Switch RBAC subject apiVersion to apiGroup in v1beta1

2025-10-30 01:42:48 +00:00 · 2017-02-10 11:31:40 -05:00
parent 95badd95ce
commit 2a76fa1c8f
20 changed files with 240 additions and 73 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml
@@ -12,7 +12,8 @@ items:
    kind: ClusterRole
    name: cluster-admin
  subjects:
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:masters
 - apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
@@ -26,9 +27,11 @@ items:
    kind: ClusterRole
    name: system:basic-user
  subjects:
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:authenticated
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:unauthenticated
 - apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
@@ -42,9 +45,11 @@ items:
    kind: ClusterRole
    name: system:discovery
  subjects:
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:authenticated
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:unauthenticated
 - apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
@@ -58,7 +63,8 @@ items:
    kind: ClusterRole
    name: system:kube-controller-manager
  subjects:
-  - kind: User
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
    name: system:kube-controller-manager
 - apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
@@ -72,7 +78,8 @@ items:
    kind: ClusterRole
    name: system:node
  subjects:
-  - kind: Group
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
    name: system:nodes
 - apiVersion: rbac.authorization.k8s.io/v1beta1
  kind: ClusterRoleBinding
@@ -86,7 +93,8 @@ items:
    kind: ClusterRole
    name: system:node-proxier
  subjects:
-  - kind: User
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
    name: system:kube-proxy
 kind: List
 metadata: {}
--- a/plugin/pkg/auth/authorizer/rbac/rbac_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac_test.go
@@ -64,6 +64,15 @@ func newClusterRoleBinding(roleName string, subjects ...string) *rbac.ClusterRol
 	for i, subject := range subjects {
 		split := strings.SplitN(subject, ":", 2)
 		r.Subjects[i].Kind, r.Subjects[i].Name = split[0], split[1]
+
+		switch r.Subjects[i].Kind {
+		case rbac.ServiceAccountKind:
+			r.Subjects[i].APIGroup = ""
+		case rbac.UserKind, rbac.GroupKind:
+			r.Subjects[i].APIGroup = rbac.GroupName
+		default:
+			panic(fmt.Errorf("invalid kind %s", r.Subjects[i].Kind))
+		}
 	}
 	return r
 }
@@ -82,6 +91,15 @@ func newRoleBinding(namespace, roleName string, bindType uint16, subjects ...str
 	for i, subject := range subjects {
 		split := strings.SplitN(subject, ":", 2)
 		r.Subjects[i].Kind, r.Subjects[i].Name = split[0], split[1]
+
+		switch r.Subjects[i].Kind {
+		case rbac.ServiceAccountKind:
+			r.Subjects[i].APIGroup = ""
+		case rbac.UserKind, rbac.GroupKind:
+			r.Subjects[i].APIGroup = rbac.GroupName
+		default:
+			panic(fmt.Errorf("invalid kind %s", r.Subjects[i].Kind))
+		}
 	}
 	return r
 }
--- a/plugin/pkg/auth/authorizer/rbac/subject_locator.go
+++ b/plugin/pkg/auth/authorizer/rbac/subject_locator.go
@@ -54,9 +54,9 @@ func NewSubjectAccessEvaluator(roles rbacregistryvalidation.RoleGetter, roleBind
 // AllowedSubjects returns the subjects that can perform an action and any errors encountered while computing the list.
 // It is possible to have both subjects and errors returned if some rolebindings couldn't be resolved, but others could be.
 func (r *SubjectAccessEvaluator) AllowedSubjects(requestAttributes authorizer.Attributes) ([]rbac.Subject, error) {
-	subjects := []rbac.Subject{{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup}}
+	subjects := []rbac.Subject{{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup}}
 	if len(r.superUser) > 0 {
-		subjects = append(subjects, rbac.Subject{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: r.superUser})
+		subjects = append(subjects, rbac.Subject{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: r.superUser})
 	}
 	errorlist := []error{}

--- a/plugin/pkg/auth/authorizer/rbac/subject_locator_test.go
+++ b/plugin/pkg/auth/authorizer/rbac/subject_locator_test.go
@@ -58,29 +58,29 @@ func TestSubjectLocator(t *testing.T) {
 				{
 					&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
-						{Kind: rbac.UserKind, Name: "admin"},
-						{Kind: rbac.GroupKind, Name: "admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "admins"},
 					},
 				},
 				{
 					// cluster role matches star in namespace
 					&defaultAttributes{"", "", "*", "Pods", "", "*", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
 					},
 				},
 				{
 					// empty ns
 					&defaultAttributes{"", "", "*", "Pods", "", "", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
 					},
 				},
 			},
@@ -104,32 +104,32 @@ func TestSubjectLocator(t *testing.T) {
 				{
 					&defaultAttributes{"", "", "get", "Pods", "", "ns1", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
-						{Kind: rbac.UserKind, Name: "admin"},
-						{Kind: rbac.GroupKind, Name: "admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "admins"},
 					},
 				},
 				{
 					// verb matchies correctly
 					&defaultAttributes{"", "", "create", "Pods", "", "ns1", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
 					},
 				},
 				{
 					// binding only works in correct ns
 					&defaultAttributes{"", "", "get", "Pods", "", "ns2", ""},
 					[]rbac.Subject{
-						{Kind: rbac.GroupKind, Name: user.SystemPrivilegedGroup},
-						{Kind: rbac.UserKind, APIVersion: "v1alpha1", Name: "foo"},
-						{Kind: rbac.UserKind, Name: "super-admin"},
-						{Kind: rbac.GroupKind, Name: "super-admins"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: user.SystemPrivilegedGroup},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "foo"},
+						{Kind: rbac.UserKind, APIGroup: rbac.GroupName, Name: "super-admin"},
+						{Kind: rbac.GroupKind, APIGroup: rbac.GroupName, Name: "super-admins"},
 					},
 				},
 			},
@@ -144,7 +144,7 @@ func TestSubjectLocator(t *testing.T) {
 				t.Errorf("case %q %d: error %v", tt.name, i, err)
 			}
 			if !reflect.DeepEqual(actualSubjects, action.subjects) {
-				t.Errorf("case %q %d: expected %v actual %v", tt.name, i, action.subjects, actualSubjects)
+				t.Errorf("case %q %d: expected\n%v\nactual\n%v", tt.name, i, action.subjects, actualSubjects)
 			}
 		}
 	}