Merge pull request #13649 from Miciah/RestrictUsersAdmission-allow-SA-with-implicit-NS

OpenShift Bot · web-flow · commit 53c083020f1a · 2017-04-08T15:03:36.000-05:00
Merged by openshift-bot
diff --git a/pkg/authorization/admission/restrictusers/subjectchecker.go b/pkg/authorization/admission/restrictusers/subjectchecker.go
@@ -279,8 +279,19 @@ func (checker ServiceAccountSubjectChecker) Allowed(subject kapi.ObjectReference
 		return false, nil
 	}
 
+	subjectNamespace := subject.Namespace
+	if len(subjectNamespace) == 0 {
+		// If a RoleBinding has a subject that is a ServiceAccount with
+		// no namespace specified, the namespace will be defaulted to
+		// that of the RoleBinding.  However, admission control plug-ins
+		// execute before this happens, so in order not to reject such
+		// subjects erroneously, we copy the logic here of using the
+		// RoleBinding's namespace if the subject's is empty.
+		subjectNamespace = ctx.namespace
+	}
+
 	for _, namespace := range checker.serviceAccountRestriction.Namespaces {
-		if subject.Namespace == namespace {
+		if subjectNamespace == namespace {
 			return true, nil
 		}
 	}
@@ -292,7 +303,7 @@ func (checker ServiceAccountSubjectChecker) Allowed(subject kapi.ObjectReference
 		}
 
 		if subject.Name == serviceAccountRef.Name &&
-			subject.Namespace == serviceAccountNamespace {
+			subjectNamespace == serviceAccountNamespace {
 			return true, nil
 		}
 	}
diff --git a/pkg/authorization/admission/restrictusers/subjectchecker_test.go b/pkg/authorization/admission/restrictusers/subjectchecker_test.go
@@ -192,7 +192,7 @@ func TestSubjectCheckers(t *testing.T) {
 			shouldAllow: true,
 		},
 		{
-			name: "allow service account by literal name match",
+			name: "allow service account with explicit namespace by match on literal name and explicit namespace",
 			checker: mustNewSubjectChecker(t,
 				&authorizationapi.RoleBindingRestrictionSpec{
 					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
@@ -208,7 +208,7 @@ func TestSubjectCheckers(t *testing.T) {
 			shouldAllow: true,
 		},
 		{
-			name: "allow service account by literal name match with implicit namespace",
+			name: "allow service account with explicit namespace by match on literal name and implicit namespace",
 			checker: mustNewSubjectChecker(t,
 				&authorizationapi.RoleBindingRestrictionSpec{
 					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
@@ -220,6 +220,113 @@ func TestSubjectCheckers(t *testing.T) {
 			subject:     serviceaccountRef,
 			shouldAllow: true,
 		},
+		{
+			name: "prohibit service account with explicit namespace where literal name matches but explicit namespace does not",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{
+								Namespace: serviceaccountRef.Namespace,
+								Name:      serviceaccountRef.Name,
+							},
+						},
+					},
+				}),
+			subject: kapi.ObjectReference{
+				Kind:      authorizationapi.ServiceAccountKind,
+				Namespace: "othernamespace",
+				Name:      serviceaccountRef.Name,
+			},
+			shouldAllow: false,
+		},
+		{
+			name: "prohibit service account with explicit namespace where literal name matches but implicit namespace does not",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{Name: serviceaccountRef.Name},
+						},
+					},
+				}),
+			subject: kapi.ObjectReference{
+				Kind:      authorizationapi.ServiceAccountKind,
+				Namespace: "othernamespace",
+				Name:      serviceaccountRef.Name,
+			},
+			shouldAllow: false,
+		},
+		{
+			name: "allow service account with implicit namespace by match on literal name and explicit namespace",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{
+								Name:      serviceaccountRef.Name,
+								Namespace: serviceaccountRef.Namespace,
+							},
+						},
+					},
+				}),
+			subject: kapi.ObjectReference{
+				Kind: authorizationapi.ServiceAccountKind,
+				Name: serviceaccountRef.Name,
+			},
+			shouldAllow: true,
+		},
+		{
+			name: "allow service account with implicit namespace by match on literal name and implicit namespace",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{Name: serviceaccountRef.Name},
+						},
+					},
+				}),
+			subject: kapi.ObjectReference{
+				Kind: authorizationapi.ServiceAccountKind,
+				Name: serviceaccountRef.Name,
+			},
+			shouldAllow: true,
+		},
+		{
+			name: "prohibit service account with implicit namespace where literal name matches but explicit namespace does not",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{
+								Namespace: "othernamespace",
+								Name:      serviceaccountRef.Name,
+							},
+						},
+					},
+				}),
+			subject: kapi.ObjectReference{
+				Kind: authorizationapi.ServiceAccountKind,
+				Name: serviceaccountRef.Name,
+			},
+			shouldAllow: false,
+		},
+		{
+			name: "prohibit service account with explicit namespace where explicit namespace matches but literal name does not",
+			checker: mustNewSubjectChecker(t,
+				&authorizationapi.RoleBindingRestrictionSpec{
+					ServiceAccountRestriction: &authorizationapi.ServiceAccountRestriction{
+						ServiceAccounts: []authorizationapi.ServiceAccountReference{
+							{
+								Namespace: serviceaccountRef.Namespace,
+								Name:      "othername",
+							},
+						},
+					},
+				}),
+			subject:     serviceaccountRef,
+			shouldAllow: false,
+		},
 		{
 			name: "allow service account by match on namespace",
 			checker: mustNewSubjectChecker(t,

Original file line number	Diff line number	Diff line change
`@@ -279,8 +279,19 @@ func (checker ServiceAccountSubjectChecker) Allowed(subject kapi.ObjectReference`
`279`	`279`	`return false, nil`
`280`	`280`	`}`
`281`	`281`
	`282`	`+ subjectNamespace := subject.Namespace`
	`283`	`+ if len(subjectNamespace) == 0 {`
	`284`	`+ // If a RoleBinding has a subject that is a ServiceAccount with`
	`285`	`+ // no namespace specified, the namespace will be defaulted to`
	`286`	`+ // that of the RoleBinding. However, admission control plug-ins`
	`287`	`+ // execute before this happens, so in order not to reject such`
	`288`	`+ // subjects erroneously, we copy the logic here of using the`
	`289`	`+ // RoleBinding's namespace if the subject's is empty.`
	`290`	`+ subjectNamespace = ctx.namespace`
	`291`	`+ }`
	`292`	`+`
`282`	`293`	`for _, namespace := range checker.serviceAccountRestriction.Namespaces {`
`283`		`- if subject.Namespace == namespace {`
	`294`	`+ if subjectNamespace == namespace {`
`284`	`295`	`return true, nil`
`285`	`296`	`}`
`286`	`297`	`}`
`@@ -292,7 +303,7 @@ func (checker ServiceAccountSubjectChecker) Allowed(subject kapi.ObjectReference`
`292`	`303`	`}`
`293`	`304`
`294`	`305`	`if subject.Name == serviceAccountRef.Name &&`
`295`		`- subject.Namespace == serviceAccountNamespace {`
	`306`	`+ subjectNamespace == serviceAccountNamespace {`
`296`	`307`	`return true, nil`
`297`	`308`	`}`
`298`	`309`	`}`