cmd/containerboot: check that k8s secret permissions are correct.

Updates #6629.

Signed-off-by: David Anderson <danderson@tailscale.com>
David Anderson
2022-12-06 14:52:22 -08:00
committed by Dave Anderson
parent e79a1eb24a
commit e36c27bcd1
3 changed files with 70 additions and 11 deletions


@ -784,6 +784,12 @@ func (k *kubeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if r.Header.Get("Authorization") != "Bearer bearer_token" {
panic("client didn't provide bearer token in request")
}
if r.URL.Path == "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" {
// Just say yes to all SARs, we don't enforce RBAC.
w.Header().Set("Content-Type", "application/json")
fmt.Fprintln(w, `{"status":{"allowed":true}}`)
return
}
if r.URL.Path != "/api/v1/namespaces/default/secrets/tailscale" {
panic(fmt.Sprintf("unhandled fake kube api path %q", r.URL.Path))
}
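Review bot: The added SelfSubjectAccessReview branch answers `{"status":{"allowed":true}}` unconditionally, without reading the request body or checking `r.Method`. As far as this hunk shows, a test using this fake cannot exercise the case where the pod lacks permission on the secret, and it cannot confirm that the client asks about the intended verb and secret name. Since the commit exists to check secret permissions, consider letting a test pick the answer through a field on `kubeServer` (for example a constructed `denySARs bool`) and decoding the body to assert on the requested resource. If that coverage lives elsewhere, the comment could say so, e.g. `// Always allow; the denied path is not exercised through this fake.` ServeHTTP begins and continues outside this hunk, so handling of other paths and methods is not visible here.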