Merge pull request #53 from yue9944882/feat/disable-authz-configurable

k8s-ci-robot · web-flow · commit 7b73a9e83c77 · 2021-09-12T22:26:06.000-07:00
Feat: Make authz configurable via `--enable-authorization`
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go 1.x
       uses: actions/setup-go@v2
       with:
-        go-version: ^1.16
+        go-version: 1.16.6
       id: go
 
     - run: go get github.com/golangci/golangci-lint/cmd/golangci-lint
diff --git a/pkg/builder/builder_auth.go b/pkg/builder/builder_auth.go
@@ -6,12 +6,25 @@ import (
 	"sigs.k8s.io/apiserver-runtime/internal/sample-apiserver/pkg/cmd/server"
 )
 
+var enableAuthorization bool
+
 // DisableAuthorization disables delegated authentication and authorization
 func (a *Server) DisableAuthorization() *Server {
 	server.ServerOptionsFns = append(server.ServerOptionsFns, func(o *ServerOptions) *ServerOptions {
-		o.RecommendedOptions.Authorization = nil
+		if !enableAuthorization {
+			o.RecommendedOptions.Authorization = nil
+		}
 		return o
 	})
+	server.FlagsFns = append(server.FlagsFns, func(fs *pflag.FlagSet) *pflag.FlagSet {
+		fs.BoolVar(&enableAuthorization, "enable-authorization", false,
+			"Enabling authorization will check if the incoming authenticated requests "+
+				"have sufficient permission for the requesting target. Deploying the apiserver "+
+				"inside a kubernetes cluster will delegate the authorization to the hosting "+
+				"kube-apiserver, otherwise specify `--authorization-kubeconfig` to explicitly "+
+				"set a kube-apiserver to talk to.")
+		return fs
+	})
 	return a
 }
 
