Fix container terminal security risk
Signed-off-by: hongming <talonwan@yunify.com>
@@ -166,6 +166,10 @@ func (s *APIServer) PrepareRun(stopCh <-chan struct{}) error {
|
|||||||
// Installation happens before all informers start to cache objects, so
|
// Installation happens before all informers start to cache objects, so
|
||||||
// any attempt to list objects using listers will get empty results.
|
// any attempt to list objects using listers will get empty results.
|
||||||
func (s *APIServer) installKubeSphereAPIs() {
|
func (s *APIServer) installKubeSphereAPIs() {
|
||||||
|
imOperator := im.NewOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory, s.Config.AuthenticationOptions)
|
||||||
|
amOperator := am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes())
|
||||||
|
rbacAuthorizer := authorizerfactory.NewRBACAuthorizer(amOperator)
|
||||||
|
|
||||||
urlruntime.Must(configv1alpha2.AddToContainer(s.container, s.Config))
|
urlruntime.Must(configv1alpha2.AddToContainer(s.container, s.Config))
|
||||||
urlruntime.Must(resourcev1alpha3.AddToContainer(s.container, s.InformerFactory))
|
urlruntime.Must(resourcev1alpha3.AddToContainer(s.container, s.InformerFactory))
|
||||||
urlruntime.Must(monitoringv1alpha3.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.MonitoringClient, s.InformerFactory, s.OpenpitrixClient))
|
urlruntime.Must(monitoringv1alpha3.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.MonitoringClient, s.InformerFactory, s.OpenpitrixClient))
|
||||||
@@ -174,7 +178,7 @@ func (s *APIServer) installKubeSphereAPIs() {
|
|||||||
urlruntime.Must(resourcesv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.InformerFactory,
|
urlruntime.Must(resourcesv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.InformerFactory,
|
||||||
s.KubernetesClient.Master()))
|
s.KubernetesClient.Master()))
|
||||||
urlruntime.Must(tenantv1alpha2.AddToContainer(s.container, s.InformerFactory, s.KubernetesClient.Kubernetes(),
|
urlruntime.Must(tenantv1alpha2.AddToContainer(s.container, s.InformerFactory, s.KubernetesClient.Kubernetes(),
|
||||||
s.KubernetesClient.KubeSphere(), s.EventsClient, s.LoggingClient, s.AuditingClient))
|
s.KubernetesClient.KubeSphere(), s.EventsClient, s.LoggingClient, s.AuditingClient, amOperator, rbacAuthorizer))
|
||||||
urlruntime.Must(terminalv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.KubernetesClient.Config()))
|
urlruntime.Must(terminalv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.KubernetesClient.Config()))
|
||||||
urlruntime.Must(clusterkapisv1alpha1.AddToContainer(s.container,
|
urlruntime.Must(clusterkapisv1alpha1.AddToContainer(s.container,
|
||||||
s.InformerFactory.KubernetesSharedInformerFactory(),
|
s.InformerFactory.KubernetesSharedInformerFactory(),
|
||||||
@@ -182,7 +186,6 @@ func (s *APIServer) installKubeSphereAPIs() {
|
|||||||
s.Config.MultiClusterOptions.ProxyPublishService,
|
s.Config.MultiClusterOptions.ProxyPublishService,
|
||||||
s.Config.MultiClusterOptions.ProxyPublishAddress,
|
s.Config.MultiClusterOptions.ProxyPublishAddress,
|
||||||
s.Config.MultiClusterOptions.AgentImage))
|
s.Config.MultiClusterOptions.AgentImage))
|
||||||
imOperator := im.NewOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory, s.Config.AuthenticationOptions)
|
|
||||||
urlruntime.Must(iamapi.AddToContainer(s.container, imOperator,
|
urlruntime.Must(iamapi.AddToContainer(s.container, imOperator,
|
||||||
am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()),
|
am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()),
|
||||||
group.New(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()),
|
group.New(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes()),
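Review bot: The tenant operator is now handed the read-write `amOperator` built from `am.NewOperator(...)` at the top of installKubeSphereAPIs, whereas `tenant.New` previously constructed its own `am.NewReadOnlyOperator(informers)` for the same purpose; if `AccessManagementInterface` exposes mutating methods, the tenant model now carries more capability than an authorization decision needs, and passing a read-only operator for that parameter would keep it at least privilege. Separately, the `iamapi.AddToContainer` call in this hunk still builds a second `am.NewOperator(s.InformerFactory, s.KubernetesClient.KubeSphere(), s.KubernetesClient.Kubernetes())` on the line after `imOperator`, duplicating the operator hoisted to the top of the function; replacing that argument with `amOperator,` removes the duplicate and keeps one shared instance. installKubeSphereAPIs continues past this hunk.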
|
||||||
|
|||||||
@@ -30,10 +30,12 @@ import (
|
|||||||
eventsv1alpha1 "kubesphere.io/kubesphere/pkg/api/events/v1alpha1"
|
eventsv1alpha1 "kubesphere.io/kubesphere/pkg/api/events/v1alpha1"
|
||||||
loggingv1alpha2 "kubesphere.io/kubesphere/pkg/api/logging/v1alpha2"
|
loggingv1alpha2 "kubesphere.io/kubesphere/pkg/api/logging/v1alpha2"
|
||||||
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
||||||
|
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
||||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||||
"kubesphere.io/kubesphere/pkg/informers"
|
"kubesphere.io/kubesphere/pkg/informers"
|
||||||
|
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||||
"kubesphere.io/kubesphere/pkg/models/tenant"
|
"kubesphere.io/kubesphere/pkg/models/tenant"
|
||||||
servererr "kubesphere.io/kubesphere/pkg/server/errors"
|
servererr "kubesphere.io/kubesphere/pkg/server/errors"
|
||||||
"kubesphere.io/kubesphere/pkg/simple/client/auditing"
|
"kubesphere.io/kubesphere/pkg/simple/client/auditing"
|
||||||
@@ -45,10 +47,12 @@ type tenantHandler struct {
|
|||||||
tenant tenant.Interface
|
tenant tenant.Interface
|
||||||
}
|
}
|
||||||
|
|
||||||
func newTenantHandler(factory informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient events.Client, loggingClient logging.Interface, auditingclient auditing.Client) *tenantHandler {
|
func newTenantHandler(factory informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface,
|
||||||
|
evtsClient events.Client, loggingClient logging.Interface, auditingclient auditing.Client,
|
||||||
|
am am.AccessManagementInterface, authorizer authorizer.Authorizer) *tenantHandler {
|
||||||
|
|
||||||
return &tenantHandler{
|
return &tenantHandler{
|
||||||
tenant: tenant.New(factory, k8sclient, ksclient, evtsClient, loggingClient, auditingclient),
|
tenant: tenant.New(factory, k8sclient, ksclient, evtsClient, loggingClient, auditingclient, am, authorizer),
|
||||||
}
|
}
|
||||||
}
|
}
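Review bot: The new parameters `am am.AccessManagementInterface, authorizer authorizer.Authorizer` shadow the imported packages `am` and `authorizer` inside newTenantHandler, so neither package can be referenced in the body without renaming; gocritic's importShadow flags exactly this. The same pattern is introduced in `AddToContainer` in the tenant register hunk and in `tenant.New` in the models hunk. Renaming to `amOp am.AccessManagementInterface, authz authorizer.Authorizer` and updating the literal to `tenant: tenant.New(factory, k8sclient, ksclient, evtsClient, loggingClient, auditingclient, amOp, authz),` avoids it with no behavior change.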
|
||||||
|
|
||||||
|
|||||||
@@ -27,11 +27,13 @@ import (
|
|||||||
eventsv1alpha1 "kubesphere.io/kubesphere/pkg/api/events/v1alpha1"
|
eventsv1alpha1 "kubesphere.io/kubesphere/pkg/api/events/v1alpha1"
|
||||||
loggingv1alpha2 "kubesphere.io/kubesphere/pkg/api/logging/v1alpha2"
|
loggingv1alpha2 "kubesphere.io/kubesphere/pkg/api/logging/v1alpha2"
|
||||||
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
||||||
|
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/runtime"
|
"kubesphere.io/kubesphere/pkg/apiserver/runtime"
|
||||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||||
"kubesphere.io/kubesphere/pkg/constants"
|
"kubesphere.io/kubesphere/pkg/constants"
|
||||||
"kubesphere.io/kubesphere/pkg/informers"
|
"kubesphere.io/kubesphere/pkg/informers"
|
||||||
"kubesphere.io/kubesphere/pkg/models"
|
"kubesphere.io/kubesphere/pkg/models"
|
||||||
|
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||||
"kubesphere.io/kubesphere/pkg/server/errors"
|
"kubesphere.io/kubesphere/pkg/server/errors"
|
||||||
"kubesphere.io/kubesphere/pkg/simple/client/auditing"
|
"kubesphere.io/kubesphere/pkg/simple/client/auditing"
|
||||||
"kubesphere.io/kubesphere/pkg/simple/client/events"
|
"kubesphere.io/kubesphere/pkg/simple/client/events"
|
||||||
@@ -49,11 +51,13 @@ func Resource(resource string) schema.GroupResource {
|
|||||||
return GroupVersion.WithResource(resource).GroupResource()
|
return GroupVersion.WithResource(resource).GroupResource()
|
||||||
}
|
}
|
||||||
|
|
||||||
func AddToContainer(c *restful.Container, factory informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient events.Client, loggingClient logging.Interface, auditingclient auditing.Client) error {
|
func AddToContainer(c *restful.Container, factory informers.InformerFactory, k8sclient kubernetes.Interface,
|
||||||
|
ksclient kubesphere.Interface, evtsClient events.Client, loggingClient logging.Interface,
|
||||||
|
auditingclient auditing.Client, am am.AccessManagementInterface, authorizer authorizer.Authorizer) error {
|
||||||
mimePatch := []string{restful.MIME_JSON, runtime.MimeMergePatchJson, runtime.MimeJsonPatchJson}
|
mimePatch := []string{restful.MIME_JSON, runtime.MimeMergePatchJson, runtime.MimeJsonPatchJson}
|
||||||
|
|
||||||
ws := runtime.NewWebService(GroupVersion)
|
ws := runtime.NewWebService(GroupVersion)
|
||||||
handler := newTenantHandler(factory, k8sclient, ksclient, evtsClient, loggingClient, auditingclient)
|
handler := newTenantHandler(factory, k8sclient, ksclient, evtsClient, loggingClient, auditingclient, am, authorizer)
|
||||||
|
|
||||||
ws.Route(ws.GET("/clusters").
|
ws.Route(ws.GET("/clusters").
|
||||||
To(handler.ListClusters).
|
To(handler.ListClusters).
|
||||||
|
|||||||
@@ -39,7 +39,7 @@ func AddToContainer(c *restful.Container, client kubernetes.Interface, config *r
|
|||||||
|
|
||||||
handler := newTerminalHandler(client, config)
|
handler := newTerminalHandler(client, config)
|
||||||
|
|
||||||
webservice.Route(webservice.GET("/namespaces/{namespace}/pods/{pod}").
|
webservice.Route(webservice.GET("/namespaces/{namespace}/pods/{pod}/exec").
|
||||||
To(handler.handleTerminalSession).
|
To(handler.handleTerminalSession).
|
||||||
Param(webservice.PathParameter("namespace", "namespace of which the pod located in")).
|
Param(webservice.PathParameter("namespace", "namespace of which the pod located in")).
|
||||||
Param(webservice.PathParameter("pod", "name of the pod")).
|
Param(webservice.PathParameter("pod", "name of the pod")).
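Review bot: The only terminal-related change is the route path gaining the `/exec` suffix; `newTerminalHandler(client, config)` is unchanged and no authorization check is visible at the registration site, so the fix presumably relies on the request-info resolver classifying the new path as the `pods/exec` subresource so the RBAC filter can evaluate it — that dependency should be stated where the route is declared, e.g. `// The /exec suffix is load-bearing: it makes the request resolve to the pods/exec subresource for authorization. Do not shorten the path.` Clients using the old `/namespaces/{namespace}/pods/{pod}` path will now get a 404, so the route's Doc text and any client or swagger references need the new path as well. AddToContainer continues outside this hunk.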
|
||||||
|
|||||||
@@ -41,7 +41,6 @@ import (
|
|||||||
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
||||||
typesv1beta1 "kubesphere.io/kubesphere/pkg/apis/types/v1beta1"
|
typesv1beta1 "kubesphere.io/kubesphere/pkg/apis/types/v1beta1"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
|
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
||||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||||
@@ -92,11 +91,9 @@ type tenantOperator struct {
|
|||||||
auditing auditing.Interface
|
auditing auditing.Interface
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(informers informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient eventsclient.Client, loggingClient loggingclient.Interface, auditingclient auditingclient.Client) Interface {
|
func New(informers informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient eventsclient.Client, loggingClient loggingclient.Interface, auditingclient auditingclient.Client, am am.AccessManagementInterface, authorizer authorizer.Authorizer) Interface {
|
||||||
amOperator := am.NewReadOnlyOperator(informers)
|
|
||||||
authorizer := authorizerfactory.NewRBACAuthorizer(amOperator)
|
|
||||||
return &tenantOperator{
|
return &tenantOperator{
|
||||||
am: amOperator,
|
am: am,
|
||||||
authorizer: authorizer,
|
authorizer: authorizer,
|
||||||
resourceGetter: resourcesv1alpha3.NewResourceGetter(informers),
|
resourceGetter: resourcesv1alpha3.NewResourceGetter(informers),
|
||||||
k8sclient: k8sclient,
|
k8sclient: k8sclient,
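Review bot: `New` now stores whatever `am` and `authorizer` the caller supplies without checking for nil, and the swagger-generator hunk in this commit deliberately passes nil for both, so a nil interface would only surface as a panic on the first authorization call rather than at construction. Since a guard would break that caller, the contract should at least be documented on the function, e.g. `// New builds the tenant operator; am and authorizer must be non-nil for request handling and may be nil only when the operator is used for route registration alone.` The parameter names also shadow the `am` and `authorizer` packages within the body. The function continues past this hunk.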
|
||||||
|
|||||||
@@ -30,9 +30,11 @@ import (
|
|||||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||||
tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
|
tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
|
||||||
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
tenantv1alpha2 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha2"
|
||||||
|
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
|
||||||
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
||||||
fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
|
fakeks "kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
|
||||||
"kubesphere.io/kubesphere/pkg/informers"
|
"kubesphere.io/kubesphere/pkg/informers"
|
||||||
|
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||||
"reflect"
|
"reflect"
|
||||||
fakeapp "sigs.k8s.io/application/pkg/client/clientset/versioned/fake"
|
fakeapp "sigs.k8s.io/application/pkg/client/clientset/versioned/fake"
|
||||||
"testing"
|
"testing"
|
||||||
@@ -538,5 +540,8 @@ func prepare() Interface {
|
|||||||
RoleBindings().Informer().GetIndexer().Add(roleBinding)
|
RoleBindings().Informer().GetIndexer().Add(roleBinding)
|
||||||
}
|
}
|
||||||
|
|
||||||
return New(fakeInformerFactory, k8sClient, ksClient, nil, nil, nil)
|
amOperator := am.NewOperator(fakeInformerFactory, ksClient, k8sClient)
|
||||||
|
authorizer := authorizerfactory.NewRBACAuthorizer(amOperator)
|
||||||
|
|
||||||
|
return New(fakeInformerFactory, k8sClient, ksClient, nil, nil, nil, amOperator, authorizer)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -127,7 +127,7 @@ func generateSwaggerJson() []byte {
|
|||||||
urlruntime.Must(operationsv1alpha2.AddToContainer(container, clientsets.Kubernetes()))
|
urlruntime.Must(operationsv1alpha2.AddToContainer(container, clientsets.Kubernetes()))
|
||||||
urlruntime.Must(resourcesv1alpha2.AddToContainer(container, clientsets.Kubernetes(), informerFactory, ""))
|
urlruntime.Must(resourcesv1alpha2.AddToContainer(container, clientsets.Kubernetes(), informerFactory, ""))
|
||||||
urlruntime.Must(resourcesv1alpha3.AddToContainer(container, informerFactory))
|
urlruntime.Must(resourcesv1alpha3.AddToContainer(container, informerFactory))
|
||||||
urlruntime.Must(tenantv1alpha2.AddToContainer(container, informerFactory, nil, nil, nil, nil, nil))
|
urlruntime.Must(tenantv1alpha2.AddToContainer(container, informerFactory, nil, nil, nil, nil, nil, nil, nil))
|
||||||
urlruntime.Must(terminalv1alpha2.AddToContainer(container, clientsets.Kubernetes(), nil))
|
urlruntime.Must(terminalv1alpha2.AddToContainer(container, clientsets.Kubernetes(), nil))
|
||||||
urlruntime.Must(metricsv1alpha2.AddToContainer(container))
|
urlruntime.Must(metricsv1alpha2.AddToContainer(container))
|
||||||
urlruntime.Must(networkv1alpha2.AddToContainer(container, ""))
|
urlruntime.Must(networkv1alpha2.AddToContainer(container, ""))
|
||||||
|
|||||||