feat: kubesphere 4.0 (#6115)

* feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> * feat: kubesphere 4.0 Signed-off-by: ci-bot <ci-bot@kubesphere.io> --------- Signed-off-by: ci-bot <ci-bot@kubesphere.io> Co-authored-by: ks-ci-bot <ks-ci-bot@example.com> Co-authored-by: joyceliu <joyceliu@yunify.com>
2024-09-06 11:05:52 +08:00
parent b5015ec7b9
commit 447a51f08b
8557 changed files with 546695 additions and 1146174 deletions
--- a/pkg/apiserver/authentication/authenticators/basic/basic.go
+++ b/pkg/apiserver/authentication/authenticators/basic/basic.go
@@ -1,34 +1,22 @@
 /*
-Copyright 2020 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */

 package basic

 import (
 	"context"
+	"errors"

+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/klog/v2"
-
-	iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
+	iamv1beta1 "kubesphere.io/api/iam/v1beta1"

 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/request/basictoken"
 	"kubesphere.io/kubesphere/pkg/apiserver/request"
 	"kubesphere.io/kubesphere/pkg/models/auth"
-
-	"k8s.io/apiserver/pkg/authentication/authenticator"
-	"k8s.io/apiserver/pkg/authentication/user"
 )

 // TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
@@ -49,15 +37,15 @@ func NewBasicAuthenticator(authenticator auth.PasswordAuthenticator, loginRecord
 }

 func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) {
-	authenticated, provider, err := t.authenticator.Authenticate(ctx, "", username, password)
+	authenticated, err := t.authenticator.Authenticate(ctx, "", username, password)
 	if err != nil {
-		if t.loginRecorder != nil && err == auth.IncorrectPasswordError {
+		if t.loginRecorder != nil && errors.Is(err, auth.IncorrectPasswordError) {
 			var sourceIP, userAgent string
 			if requestInfo, ok := request.RequestInfoFrom(ctx); ok {
 				sourceIP = requestInfo.SourceIP
 				userAgent = requestInfo.UserAgent
 			}
-			if err := t.loginRecorder.RecordLogin(username, iamv1alpha2.Password, provider, sourceIP, userAgent, err); err != nil {
+			if err := t.loginRecorder.RecordLogin(ctx, username, iamv1beta1.Password, "", sourceIP, userAgent, err); err != nil {
 				klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err)
 			}
 		}
--- a/pkg/apiserver/authentication/authenticators/jwt/jwt.go
+++ b/pkg/apiserver/authentication/authenticators/jwt/jwt.go
@@ -1,33 +1,25 @@
 /*
-Copyright 2019 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
+ * Please refer to the LICENSE file in the root directory of the project.
+ * https://github.com/kubesphere/kubesphere/blob/master/LICENSE
+ */

 package jwt

 import (
 	"context"

+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/klog/v2"
+	clusterv1alpha1 "kubesphere.io/api/cluster/v1alpha1"
+	corev1alpha1 "kubesphere.io/api/core/v1alpha1"
+	iamv1beta1 "kubesphere.io/api/iam/v1beta1"
+	runtimecache "sigs.k8s.io/controller-runtime/pkg/cache"

-	iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
-
+	"kubesphere.io/kubesphere/pkg/apiserver/authentication/token"
 	"kubesphere.io/kubesphere/pkg/models/auth"
-
-	iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
+	"kubesphere.io/kubesphere/pkg/utils/serviceaccount"
 )

 // TokenAuthenticator implements kubernetes token authenticate interface with our custom logic.
@@ -37,13 +29,15 @@ import (
 // because some resources are public accessible.
 type tokenAuthenticator struct {
 	tokenOperator auth.TokenManagementInterface
-	userLister    iamv1alpha2listers.UserLister
+	cache         runtimecache.Cache
+	clusterRole   string
 }

-func NewTokenAuthenticator(tokenOperator auth.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token {
+func NewTokenAuthenticator(cache runtimecache.Cache, tokenOperator auth.TokenManagementInterface, clusterRole string) authenticator.Token {
 	return &tokenAuthenticator{
 		tokenOperator: tokenOperator,
-		userLister:    userLister,
+		cache:         cache,
+		clusterRole:   clusterRole,
 	}
 }

@@ -54,25 +48,51 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
 		return nil, false, err
 	}

-	if verified.User.GetName() == iamv1alpha2.PreRegistrationUser {
+	if serviceaccount.IsServiceAccountToken(verified.Subject) {
+		if t.clusterRole == string(clusterv1alpha1.ClusterRoleHost) {
+			_, err = t.validateServiceAccount(ctx, verified)
+			if err != nil {
+				return nil, false, err
+			}
+		}
 		return &authenticator.Response{
 			User: verified.User,
 		}, true, nil
 	}

-	userInfo, err := t.userLister.Get(verified.User.GetName())
-	if err != nil {
-		return nil, false, err
+	if verified.User.GetName() == iamv1beta1.PreRegistrationUser {
+		return &authenticator.Response{
+			User: verified.User,
+		}, true, nil
 	}

-	// AuthLimitExceeded state should be ignored
-	if userInfo.Status.State == iamv1alpha2.UserDisabled {
-		return nil, false, auth.AccountIsNotActiveError
+	if t.clusterRole == string(clusterv1alpha1.ClusterRoleHost) {
+		userInfo := &iamv1beta1.User{}
+		if err := t.cache.Get(ctx, types.NamespacedName{Name: verified.User.GetName()}, userInfo); err != nil {
+			return nil, false, err
+		}
+
+		// AuthLimitExceeded state should be ignored
+		if userInfo.Status.State == iamv1beta1.UserDisabled {
+			return nil, false, auth.AccountIsNotActiveError
+		}
 	}
+
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
-			Name:   userInfo.GetName(),
-			Groups: append(userInfo.Spec.Groups, user.AllAuthenticated),
+			Name: verified.User.GetName(),
+			// TODO(wenhaozhou) Add user`s groups(can be searched by GroupBinding)
+			Groups: []string{user.AllAuthenticated},
 		},
 	}, true, nil
 }
+
+func (t *tokenAuthenticator) validateServiceAccount(ctx context.Context, verify *token.VerifiedResponse) (*corev1alpha1.ServiceAccount, error) {
+	// Ensure the relative service account exist
+	name, namespace := serviceaccount.SplitUsername(verify.Username)
+	sa := &corev1alpha1.ServiceAccount{}
+	if err := t.cache.Get(ctx, types.NamespacedName{Name: name, Namespace: namespace}, sa); err != nil {
+		return nil, err
+	}
+	return sa, nil
+}