fix(auth): allow anyone to get cluster-info in kube-public

xiaosuiba · xiaosuiba · commit 7726e9f6d8c9 · 2021-06-03T16:27:19.000+08:00
diff --git a/pkg/auth/filter/filter.go b/pkg/auth/filter/filter.go
@@ -60,6 +60,8 @@ const (
 	decisionAllow  = "allow"
 	decisionForbid = "forbid"
 	reasonError    = "internal error"
+
+	kubePublicNS = "kube-public"
 )
 
 var (
@@ -182,6 +184,11 @@ func UnprotectedAuthorized(attributes authorizer.Attributes) authorizer.Decision
 		return authorizer.DecisionAllow
 	}
 
+	// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	if attributes.GetNamespace() == kubePublicNS && isGetVerb(verb) {
+		return authorizer.DecisionAllow
+	}
+
 	return authorizer.DecisionNoOpinion
 }
 
@@ -323,3 +330,7 @@ func splitPath(path string) []string {
 	}
 	return strings.Split(path, "/")
 }
+
+func isGetVerb(verb string) bool {
+	return strings.HasPrefix(verb, "get")
+}
diff --git a/web/console/src/webApi/tkestack.ts b/web/console/src/webApi/tkestack.ts
@@ -1,13 +1,13 @@
 import Request from './request';
 
 export const getTkeStackVersion = async () => {
-  const rsp = await Request.get<any, { items: Array<{ data?: { tkeVersion?: string } }> }>(
-    '/api/v1/namespaces/kube-public/configmaps',
+  const rsp = await Request.get<any, { data?: { tkeVersion: string } }>(
+    '/api/v1/namespaces/kube-public/configmaps/cluster-info',
     {
       headers: {
         'X-TKE-ClusterName': 'global'
       }
     }
   );
-  return rsp?.items?.[0]?.data?.tkeVersion ?? '';
+  return rsp?.data?.tkeVersion ?? '';
 };

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,8 @@ const (`
`60`	`60`	`decisionAllow = "allow"`
`61`	`61`	`decisionForbid = "forbid"`
`62`	`62`	`reasonError = "internal error"`
	`63`	`+`
	`64`	`+ kubePublicNS = "kube-public"`
`63`	`65`	`)`
`64`	`66`
`65`	`67`	`var (`
`@@ -182,6 +184,11 @@ func UnprotectedAuthorized(attributes authorizer.Attributes) authorizer.Decision`
`182`	`184`	`return authorizer.DecisionAllow`
`183`	`185`	`}`
`184`	`186`
	`187`	`+ // https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/`
	`188`	`+ if attributes.GetNamespace() == kubePublicNS && isGetVerb(verb) {`
	`189`	`+ return authorizer.DecisionAllow`
	`190`	`+ }`
	`191`	`+`
`185`	`192`	`return authorizer.DecisionNoOpinion`
`186`	`193`	`}`
`187`	`194`
`@@ -323,3 +330,7 @@ func splitPath(path string) []string {`
`323`	`330`	`}`
`324`	`331`	`return strings.Split(path, "/")`
`325`	`332`	`}`
	`333`	`+`
	`334`	`+func isGetVerb(verb string) bool {`
	`335`	`+ return strings.HasPrefix(verb, "get")`
	`336`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`import Request from './request';`
`2`	`2`
`3`	`3`	`export const getTkeStackVersion = async () => {`
`4`		`- const rsp = await Request.get<any, { items: Array<{ data?: { tkeVersion?: string } }> }>(`
`5`		`- '/api/v1/namespaces/kube-public/configmaps',`
	`4`	`+ const rsp = await Request.get<any, { data?: { tkeVersion: string } }>(`
	`5`	`+ '/api/v1/namespaces/kube-public/configmaps/cluster-info',`
`6`	`6`	`{`
`7`	`7`	`headers: {`
`8`	`8`	`'X-TKE-ClusterName': 'global'`
`9`	`9`	`}`
`10`	`10`	`}`
`11`	`11`	`);`
`12`		`- return rsp?.items?.[0]?.data?.tkeVersion ?? '';`
	`12`	`+ return rsp?.data?.tkeVersion ?? '';`
`13`	`13`	`};`