server/config: assing system:apiserver user to system:authenticated group

p0lyn0mial · p0lyn0mial · commit dfeb560d4a22 · 2024-10-07T17:41:30.000+02:00
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go
@@ -1170,7 +1170,7 @@ func AuthorizeClientBearerToken(loopback *restclient.Config, authn *Authenticati
 	tokens[privilegedLoopbackToken] = &user.DefaultInfo{
 		Name:   user.APIServerUser,
 		UID:    uid,
-		Groups: []string{user.SystemPrivilegedGroup},
+		Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},
 	}
 
 	tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)
diff --git a/staging/src/k8s.io/apiserver/pkg/server/config_test.go b/staging/src/k8s.io/apiserver/pkg/server/config_test.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/apiserver/pkg/audit/policy"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/server/healthz"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
@@ -83,6 +84,34 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
 	}
 }
 
+func TestAuthorizeClientBearerTokenRequiredGroups(t *testing.T) {
+	fakeAuthenticator := authenticator.RequestFunc(func(req *http.Request) (*authenticator.Response, bool, error) {
+		return &authenticator.Response{User: &user.DefaultInfo{}}, false, nil
+	})
+	fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
+		return authorizer.DecisionAllow, "", nil
+	})
+	target := &rest.Config{BearerToken: "secretToken"}
+	authN := &AuthenticationInfo{Authenticator: fakeAuthenticator}
+	authC := &AuthorizationInfo{Authorizer: fakeAuthorizer}
+
+	AuthorizeClientBearerToken(target, authN, authC)
+
+	fakeRequest, err := http.NewRequest("", "", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	fakeRequest.Header.Set("Authorization", "bearer secretToken")
+	rsp, _, err := authN.Authenticator.AuthenticateRequest(fakeRequest)
+	if err != nil {
+		t.Fatal(err)
+	}
+	expectedGroups := []string{user.AllAuthenticated, user.SystemPrivilegedGroup}
+	if !reflect.DeepEqual(expectedGroups, rsp.User.GetGroups()) {
+		t.Fatalf("unexpected groups = %v returned, expected = %v", rsp.User.GetGroups(), expectedGroups)
+	}
+}
+
 func TestNewWithDelegate(t *testing.T) {
 	_, ctx := ktesting.NewTestContext(t)
 	ctx, cancel := context.WithCancelCause(ctx)

Original file line number	Diff line number	Diff line change
`@@ -1170,7 +1170,7 @@ func AuthorizeClientBearerToken(loopback restclient.Config, authn Authenticati`
`1170`	`1170`	`tokens[privilegedLoopbackToken] = &user.DefaultInfo{`
`1171`	`1171`	`Name: user.APIServerUser,`
`1172`	`1172`	`UID: uid,`
`1173`		`- Groups: []string{user.SystemPrivilegedGroup},`
	`1173`	`+ Groups: []string{user.AllAuthenticated, user.SystemPrivilegedGroup},`
`1174`	`1174`	`}`
`1175`	`1175`
`1176`	`1176`	`tokenAuthenticator := authenticatorfactory.NewFromTokens(tokens, authn.APIAudiences)`