diff --git a/cmd/authz/authorization.go b/cmd/authz/authorization.go
index 58a97c482..32dcc7e1c 100644
--- a/cmd/authz/authorization.go
+++ b/cmd/authz/authorization.go
@@ -44,7 +44,7 @@ func handleAuthorize(w http.ResponseWriter, r *http.Request, c client.Client, ma
 attrs := review.Spec.ResourceAttributes
 if attrs == nil || attrs.Name == "" {
 recordDenied("", "", reasonMissingAttributes, nil)
- respond(w, review, false, "missing resource attributes")
+ respond(w, review, false, "missing resource name in request")
 return
 }
diff --git a/cmd/authz/authorization_test.go b/cmd/authz/authorization_test.go
index b168e8d65..6b698b018 100644
--- a/cmd/authz/authorization_test.go
+++ b/cmd/authz/authorization_test.go
@@ -64,7 +64,7 @@ var _ = Describe("handleAuthorize", func() {
 })
 Context("request validation", func() {
- It("should deny requests with missing resource attributes", func() {
+ It("should deny requests with missing resource attributes or resource name", func() {
 h := makeHandler(nil)
 review := authv1.SubjectAccessReview{
 Spec: authv1.SubjectAccessReviewSpec{
@@ -75,7 +75,7 @@ var _ = Describe("handleAuthorize", func() {
 }
 resp := postReview(h, review)
 Expect(resp.Status.Allowed).To(BeFalse(), "requests without resource attributes should be denied")
- Expect(resp.Status.Reason).To(ContainSubstring("missing resource attributes"), "denial reason should mention missing attributes")
+ Expect(resp.Status.Reason).To(ContainSubstring("missing resource name in request"), "denial reason should mention missing attributes")
 })
 })
diff --git a/dev-env/webhook/structured-authz-insecure.yaml b/dev-env/webhook/structured-authz-insecure.yaml
index f84a43d35..506153a76 100644
--- a/dev-env/webhook/structured-authz-insecure.yaml
+++ b/dev-env/webhook/structured-authz-insecure.yaml
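Review bot: The new message reports a missing resource name even when `attrs == nil`, which the condition on the line above still catches, so a request with no ResourceAttributes at all now receives a misleading denial reason while the metric/log path still records `reasonMissingAttributes`. The two cases are distinguishable at this point, so consider splitting them so the client-visible reason and the recorded reason agree: `if attrs == nil { recordDenied("", "", reasonMissingAttributes, nil); respond(w, review, false, "missing resource attributes"); return }` followed by the existing name check carrying the new message. handleAuthorize continues outside the hunk.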
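Review bot: The test title now promises two cases, missing attributes and missing name, but the block visible here builds a single SubjectAccessReview (its Spec body lies outside the hunk), so presumably only one branch of `attrs == nil || attrs.Name == ""` is exercised. Either add a second It that sends ResourceAttributes with an empty Name, which is the case this commit's message change is about, or keep the title specific to the request actually sent.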
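Review bot: The assertion's failure description `"denial reason should mention missing attributes"` is stale now that the substring asserted is `"missing resource name in request"`; update it alongside, e.g. `"denial reason should mention the missing resource name"`. The preceding Allowed assertion's description still speaks of requests without resource attributes, which is accurate only if the review sent has ResourceAttributes unset rather than an empty Name.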
@@ -33,6 +33,7 @@ authorizers:
 - expression: has(request.resourceAttributes) # only resource requests
 - expression: request.resourceAttributes.namespace != ""
 - expression: request.resourceAttributes.group == "greenhouse.sap"
- # Note on verbs: get is needed for kubectl edit, list and watch is needed for kubectl wait triggered after kubectl delete.
- - expression: request.resourceAttributes.verb in ["get","list","watch","update","patch","delete"]
+ # Note on verbs: get is needed for kubectl edit; watch is still needed for kubectl wait triggered after kubectl delete.
+ # List is intentionally not matched here and should be handled via RBAC instead.
+ - expression: request.resourceAttributes.verb in ["get","watch","update","patch","delete"]
\ No newline at end of file
diff --git a/dev-env/webhook/structured-authz-secure.yaml b/dev-env/webhook/structured-authz-secure.yaml
index 9b3e2abf2..a7cf7c856 100644
--- a/dev-env/webhook/structured-authz-secure.yaml
+++ b/dev-env/webhook/structured-authz-secure.yaml
@@ -33,6 +33,7 @@ authorizers:
 - expression: has(request.resourceAttributes) # only resource requests
 - expression: request.resourceAttributes.namespace != ""
 - expression: request.resourceAttributes.group == "greenhouse.sap"
- # Note on verbs: get is needed for kubectl edit, list and watch is needed for kubectl wait triggered after kubectl delete.
- - expression: request.resourceAttributes.verb in ["get","list","watch","update","patch","delete"]
+ # Note on verbs: get is needed for kubectl edit; watch is still needed for kubectl wait triggered after kubectl delete.
+ # List is intentionally not matched here and should be handled via RBAC instead.
+ - expression: request.resourceAttributes.verb in ["get","watch","update","patch","delete"]
\ No newline at end of file
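Review bot: Dropping `list` from the verb match means a namespaced list on greenhouse.sap resources now skips this webhook and is decided by whatever authorizer follows it in this config, which the new comment describes only as "should be handled via RBAC"; the comment should state the fall-through explicitly, since a reader may otherwise assume the webhook still sees and denies those requests. Suggested wording: `# List is intentionally not matched here: list requests skip this webhook and are decided by the next authorizer (RBAC).`. Note that `watch` stays matched although a collection watch carries no resource name, so list and watch are now treated asymmetrically by this config and the comment should say why that is acceptable. The same hunk appears in structured-authz-secure.yaml, and the new last line in both files has no trailing newline.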