added uid to the response
dtandersen committed Jul 20, 2023
1 parent 4546901 commit 96d1611
Showing 2 changed files with 41 additions and 22 deletions.
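--- a/src/dsmlp/app/validator.py
+++ b/src/dsmlp/app/validator.py
@@ -46,6 +46,7 @@ class Object:
 @dataclass_json
 @dataclass
 class Request:
+uid: str
 namespace: str
 object: Object
 
@@ -67,22 +68,25 @@ def __init__(self, awsed: AwsedClient, kube: KubeClient, logger: Logger) -> None
 self.kube = kube
 self.logger = logger
 
-def validate_request(self, request):
-self.logger.debug("request=" + json.dumps(request, indent=2))
-review: AdmissionReview = AdmissionReview.from_dict(request)
+def validate_request(self, request_json):
+self.logger.debug("request=" + json.dumps(request_json, indent=2))
+review: AdmissionReview = AdmissionReview.from_dict(request_json)
+request: Request = review.request
+request_uid = request.uid
 namespace_name = review.request.namespace
 username = namespace_name
 self.logger.info(f"Validating request namespace={namespace_name}")
 
 try:
 namespace = self.kube.get_namespace(namespace_name)
 except UnsuccessfulRequest:
-return self.admission_response(False, f"Denied request username={username} namespace={namespace_name}")
+return self.admission_response(
+request_uid, False, f"Denied request username={username} namespace={namespace_name}")
 
 labels = namespace.labels
 if not 'k8s-sync' in labels:
 self.logger.info(f"Allowed namespace={namespace_name}")
-return self.admission_response(True, "Allowed")
+return self.admission_response(request_uid, True, "Allowed")
 
 user = self.awsed.describe_user(username)
 user_uid = user.uid
@@ -94,7 +98,7 @@ def validate_request(self, request):
 if user_uid != uid:
 self.logger.info(
 f"Denied request username={username} namespace={namespace_name} uid={user_uid} spec.securityContext.runAsUser={uid}")
-return self.admission_response(False, f"{username} is not allowed to use uid {uid}")
+return self.admission_response(request_uid, False, f"{username} is not allowed to use uid {uid}")
 
 container_uids = [container.securityContext.runAsUser for container in spec.containers
 if container.securityContext is not None and container.securityContext.runAsUser is not None]
@@ -103,9 +107,15 @@ def validate_request(self, request):
 if user_uid != uid:
 self.logger.info(
 "Denied request username=user2 namespace=user2 uid=2 spec.containers[0].securityContext.runAsUser=3")
-return self.admission_response(False, f"{username} is not allowed to use uid {uid}")
-
-return self.admission_response(True, "Allowed")
-
-def admission_response(self, allowed, message):
-return {"response": {"allowed": allowed, "status": {"message": message}}}
+return self.admission_response(request_uid, False, f"{username} is not allowed to use uid {uid}")
+
+return self.admission_response(request_uid, True, "Allowed")
+
+def admission_response(self, uid, allowed, message):
+return {
+"response": {
+"uid": uid,
+"allowed": allowed,
+"status": {"message": message}
+}
+}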
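Review bot: `admission_response` now echoes `request.uid`, which the AdmissionReview response needs, but if this webhook is served under `admission.k8s.io/v1` the API server also requires `apiVersion` and `kind` at the top level of the response body, so the returned dict should additionally carry `"apiVersion": "admission.k8s.io/v1",` and `"kind": "AdmissionReview",` beside `"response"`. The renamed `validate_request` still logs the entire review at debug level via `json.dumps(request_json, indent=2)`, which for a Pod object is the full spec; logging only `request_uid` and `namespace_name` there would avoid persisting whatever the submitted spec carries. The unchanged context line in the last hunk logs a fixed literal (`username=user2 ... runAsUser=3`) rather than the f-string used for the pod-level check above it, so container-level denials are never recorded with the real username, namespace or uids. `validate_request` begins in the second hunk and spans the third and fourth; whether the file continues after `admission_response` is not visible here.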
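--- a/tests/app/test_validator.py
+++ b/tests/app/test_validator.py
@@ -25,6 +25,7 @@ def test_pod_security_context(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "user1",
 "object": {
 "spec": {
@@ -38,7 +39,8 @@ def test_pod_security_context(self):
 }
 )
 
-assert_that(response, equal_to({"response": {"allowed": True, "status": {"message": "Allowed"}}}))
+assert_that(response, equal_to(
+{"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002", "allowed": True, "status": {"message": "Allowed"}}}))
 assert_that(self.logger.messages, has_item("INFO Validating request namespace=user1"))
 
 def test_security_context(self):
@@ -48,6 +50,7 @@ def test_security_context(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "user1",
 "object": {
 "spec": {
@@ -67,7 +70,8 @@ def test_security_context(self):
 }
 )
 
-assert_that(response, equal_to({"response": {"allowed": True, "status": {"message": "Allowed"}}}))
+assert_that(response, equal_to(
+{"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002", "allowed": True, "status": {"message": "Allowed"}}}))
 assert_that(self.logger.messages, has_item("INFO Validating request namespace=user1"))
 
 def test_deny_security_context(self):
@@ -77,6 +81,7 @@ def test_deny_security_context(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "user2",
 "object": {
 "spec": {
@@ -87,8 +92,8 @@ def test_deny_security_context(self):
 }}
 )
 
-assert_that(response, equal_to({"response": {"allowed": False, "status": {
-"message": "user2 is not allowed to use uid 3"}}}))
+assert_that(response, equal_to({"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
+"allowed": False, "status": {"message": "user2 is not allowed to use uid 3"}}}))
 assert_that(self.logger.messages, has_item(
 "INFO Denied request username=user2 namespace=user2 uid=2 spec.securityContext.runAsUser=3"))
 
@@ -99,6 +104,7 @@ def test_deny_unknown_user(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "user2",
 "object": {
 "spec": {
@@ -109,8 +115,9 @@ def test_deny_unknown_user(self):
 }}
 )
 
-assert_that(response, equal_to({"response": {"allowed": False, "status": {
-"message": "Denied request username=user2 namespace=user2"}}}))
+assert_that(response, equal_to({"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
+"allowed": False, "status": {
+"message": "Denied request username=user2 namespace=user2"}}}))
 # assert_that(self.logger.messages, has_item(
 # "INFO Denied request username=user2 namespace=user2"))
 
@@ -121,6 +128,7 @@ def test_deny_pod_security_context(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "user2",
 "object": {
 "kind": "Pod",
@@ -136,8 +144,8 @@ def test_deny_pod_security_context(self):
 }}
 )
 
-assert_that(response, equal_to({"response": {"allowed": False, "status": {
-"message": "user2 is not allowed to use uid 3"}}}))
+assert_that(response, equal_to({"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
+"allowed": False, "status": {"message": "user2 is not allowed to use uid 3"}}}))
 assert_that(self.logger.messages, has_item(equal_to(
 "INFO Denied request username=user2 namespace=user2 uid=2 spec.containers[0].securityContext.runAsUser=3")))
 
@@ -147,6 +155,7 @@ def test_unlabelled_namespace_can_use_any_uid(self):
 response = self.when_validate(
 {
 "request": {
+"uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
 "namespace": "kube-system",
 "object": {
 # "kind": "Pod",
@@ -163,8 +172,8 @@ def test_unlabelled_namespace_can_use_any_uid(self):
 }
 )
 
-assert_that(response, equal_to({"response": {"allowed": True, "status": {
-"message": "Allowed"}}}))
+assert_that(response, equal_to(
+{"response": {"uid": "705ab4f5-6393-11e8-b7cc-42010a800002", "allowed": True, "status": {"message": "Allowed"}}}))
 assert_that(self.logger.messages, has_item(
 "INFO Allowed namespace=kube-system"))
 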
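Review bot: The same uid literal `"705ab4f5-6393-11e8-b7cc-42010a800002"` is repeated in all twelve changed spots; a module-level `REQUEST_UID = "705ab4f5-6393-11e8-b7cc-42010a800002"` used in both the request fixture and the expected response would make the request-to-response round trip under test explicit and keep the wrapped assertions short. The log assertion at the end of `test_deny_pod_security_context` matches a line the validator emits as a fixed literal for every container-level denial (visible in the unchanged context of validator.py's last hunk), so it passes without checking that the logged username, namespace or uids are the real ones; only the `response` message there actually depends on the inputs. No test sends a review without `uid`, so the behaviour of `Request.from_dict` when the new required field is absent is not covered here. Each test body starts before its first hunk.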