Do not allow virtual workspaces by default...
... when no authorizer is defined.

Signed-off-by: David Festal <dfestal@redhat.com>
davidfestal committed Jun 1, 2022
1 parent 66cc1dc commit cf98b01
Showing 6 changed files with 27 additions and 2 deletions.
7 changes: 7 additions & 0 deletions pkg/virtual/apiexport/builder/build.go
Expand Up @@ -24,10 +24,12 @@ import (

"github.com/kcp-dev/logicalcluster"

"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/tools/cache"
"k8s.io/klog/v2"

apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
kcpclient "github.com/kcp-dev/kcp/pkg/client/clientset/versioned"
Expand Down Expand Up @@ -118,6 +120,11 @@ func BuildVirtualWorkspace(
return
},

Authorizer: func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
klog.Error("the authorizer for the 'initializingworkspaces' virtual workspace is not implemented !")
return authorizer.DecisionAllow, "", nil
},

Ready: func() error {
select {
case <-readyCh:
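Review bot: The added `Authorizer` stub returns `authorizer.DecisionAllow` for every request, so this virtual workspace still admits any request that reaches it even though the framework default in this commit moves to `DecisionNoOpinion`; the same stub is added in the initializingworkspaces, syncer and workspaces builders. The log text here names 'initializingworkspaces' although this file is under pkg/virtual/apiexport, so it presumably should read `klog.Error("the authorizer for the 'apiexport' virtual workspace is not implemented !")`. Because the closure runs on each authorization check, `klog.Error` will likely fire once per request; a single warning when the workspace is built, plus a `// TODO: replace allow-all stub with a real authorizer` comment on the field, would keep the gap visible without flooding the log. BuildVirtualWorkspace starts and ends outside the hunk.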
2 changes: 1 addition & 1 deletion pkg/virtual/framework/dynamic/types.go
Expand Up @@ -58,5 +58,5 @@ func (vw *DynamicVirtualWorkspace) Authorize(ctx context.Context, a authorizer.A
if vw.Authorizer != nil {
return vw.Authorizer(ctx, a)
}
return authorizer.DecisionAllow, "", nil
return authorizer.DecisionNoOpinion, "", nil
}
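Review bot: The new fallback `return authorizer.DecisionNoOpinion, "", nil` carries no reason string, so a request refused because the workspace has no authorizer cannot be told apart from any other refusal in error or audit output; consider `return authorizer.DecisionNoOpinion, "virtual workspace has no authorizer configured", nil`. NoOpinion only results in a denial if the caller treats every decision other than Allow as a refusal, which is not visible in this hunk, so a short comment on Authorize stating that assumption and a unit test for the nil-Authorizer case would be worth adding. The same applies to FixedGroupVersionsVirtualWorkspace.Authorize in pkg/virtual/framework/fixedgvs/types.go. The function's signature lies outside the hunk.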
2 changes: 1 addition & 1 deletion pkg/virtual/framework/fixedgvs/types.go
Expand Up @@ -79,5 +79,5 @@ func (vw *FixedGroupVersionsVirtualWorkspace) Authorize(ctx context.Context, a a
if vw.Authorizer != nil {
return vw.Authorizer(ctx, a)
}
return authorizer.DecisionAllow, "", nil
return authorizer.DecisionNoOpinion, "", nil
}
6 changes: 6 additions & 0 deletions pkg/virtual/initializingworkspaces/builder/build.go
Expand Up @@ -29,11 +29,13 @@ import (
crdlisters "k8s.io/apiextensions-apiserver/pkg/client/listers/apiextensions/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/clusters"
"k8s.io/klog/v2"

"github.com/kcp-dev/kcp/pkg/admission/reservedcrdgroups"
apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
Expand Down Expand Up @@ -119,6 +121,10 @@ func BuildVirtualWorkspace(
accepted = true
return
},
Authorizer: func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
klog.Error("the authorizer for the 'initializingworkspaces' virtual workspace is not implemented !")
return authorizer.DecisionAllow, "", nil
},
Ready: func() error {
select {
case <-readyCh:
6 changes: 6 additions & 0 deletions pkg/virtual/syncer/builder/build.go
Expand Up @@ -23,11 +23,13 @@ import (

"github.com/kcp-dev/logicalcluster"

"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/clusters"
"k8s.io/klog/v2"

apisv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/apis/v1alpha1"
workloadv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/workload/v1alpha1"
Expand Down Expand Up @@ -118,6 +120,10 @@ func BuildVirtualWorkspace(
accepted = true
return
},
Authorizer: func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
klog.Error("the authorizer for the 'syncer' virtual workspace is not implemented !")
return authorizer.DecisionAllow, "", nil
},
Ready: func() error {
select {
case <-readyCh:
6 changes: 6 additions & 0 deletions pkg/virtual/workspaces/builder/build.go
Expand Up @@ -24,11 +24,13 @@ import (

"github.com/kcp-dev/logicalcluster"

"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/registry/rest"
genericapiserver "k8s.io/apiserver/pkg/server"
rbacinformers "k8s.io/client-go/informers/rbac/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/cache"
"k8s.io/klog/v2"

tenancyv1alpha1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1alpha1"
tenancyv1beta1 "github.com/kcp-dev/kcp/pkg/apis/tenancy/v1beta1"
Expand Down Expand Up @@ -91,6 +93,10 @@ func BuildVirtualWorkspace(rootPathPrefix string, wildcardsClusterWorkspaces wor
}
return
},
Authorizer: func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
klog.Error("the authorizer for the 'workdspaces' virtual workspace is not implemented !")
return authorizer.DecisionAllow, "", nil
},
GroupVersionAPISets: []fixedgvs.GroupVersionAPISet{
{
GroupVersion: tenancyv1beta1.SchemeGroupVersion,
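Review bot: The log message in the added `Authorizer` misspells the workspace name as 'workdspaces', which makes the entry harder to find when searching logs for this workspace; it should read `klog.Error("the authorizer for the 'workspaces' virtual workspace is not implemented !")`. BuildVirtualWorkspace continues outside the hunk.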
