admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: kubesphere 4.0 (#6115)

Browse Source 
* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

* feat: kubesphere 4.0

Signed-off-by: ci-bot <ci-bot@kubesphere.io>

---------

Signed-off-by: ci-bot <ci-bot@kubesphere.io>
Co-authored-by: ks-ci-bot <ks-ci-bot@example.com>
Co-authored-by: joyceliu <joyceliu@yunify.com>
This commit is contained in:
KubeSphere CI Bot
2024-09-06 11:05:52 +08:00
committed by GitHub
parent b5015ec7b9
commit 447a51f08b
8557 changed files with 546695 additions and 1146174 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/apiserver/authorization/authorizer/interfaces.go
View File

@@ -1,19 +1,3 @@
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package authorizer
import (
@@ -51,9 +35,6 @@ type Attributes interface {
// The namespace of the object, if a request is for a REST object.
GetNamespace() string
// The devops project of the object, if a request is for a REST object.
GetDevOps() string
// The kind of object, if a request is for a REST object.
GetResource() string
@@ -112,7 +93,6 @@ type AttributesRecord struct {
Cluster string
Workspace string
Namespace string
DevOps string
APIGroup string
APIVersion string
Resource string
@@ -148,10 +128,6 @@ func (a AttributesRecord) GetNamespace() string {
return a.Namespace
}
func (a AttributesRecord) GetDevOps() string {
return a.DevOps
}
func (a AttributesRecord) GetResource() string {
return a.Resource
}

18
pkg/apiserver/authorization/options.go
View File

@@ -1,21 +1,3 @@
/*
Copyright 2021 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package authorization
import (

178
pkg/apiserver/authorization/rbac/rbac.go
View File

@@ -1,19 +1,3 @@
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// NOTE: This file is copied from k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac.
package rbac
@@ -24,20 +8,20 @@ import (
"fmt"
"github.com/open-policy-agent/opa/rego"
rbacv1 "k8s.io/api/rbac/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/klog/v2"
iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
corev1alpha1 "kubesphere.io/api/core/v1alpha1"
iamv1beta1 "kubesphere.io/api/iam/v1beta1"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
"kubesphere.io/kubesphere/pkg/apiserver/request"
"kubesphere.io/kubesphere/pkg/models/iam/am"
ksserviceaccount "kubesphere.io/kubesphere/pkg/utils/serviceaccount"
"kubesphere.io/kubesphere/pkg/utils/sliceutil"
"k8s.io/klog/v2"
rbacv1 "k8s.io/api/rbac/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/user"
)
const (
@@ -45,7 +29,7 @@ const (
defaultRegoFileName = "authz.rego"
)
type RBACAuthorizer struct {
type Authorizer struct {
am am.AccessManagementInterface
}
@@ -90,7 +74,7 @@ func (r *ruleAccumulator) visit(_ fmt.Stringer, _ string, rule *rbacv1.PolicyRul
return true
}
func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (authorizer.Decision, string, error) {
func (r *Authorizer) Authorize(requestAttributes authorizer.Attributes) (authorizer.Decision, string, error) {
ruleCheckingVisitor := &authorizingVisitor{requestAttributes: requestAttributes}
r.visitRulesFor(requestAttributes, ruleCheckingVisitor.visit)
@@ -100,7 +84,7 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
}
// Build a detailed log of the denial.
// Make the whole block conditional so we don't do a lot of string-building we won't use.
// Make the whole block conditional, so we don't do a lot of string-building we won't use.
if klog.V(4).Enabled() {
var operation string
if requestAttributes.IsResourceRequest() {
@@ -129,10 +113,10 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
}
var scope string
if ns := requestAttributes.GetNamespace(); len(ns) > 0 {
scope = fmt.Sprintf("in namespace %q", ns)
} else if ws := requestAttributes.GetWorkspace(); len(ws) > 0 {
scope = fmt.Sprintf("in workspace %q", ws)
if requestAttributes.GetResourceScope() == request.NamespaceScope {
scope = fmt.Sprintf("in namespace %q", requestAttributes.GetNamespace())
} else if requestAttributes.GetResourceScope() == request.WorkspaceScope {
scope = fmt.Sprintf("in workspace %q", requestAttributes.GetWorkspace())
} else if requestAttributes.GetResourceScope() == request.ClusterScope {
scope = "cluster scope"
} else {
@@ -149,8 +133,8 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
return authorizer.DecisionNoOpinion, reason, nil
}
func NewRBACAuthorizer(am am.AccessManagementInterface) *RBACAuthorizer {
return &RBACAuthorizer{am: am}
func NewRBACAuthorizer(am am.AccessManagementInterface) *Authorizer {
return &Authorizer{am: am}
}
func ruleAllows(requestAttributes authorizer.Attributes, rule *rbacv1.PolicyRule) bool {
@@ -195,18 +179,16 @@ func regoPolicyAllows(requestAttributes authorizer.Attributes, regoPolicy string
return false
}
func (r *RBACAuthorizer) rulesFor(requestAttributes authorizer.Attributes) ([]rbacv1.PolicyRule, error) {
func (r *Authorizer) rulesFor(requestAttributes authorizer.Attributes) ([]rbacv1.PolicyRule, error) {
visitor := &ruleAccumulator{}
r.visitRulesFor(requestAttributes, visitor.visit)
return visitor.rules, utilerrors.NewAggregate(visitor.errors)
}
func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes, visitor func(source fmt.Stringer, regoPolicy string, rule *rbacv1.PolicyRule, err error) bool) {
if globalRoleBindings, err := r.am.ListGlobalRoleBindings(""); err != nil {
if !visitor(nil, "", nil, err) {
return
}
func (r *Authorizer) visitRulesFor(requestAttributes authorizer.Attributes, visitor func(source fmt.Stringer, regoPolicy string, rule *rbacv1.PolicyRule, err error) bool) {
if globalRoleBindings, err := r.am.ListGlobalRoleBindings("", ""); err != nil {
visitor(nil, "", nil, err)
return
} else {
sourceDescriber := &globalRoleBindingDescriber{}
for _, globalRoleBinding := range globalRoleBindings {
@@ -219,7 +201,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
visitor(nil, "", nil, err)
continue
}
sourceDescriber.binding = globalRoleBinding
sourceDescriber.binding = &globalRoleBinding
sourceDescriber.subject = &globalRoleBinding.Subjects[subjectIndex]
if !visitor(sourceDescriber, regoPolicy, nil, nil) {
return
@@ -236,35 +218,25 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
}
}
if requestAttributes.GetResourceScope() == request.WorkspaceScope ||
requestAttributes.GetResourceScope() == request.NamespaceScope ||
requestAttributes.GetResourceScope() == request.DevOpsScope {
var workspace string
var err error
// all of resource under namespace and devops belong to workspace
if requestAttributes.GetResourceScope() == request.NamespaceScope {
if workspace, err = r.am.GetNamespaceControlledWorkspace(requestAttributes.GetNamespace()); err != nil {
if !visitor(nil, "", nil, err) {
return
}
}
} else if requestAttributes.GetResourceScope() == request.DevOpsScope {
if workspace, err = r.am.GetDevOpsControlledWorkspace(requestAttributes.GetDevOps()); err != nil {
if !visitor(nil, "", nil, err) {
return
}
}
var targetWorkspace string
if requestAttributes.GetResourceScope() == request.NamespaceScope {
if workspace, err := r.am.GetNamespaceControlledWorkspace(requestAttributes.GetNamespace()); err != nil {
visitor(nil, "", nil, err)
return
} else {
targetWorkspace = workspace
}
}
if workspace == "" {
workspace = requestAttributes.GetWorkspace()
}
if requestAttributes.GetResourceScope() == request.WorkspaceScope {
targetWorkspace = requestAttributes.GetWorkspace()
}
if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", nil, workspace); err != nil {
if !visitor(nil, "", nil, err) {
return
}
// workspace managed resources
if targetWorkspace != "" {
if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", "", nil, targetWorkspace); err != nil {
visitor(nil, "", nil, err)
return
} else {
sourceDescriber := &workspaceRoleBindingDescriber{}
for _, workspaceRoleBinding := range workspaceRoleBindings {
@@ -275,9 +247,9 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
regoPolicy, rules, err := r.am.GetRoleReferenceRules(workspaceRoleBinding.RoleRef, "")
if err != nil {
visitor(nil, "", nil, err)
continue
return
}
sourceDescriber.binding = workspaceRoleBinding
sourceDescriber.binding = &workspaceRoleBinding
sourceDescriber.subject = &workspaceRoleBinding.Subjects[subjectIndex]
if !visitor(sourceDescriber, regoPolicy, nil, nil) {
return
@@ -291,38 +263,28 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
}
}
if requestAttributes.GetResourceScope() == request.NamespaceScope ||
requestAttributes.GetResourceScope() == request.DevOpsScope {
var targetNamespace string
if requestAttributes.GetResourceScope() == request.NamespaceScope {
targetNamespace = requestAttributes.GetNamespace()
}
namespace := requestAttributes.GetNamespace()
// list devops role binding
if requestAttributes.GetResourceScope() == request.DevOpsScope {
if relatedNamespace, err := r.am.GetDevOpsRelatedNamespace(requestAttributes.GetDevOps()); err != nil {
if !visitor(nil, "", nil, err) {
return
}
} else {
namespace = relatedNamespace
}
}
if roleBindings, err := r.am.ListRoleBindings("", nil, namespace); err != nil {
if !visitor(nil, "", nil, err) {
return
}
if targetNamespace != "" {
if roleBindings, err := r.am.ListRoleBindings("", "", nil, targetNamespace); err != nil {
visitor(nil, "", nil, err)
return
} else {
sourceDescriber := &roleBindingDescriber{}
for _, roleBinding := range roleBindings {
subjectIndex, applies := appliesTo(requestAttributes.GetUser(), roleBinding.Subjects, namespace)
subjectIndex, applies := appliesTo(requestAttributes.GetUser(), roleBinding.Subjects, targetNamespace)
if !applies {
continue
}
regoPolicy, rules, err := r.am.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
regoPolicy, rules, err := r.am.GetRoleReferenceRules(roleBinding.RoleRef, targetNamespace)
if err != nil {
visitor(nil, "", nil, err)
continue
return
}
sourceDescriber.binding = roleBinding
sourceDescriber.binding = &roleBinding
sourceDescriber.subject = &roleBinding.Subjects[subjectIndex]
if !visitor(sourceDescriber, regoPolicy, nil, nil) {
return
@@ -336,10 +298,9 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
}
}
if clusterRoleBindings, err := r.am.ListClusterRoleBindings(""); err != nil {
if !visitor(nil, "", nil, err) {
return
}
if clusterRoleBindings, err := r.am.ListClusterRoleBindings("", ""); err != nil {
visitor(nil, "", nil, err)
return
} else {
sourceDescriber := &clusterRoleBindingDescriber{}
for _, clusterRoleBinding := range clusterRoleBindings {
@@ -350,9 +311,9 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
regoPolicy, rules, err := r.am.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
if err != nil {
visitor(nil, "", nil, err)
continue
return
}
sourceDescriber.binding = clusterRoleBinding
sourceDescriber.binding = &clusterRoleBinding
sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
if !visitor(sourceDescriber, regoPolicy, nil, nil) {
return
@@ -386,8 +347,9 @@ func appliesToUser(user user.Info, subject rbacv1.Subject, namespace string) boo
return sliceutil.HasString(user.GetGroups(), subject.Name)
case rbacv1.ServiceAccountKind:
// default the namespace to namespace we're working in if its available. This allows rolebindings that reference
// SAs in th local namespace to avoid having to qualify them.
// Default the namespace to namespace we're working in if it's available.
// This allows role bindings that reference
// SAs in the local namespace to avoid having to qualify them.
saNamespace := namespace
if len(subject.Namespace) > 0 {
saNamespace = subject.Namespace
@@ -395,15 +357,23 @@ func appliesToUser(user user.Info, subject rbacv1.Subject, namespace string) boo
if len(saNamespace) == 0 {
return false
}
// use a more efficient comparison for RBAC checking
return serviceaccount.MatchesUsername(saNamespace, subject.Name, user.GetName())
switch subject.APIGroup {
case rbacv1.GroupName:
// use a more efficient comparison for RBAC checking
return serviceaccount.MatchesUsername(saNamespace, subject.Name, user.GetName())
case corev1alpha1.GroupName:
return ksserviceaccount.MatchesUsername(saNamespace, subject.Name, user.GetName())
default:
return false
}
default:
return false
}
}
type globalRoleBindingDescriber struct {
binding *iamv1alpha2.GlobalRoleBinding
binding *iamv1beta1.GlobalRoleBinding
subject *rbacv1.Subject
}
@@ -417,7 +387,7 @@ func (d *globalRoleBindingDescriber) String() string {
}
type clusterRoleBindingDescriber struct {
binding *rbacv1.ClusterRoleBinding
binding *iamv1beta1.ClusterRoleBinding
subject *rbacv1.Subject
}
@@ -431,7 +401,7 @@ func (d *clusterRoleBindingDescriber) String() string {
}
type workspaceRoleBindingDescriber struct {
binding *iamv1alpha2.WorkspaceRoleBinding
binding *iamv1beta1.WorkspaceRoleBinding
subject *rbacv1.Subject
}
@@ -445,7 +415,7 @@ func (d *workspaceRoleBindingDescriber) String() string {
}
type roleBindingDescriber struct {
binding *rbacv1.RoleBinding
binding *iamv1beta1.RoleBinding
subject *rbacv1.Subject
}

227
pkg/apiserver/authorization/rbac/rbac_test.go
View File

@@ -1,24 +1,7 @@
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package rbac
import (
"context"
"errors"
"hash/fnv"
"io"
@@ -27,36 +10,35 @@ import (
"github.com/google/go-cmp/cmp"
corev1 "k8s.io/api/core/v1"
fakek8s "k8s.io/client-go/kubernetes/fake"
iamv1alpha2 "kubesphere.io/api/iam/v1alpha2"
tenantv1alpha1 "kubesphere.io/api/tenant/v1alpha1"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
"kubesphere.io/kubesphere/pkg/apiserver/request"
fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
"kubesphere.io/kubesphere/pkg/informers"
"kubesphere.io/kubesphere/pkg/models/iam/am"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apiserver/pkg/authentication/user"
iamv1beta1 "kubesphere.io/api/iam/v1beta1"
tenantv1beta1 "kubesphere.io/api/tenant/v1beta1"
"sigs.k8s.io/controller-runtime/pkg/cache/informertest"
runtimefakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
"kubesphere.io/kubesphere/pkg/apiserver/request"
"kubesphere.io/kubesphere/pkg/models/iam/am"
"kubesphere.io/kubesphere/pkg/models/resources/v1beta1"
"kubesphere.io/kubesphere/pkg/scheme"
)
// StaticRoles is a rule resolver that resolves from lists of role objects.
type StaticRoles struct {
roles []*rbacv1.Role
roleBindings []*rbacv1.RoleBinding
clusterRoles []*rbacv1.ClusterRole
clusterRoleBindings []*rbacv1.ClusterRoleBinding
workspaceRoles []*iamv1alpha2.WorkspaceRole
workspaceRoleBindings []*iamv1alpha2.WorkspaceRoleBinding
globalRoles []*iamv1alpha2.GlobalRole
globalRoleBindings []*iamv1alpha2.GlobalRoleBinding
roles []*iamv1beta1.Role
roleBindings []*iamv1beta1.RoleBinding
clusterRoles []*iamv1beta1.ClusterRole
clusterRoleBindings []*iamv1beta1.ClusterRoleBinding
workspaceRoles []*iamv1beta1.WorkspaceRole
workspaceRoleBindings []*iamv1beta1.WorkspaceRoleBinding
globalRoles []*iamv1beta1.GlobalRole
globalRoleBindings []*iamv1beta1.GlobalRoleBinding
namespaces []*corev1.Namespace
}
func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error) {
func (r *StaticRoles) GetRole(namespace, name string) (*iamv1beta1.Role, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when getting role")
}
@@ -68,21 +50,21 @@ func (r *StaticRoles) GetRole(namespace, name string) (*rbacv1.Role, error) {
return nil, errors.New("role not found")
}
func (r *StaticRoles) GetClusterRole(name string) (*rbacv1.ClusterRole, error) {
func (r *StaticRoles) GetClusterRole(name string) (*iamv1beta1.ClusterRole, error) {
for _, clusterRole := range r.clusterRoles {
if clusterRole.Name == name {
return clusterRole, nil
}
}
return nil, errors.New("clusterrole not found")
return nil, errors.New("cluster role not found")
}
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error) {
func (r *StaticRoles) ListRoleBindings(namespace string) ([]*iamv1beta1.RoleBinding, error) {
if len(namespace) == 0 {
return nil, errors.New("must provide namespace when listing role bindings")
}
var roleBindingList []*rbacv1.RoleBinding
var roleBindingList []*iamv1beta1.RoleBinding
for _, roleBinding := range r.roleBindings {
if roleBinding.Namespace != namespace {
continue
@@ -92,17 +74,17 @@ func (r *StaticRoles) ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding,
return roleBindingList, nil
}
func (r *StaticRoles) ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error) {
func (r *StaticRoles) ListClusterRoleBindings() ([]*iamv1beta1.ClusterRoleBinding, error) {
return r.clusterRoleBindings, nil
}
// compute a hash of a policy rule so we can sort in a deterministic order
// compute a hash of a policy rule, so we can sort in a deterministic order
func hashOf(p rbacv1.PolicyRule) string {
hash := fnv.New32()
writeStrings := func(slis ...[]string) {
for _, sli := range slis {
for _, s := range sli {
io.WriteString(hash, s)
_, _ = io.WriteString(hash, s)
}
}
}
@@ -140,13 +122,13 @@ func TestRBACAuthorizer(t *testing.T) {
}
staticRoles := StaticRoles{
roles: []*rbacv1.Role{
roles: []*iamv1beta1.Role{
{
ObjectMeta: metav1.ObjectMeta{Namespace: "namespace1", Name: "readthings"},
Rules: []rbacv1.PolicyRule{ruleReadPods, ruleReadServices},
},
},
clusterRoles: []*rbacv1.ClusterRole{
clusterRoles: []*iamv1beta1.ClusterRole{
{
ObjectMeta: metav1.ObjectMeta{Name: "cluster-admin"},
Rules: []rbacv1.PolicyRule{ruleAdmin},
@@ -156,16 +138,16 @@ func TestRBACAuthorizer(t *testing.T) {
Rules: []rbacv1.PolicyRule{ruleWriteNodes},
},
},
workspaceRoles: []*iamv1alpha2.WorkspaceRole{
workspaceRoles: []*iamv1beta1.WorkspaceRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-workspace-manager",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
Rules: []rbacv1.PolicyRule{ruleAdmin},
},
},
globalRoles: []*iamv1alpha2.GlobalRole{
globalRoles: []*iamv1beta1.GlobalRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: "global-admin",
@@ -174,9 +156,12 @@ func TestRBACAuthorizer(t *testing.T) {
},
},
roleBindings: []*rbacv1.RoleBinding{
roleBindings: []*iamv1beta1.RoleBinding{
{
ObjectMeta: metav1.ObjectMeta{Namespace: "namespace1"},
ObjectMeta: metav1.ObjectMeta{
Namespace: "namespace1",
Name: "readthings",
},
Subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "foobar"},
{Kind: rbacv1.GroupKind, Name: "group1"},
@@ -184,37 +169,40 @@ func TestRBACAuthorizer(t *testing.T) {
RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "Role", Name: "readthings"},
},
},
workspaceRoleBindings: []*iamv1alpha2.WorkspaceRoleBinding{
workspaceRoleBindings: []*iamv1beta1.WorkspaceRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-workspace-manager-tester",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindWorkspaceRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindWorkspaceRole,
Name: "system-workspace-workspace-manager",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindUser,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Name: "tester",
},
},
},
},
globalRoleBindings: []*iamv1alpha2.GlobalRoleBinding{
globalRoleBindings: []*iamv1beta1.GlobalRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Name: "admin",
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindGlobalRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindGlobalRole,
Name: "global-admin",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindUser,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Name: "admin",
},
},
@@ -249,6 +237,12 @@ func TestRBACAuthorizer(t *testing.T) {
workspace: "system-workspace",
effectiveRules: []rbacv1.PolicyRule{ruleAdmin},
},
{
StaticRoles: staticRoles,
user: &user.DefaultInfo{Name: "tester"},
workspace: "not-exists-workspace",
effectiveRules: nil,
},
{
StaticRoles: staticRoles,
user: &user.DefaultInfo{Name: "foobar"},
@@ -315,9 +309,9 @@ func TestRBACAuthorizer(t *testing.T) {
}
func TestRBACAuthorizerMakeDecision(t *testing.T) {
t.Skipf("TODO: refactor this test case")
staticRoles := StaticRoles{
roles: []*rbacv1.Role{
roles: []*iamv1beta1.Role{
{
ObjectMeta: metav1.ObjectMeta{
Namespace: "kubesphere-system",
@@ -345,7 +339,7 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
},
},
},
clusterRoles: []*rbacv1.ClusterRole{
clusterRoles: []*iamv1beta1.ClusterRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: "cluster-viewer",
@@ -371,11 +365,11 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
},
},
},
workspaceRoles: []*iamv1alpha2.WorkspaceRole{
workspaceRoles: []*iamv1beta1.WorkspaceRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-admin",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
Rules: []rbacv1.PolicyRule{
{
@@ -388,7 +382,7 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-viewer",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
Rules: []rbacv1.PolicyRule{
{
@@ -399,7 +393,7 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
},
},
},
globalRoles: []*iamv1alpha2.GlobalRole{
globalRoles: []*iamv1beta1.GlobalRole{
{
ObjectMeta: metav1.ObjectMeta{
Name: "global-admin",
@@ -427,7 +421,7 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
},
},
roleBindings: []*rbacv1.RoleBinding{
roleBindings: []*iamv1beta1.RoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Namespace: "kubesphere-system",
@@ -452,20 +446,20 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "Role", Name: "kubesphere-system-viewer"},
},
},
workspaceRoleBindings: []*iamv1alpha2.WorkspaceRoleBinding{
workspaceRoleBindings: []*iamv1beta1.WorkspaceRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-admin",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindWorkspaceRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindWorkspaceRole,
Name: "system-workspace-admin",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
Kind: iamv1beta1.ResourceKindUser,
Name: "system-workspace-admin",
},
},
@@ -473,22 +467,22 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
{
ObjectMeta: metav1.ObjectMeta{
Name: "system-workspace-viewer",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindWorkspaceRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindWorkspaceRole,
Name: "system-workspace-viewer",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
Kind: iamv1beta1.ResourceKindUser,
Name: "system-workspace-viewer",
},
},
},
},
clusterRoleBindings: []*rbacv1.ClusterRoleBinding{
clusterRoleBindings: []*iamv1beta1.ClusterRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Name: "cluster-admin",
@@ -508,20 +502,20 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
RoleRef: rbacv1.RoleRef{APIGroup: rbacv1.GroupName, Kind: "ClusterRole", Name: "cluster-viewer"},
},
},
globalRoleBindings: []*iamv1alpha2.GlobalRoleBinding{
globalRoleBindings: []*iamv1beta1.GlobalRoleBinding{
{
ObjectMeta: metav1.ObjectMeta{
Name: "admin",
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindGlobalRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindGlobalRole,
Name: "global-admin",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindUser,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Name: "admin",
},
},
@@ -531,14 +525,14 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
Name: "viewer",
},
RoleRef: rbacv1.RoleRef{
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1alpha2.ResourceKindGlobalRole,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindGlobalRole,
Name: "global-viewer",
},
Subjects: []rbacv1.Subject{
{
Kind: iamv1alpha2.ResourceKindUser,
APIGroup: iamv1alpha2.SchemeGroupVersion.Group,
Kind: iamv1beta1.ResourceKindUser,
APIGroup: iamv1beta1.SchemeGroupVersion.Group,
Name: "viewer",
},
},
@@ -549,13 +543,13 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
{
ObjectMeta: metav1.ObjectMeta{
Name: "kubesphere-system",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
},
{
ObjectMeta: metav1.ObjectMeta{
Name: "kube-system",
Labels: map[string]string{tenantv1alpha1.WorkspaceLabel: "system-workspace"},
Labels: map[string]string{tenantv1beta1.WorkspaceLabel: "system-workspace"},
},
},
},
@@ -671,7 +665,7 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
APIVersion: "v1alpha2",
Resource: "namespaces",
ResourceRequest: true,
ResourceScope: iamv1alpha2.ScopeWorkspace,
ResourceScope: iamv1beta1.ScopeWorkspace,
},
ExpectedDecision: authorizer.DecisionAllow,
},
@@ -856,71 +850,66 @@ func TestRBACAuthorizerMakeDecision(t *testing.T) {
}
}
func newMockRBACAuthorizer(staticRoles *StaticRoles) (*RBACAuthorizer, error) {
ksClient := fakeks.NewSimpleClientset()
k8sClient := fakek8s.NewSimpleClientset()
fakeInformerFactory := informers.NewInformerFactories(k8sClient, ksClient, nil, nil, nil, nil)
k8sInformerFactory := fakeInformerFactory.KubernetesSharedInformerFactory()
ksInformerFactory := fakeInformerFactory.KubeSphereSharedInformerFactory()
func newMockRBACAuthorizer(staticRoles *StaticRoles) (*Authorizer, error) {
client := runtimefakeclient.NewClientBuilder().
WithScheme(scheme.Scheme).Build()
for _, role := range staticRoles.roles {
err := k8sInformerFactory.Rbac().V1().Roles().Informer().GetIndexer().Add(role)
if err != nil {
if err := client.Create(context.Background(), role.DeepCopy()); err != nil {
return nil, err
}
}
for _, roleBinding := range staticRoles.roleBindings {
err := k8sInformerFactory.Rbac().V1().RoleBindings().Informer().GetIndexer().Add(roleBinding)
if err != nil {
if err := client.Create(context.Background(), roleBinding.DeepCopy()); err != nil {
return nil, err
}
}
for _, clusterRole := range staticRoles.clusterRoles {
err := k8sInformerFactory.Rbac().V1().ClusterRoles().Informer().GetIndexer().Add(clusterRole)
if err != nil {
if err := client.Create(context.Background(), clusterRole.DeepCopy()); err != nil {
return nil, err
}
}
for _, clusterRoleBinding := range staticRoles.clusterRoleBindings {
err := k8sInformerFactory.Rbac().V1().ClusterRoleBindings().Informer().GetIndexer().Add(clusterRoleBinding)
if err != nil {
if err := client.Create(context.Background(), clusterRoleBinding.DeepCopy()); err != nil {
return nil, err
}
}
for _, workspaceRole := range staticRoles.workspaceRoles {
err := ksInformerFactory.Iam().V1alpha2().WorkspaceRoles().Informer().GetIndexer().Add(workspaceRole)
if err != nil {
if err := client.Create(context.Background(), workspaceRole.DeepCopy()); err != nil {
return nil, err
}
}
for _, workspaceRoleBinding := range staticRoles.workspaceRoleBindings {
err := ksInformerFactory.Iam().V1alpha2().WorkspaceRoleBindings().Informer().GetIndexer().Add(workspaceRoleBinding)
if err != nil {
if err := client.Create(context.Background(), workspaceRoleBinding.DeepCopy()); err != nil {
return nil, err
}
}
for _, globalRole := range staticRoles.globalRoles {
err := ksInformerFactory.Iam().V1alpha2().GlobalRoles().Informer().GetIndexer().Add(globalRole)
if err != nil {
if err := client.Create(context.Background(), globalRole.DeepCopy()); err != nil {
return nil, err
}
}
for _, globalRoleBinding := range staticRoles.globalRoleBindings {
err := ksInformerFactory.Iam().V1alpha2().GlobalRoleBindings().Informer().GetIndexer().Add(globalRoleBinding)
if err != nil {
if err := client.Create(context.Background(), globalRoleBinding.DeepCopy()); err != nil {
return nil, err
}
}
return NewRBACAuthorizer(am.NewReadOnlyOperator(fakeInformerFactory, nil)), nil
fakeCache := &informertest.FakeInformers{Scheme: scheme.Scheme}
resourceManager, err := v1beta1.New(context.Background(), client, fakeCache)
if err != nil {
return nil, err
}
return NewRBACAuthorizer(am.NewReadOnlyOperator(resourceManager)), nil
}
func TestAppliesTo(t *testing.T) {
@@ -985,7 +974,7 @@ func TestAppliesTo(t *testing.T) {
subjects: []rbacv1.Subject{
{Kind: rbacv1.UserKind, Name: "barfoo"},
{Kind: rbacv1.GroupKind, Name: "foobar"},
{Kind: rbacv1.ServiceAccountKind, Namespace: "kube-system", Name: "default"},
{Kind: rbacv1.ServiceAccountKind, APIGroup: rbacv1.GroupName, Namespace: "kube-system", Name: "default"},
},
user: &user.DefaultInfo{Name: "system:serviceaccount:kube-system:default"},
namespace: "default",