From ed6c93e65d20b4f3f4efb74d771e407ae5b0d5d7 Mon Sep 17 00:00:00 2001
From: Karol Szwaj
Date: Thu, 30 Jan 2025 15:40:01 +0100
Subject: [PATCH] Add the authorization-steps flag in the authorizer

Signed-off-by: Karol Szwaj
On-behalf-of: @SAP karol.szwaj@sap.com
---
 pkg/server/options/authorization.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/server/options/authorization.go b/pkg/server/options/authorization.go
index 8a4f76aa42a..7006bed2cea 100644
--- a/pkg/server/options/authorization.go
+++ b/pkg/server/options/authorization.go
@@ -48,6 +48,10 @@ type Authorization struct {
 // Webhook contains flags to enable an external HTTPS webhook to perform
 // authorization against. Note that not all built-in options are supported by kcp.
 Webhook *kubeoptions.BuiltInAuthorizationOptions
+
+ // AuthorizationSteps are the order of authorizers that allows to rearrange the order.
+ // The default are four authorizers in a union: AlwaysAllowPaths, AlwaysAllowGroups, RBAC and Webhook.
+ AuthorizationSteps []string
 }

 func NewAuthorization() *Authorization {
@@ -113,6 +117,10 @@ func (s *Authorization) AddFlags(fs *pflag.FlagSet) {
 "A list of HTTP paths to skip during authorization, i.e. these are authorized without "+
 "contacting the 'core' kubernetes server.")

+ fs.StringSliceVar(&s.AuthorizationSteps, "authorization-steps", s.AuthorizationSteps,
+ "A list of authorizers that should be enabled, allowing administrator rearrange the default order."+
+ " The default order is: AlwaysAllowPaths,AlwaysAllowGroups,RBAC,Webhook")
+
 // Only surface selected, webhook-related CLI flags

 fs.StringVar(&s.Webhook.WebhookConfigFile, "authorization-webhook-config-file", s.Webhook.WebhookConfigFile,
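Review bot: The doc comment on `AuthorizationSteps` does not tell a reader which names are accepted or what leaving one out means, and for a field that decides which authorizers run, and in what order, that is the part an operator needs. I would word it as `// AuthorizationSteps lists the authorizers to run, in evaluation order.` followed by `// Accepted names: AlwaysAllowPaths, AlwaysAllowGroups, RBAC, Webhook.` and one more line stating whether an authorizer missing from the list is skipped; the flag help in the second hunk ("should be enabled") suggests it is, but the code that builds the union is not in this patch. The hunk also does not show `NewAuthorization` setting a default value, so the default the comment describes cannot be confirmed from here. The struct starts above the hunk.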
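Review bot: The new `--authorization-steps` value is registered in `AddFlags` with no visible check on its contents, so a misspelled, duplicated or omitted name could drop RBAC or the webhook from the chain without any error at startup. Unless the options' validation (not part of this patch) already covers it, reject unknown and repeated names before the server starts, decide explicitly whether an empty list means the default order, and log the effective order so it can be audited. The names in the sketch below are taken from the help text; whether matching should be case-sensitive is for the author to confirm. The help string itself would read better as `"A list of authorizers that should be enabled, allowing an administrator to rearrange the default order."+`. `AddFlags` begins and ends outside the hunk.

```go
// … in the options' validation path, outside this hunk …
known := map[string]bool{"AlwaysAllowPaths": true, "AlwaysAllowGroups": true, "RBAC": true, "Webhook": true}
seen := make(map[string]bool, len(s.AuthorizationSteps))
for _, step := range s.AuthorizationSteps {
	switch {
	case !known[step]:
		return fmt.Errorf("--authorization-steps: unknown authorizer %q", step)
	case seen[step]:
		return fmt.Errorf("--authorization-steps: authorizer %q listed twice", step)
	}
	seen[step] = true
}
```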