1/* 2Copyright 2016 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17// Package policybased implements a standard storage for ClusterRole that prevents privilege escalation. 18package policybased 19 20import ( 21 "context" 22 "errors" 23 24 apierrors "k8s.io/apimachinery/pkg/api/errors" 25 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 26 "k8s.io/apimachinery/pkg/runtime" 27 "k8s.io/apiserver/pkg/authorization/authorizer" 28 "k8s.io/apiserver/pkg/registry/rest" 29 kapihelper "k8s.io/kubernetes/pkg/apis/core/helper" 30 "k8s.io/kubernetes/pkg/apis/rbac" 31 rbacregistry "k8s.io/kubernetes/pkg/registry/rbac" 32 rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation" 33) 34 35var groupResource = rbac.Resource("clusterroles") 36 37type Storage struct { 38 rest.StandardStorage 39 40 authorizer authorizer.Authorizer 41 42 ruleResolver rbacregistryvalidation.AuthorizationRuleResolver 43} 44 45func NewStorage(s rest.StandardStorage, authorizer authorizer.Authorizer, ruleResolver rbacregistryvalidation.AuthorizationRuleResolver) *Storage { 46 return &Storage{s, authorizer, ruleResolver} 47} 48 49func (r *Storage) NamespaceScoped() bool { 50 return false 51} 52 53func (r *Storage) StorageVersion() runtime.GroupVersioner { 54 svp, ok := r.StandardStorage.(rest.StorageVersionProvider) 55 if !ok { 56 return nil 57 } 58 return svp.StorageVersion() 59} 60 61var _ rest.StorageVersionProvider = &Storage{} 62 63var fullAuthority = []rbac.PolicyRule{ 64 rbac.NewRule("*").Groups("*").Resources("*").RuleOrDie(), 65 rbac.NewRule("*").URLs("*").RuleOrDie(), 66} 67 68func (s *Storage) Create(ctx context.Context, obj runtime.Object, createValidatingAdmission rest.ValidateObjectFunc, options *metav1.CreateOptions) (runtime.Object, error) { 69 if rbacregistry.EscalationAllowed(ctx) || rbacregistry.RoleEscalationAuthorized(ctx, s.authorizer) { 70 return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, options) 71 } 72 73 clusterRole := obj.(*rbac.ClusterRole) 74 rules := clusterRole.Rules 75 if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil { 76 return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err) 77 } 78 // to set the aggregation rule, since it can gather anything, requires * on *.* 79 if hasAggregationRule(clusterRole) { 80 if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil { 81 return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule")) 82 } 83 } 84 85 return s.StandardStorage.Create(ctx, obj, createValidatingAdmission, options) 86} 87 88func (s *Storage) Update(ctx context.Context, name string, obj rest.UpdatedObjectInfo, createValidation rest.ValidateObjectFunc, updateValidation rest.ValidateObjectUpdateFunc, forceAllowCreate bool, options *metav1.UpdateOptions) (runtime.Object, bool, error) { 89 if rbacregistry.EscalationAllowed(ctx) || rbacregistry.RoleEscalationAuthorized(ctx, s.authorizer) { 90 return s.StandardStorage.Update(ctx, name, obj, createValidation, updateValidation, forceAllowCreate, options) 91 } 92 93 nonEscalatingInfo := rest.WrapUpdatedObjectInfo(obj, func(ctx context.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) { 94 clusterRole := obj.(*rbac.ClusterRole) 95 oldClusterRole := oldObj.(*rbac.ClusterRole) 96 97 // if we're only mutating fields needed for the GC to eventually delete this obj, return 98 if rbacregistry.IsOnlyMutatingGCFields(obj, oldObj, kapihelper.Semantic) { 99 return obj, nil 100 } 101 102 rules := clusterRole.Rules 103 if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, rules); err != nil { 104 return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, err) 105 } 106 // to change the aggregation rule, since it can gather anything and prevent tightening, requires * on *.* 107 if hasAggregationRule(clusterRole) || hasAggregationRule(oldClusterRole) { 108 if err := rbacregistryvalidation.ConfirmNoEscalationInternal(ctx, s.ruleResolver, fullAuthority); err != nil { 109 return nil, apierrors.NewForbidden(groupResource, clusterRole.Name, errors.New("must have cluster-admin privileges to use the aggregationRule")) 110 } 111 } 112 113 return obj, nil 114 }) 115 116 return s.StandardStorage.Update(ctx, name, nonEscalatingInfo, createValidation, updateValidation, forceAllowCreate, options) 117} 118 119func hasAggregationRule(clusterRole *rbac.ClusterRole) bool { 120 return clusterRole.AggregationRule != nil && len(clusterRole.AggregationRule.ClusterRoleSelectors) > 0 121} 122