
Commit 264cd64

committed
Run RBAC hook correctly when running from authz config file
1 parent 1f40e09 commit 264cd64


1 file changed

+21
-10
lines changed

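--- a/pkg/controlplane/apiserver/config.go
+++ b/pkg/controlplane/apiserver/config.go
@@ -147,12 +147,13 @@ func BuildGenericConfig(
 return
 }
 
-genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers)
+var enablesRBAC bool
+genericConfig.Authorization.Authorizer, genericConfig.RuleResolver, enablesRBAC, err = BuildAuthorizer(s, genericConfig.EgressSelector, versionedInformers)
 if err != nil {
 lastErr = fmt.Errorf("invalid authorization config: %v", err)
 return
 }
-if s.Authorization != nil && !sets.NewString(s.Authorization.Modes...).Has(modes.ModeRBAC) {
+if s.Authorization != nil && !enablesRBAC {
 genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName)
 }
 
@@ -168,25 +169,35 @@ func BuildGenericConfig(
 return
 }
 
-// BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, nil
-func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, EgressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, error) {
+// BuildAuthorizer constructs the authorizer. If authorization is not set in s, it returns nil, nil, false, nil
+func BuildAuthorizer(s controlplaneapiserver.CompletedOptions, egressSelector *egressselector.EgressSelector, versionedInformers clientgoinformers.SharedInformerFactory) (authorizer.Authorizer, authorizer.RuleResolver, bool, error) {
 authorizationConfig, err := s.Authorization.ToAuthorizationConfig(versionedInformers)
 if err != nil {
-return nil, nil, err
+return nil, nil, false, err
 }
 if authorizationConfig == nil {
-return nil, nil, nil
+return nil, nil, false, nil
 }
 
-if EgressSelector != nil {
-egressDialer, err := EgressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
+if egressSelector != nil {
+egressDialer, err := egressSelector.Lookup(egressselector.ControlPlane.AsNetworkContext())
 if err != nil {
-return nil, nil, err
+return nil, nil, false, err
 }
 authorizationConfig.CustomDial = egressDialer
 }
 
-return authorizationConfig.New()
+enablesRBAC := false
+for _, a := range authorizationConfig.AuthorizationConfiguration.Authorizers {
+if string(a.Type) == modes.ModeRBAC {
+enablesRBAC = true
+break
+}
+}
+
+authorizer, ruleResolver, err := authorizationConfig.New()
+
+return authorizer, ruleResolver, enablesRBAC, err
 }
 
 // CreatePeerEndpointLeaseReconciler creates a apiserver endpoint lease reconciliation loop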
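Review bot: The new `bool` result of BuildAuthorizer is not described in its doc comment, which only lists the values returned when authorization is unset. BuildGenericConfig uses that value to decide whether `rbacrest.PostStartHookName` goes into `DisabledPostStartHooks`, so the contract should be stated, for example `// The bool result reports whether any configured authorizer has type modes.ModeRBAC.` In the same function the local declared by `authorizer, ruleResolver, err := authorizationConfig.New()` shadows the `authorizer` package named in the signature; `authz, ruleResolver, err := authorizationConfig.New()` with `return authz, ruleResolver, enablesRBAC, err` avoids that. The value is also returned as `true` alongside a non-nil `err` when `New()` fails, which the caller tolerates only because it checks `err` first. The commit touches this one file, so a test that builds the config from an authorizer list containing RBAC and asserts the hook is not disabled would guard this path.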
