (
 "k8s.io/apiserver/pkg/audit/policy"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authentication/user"
+ "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/apiserver/pkg/endpoints/request"
 "k8s.io/apiserver/pkg/server/healthz"
 utilfeature "k8s.io/apiserver/pkg/util/feature"
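Review bot: The added `user.AllAuthenticated` on the Groups line carries no comment saying why it has to be listed by hand, and nothing in config.go would fail if someone later dropped it again; the `user.DefaultInfo` is handed straight to `authenticatorfactory.NewFromTokens`, so, as far as this hunk shows, it never passes through whatever wrapper normally appends `system:authenticated` to other authenticated identities. I'd put a why-comment above the field: `// Listed explicitly: this token authenticator bypasses the usual authenticated-group adder, so the loopback identity would otherwise be the only authenticated user without system:authenticated.` It is also worth stating in the commit description that this is an observable change for anything that matches on group membership — authorizer webhooks, ABAC rules or RBAC subjects bound to system:authenticated, admission policies and audit rules — which the loopback client now satisfies; since it already carries system:masters this should not widen privilege under RBAC, but group-based policies elsewhere may start to see it. The enclosing AuthorizeClientBearerToken starts and ends outside the hunk.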
@@ -83,6 +84,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
 }
 }
 
+func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
+ fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+ return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
+ })
+ fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+ return authorizer.DecisionAllow, "", nil
+ })
+ target := &rest.Config{BearerToken: "secretToken"}
+ authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
+ authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}
+
+ AuthorizeClientBearerToken(target, authN, authC)
+
+ fakeRequest, err := http.NewRequest("", "", nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+ fakeRequest.Header.Set("Authorization", "bearer secretToken")
+ rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
+ if err != nil {
+ t.Fatal(err)
+ }
+ expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
+ if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
+ t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
+ }
+}
+
 func TestNewWithDelegate(t *testing.T) {
 _, ctx := ktesting.NewTestContext(t)
 ctx, cancel := context.WithCancelCause(ctx)
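Review bot: The new test discards the `ok` result of `AuthenticateRequest` and then dereferences `rsp.User`, so if the loopback token is not recognised for any reason it dies with a nil-pointer panic instead of a readable assertion. Replace the `rsp, _, err :=` line and the `if err != nil` check under it with `rsp, ok, err := authN.Authenticator.AuthenticateRequest(fakeRequest)` and `if err != nil || !ok || rsp == nil || rsp.User == nil { t.Fatalf("loopback token not authenticated: ok=%v err=%v", ok, err) }`. A doc comment on the function stating what it pins down would also help, e.g. `// TestAuthorizeClientBearerTokenRequiredGroups verifies that the loopback apiserver identity carries both system:authenticated and system:masters.` The order-sensitive `reflect.DeepEqual` is fine here because the expected groups are a fixed literal, but that is worth a word in the same comment so a later reorder is not mistaken for a regression.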