Add flag to always allow usernames

This will allow the kube-request-access to allow certain users by their username, instead of only the groups they're part of. Since a prefix can be added to the username, it has to be removed before doing any check.
spreadshirt · Jun 27, 2023 · bdf92e6 · bdf92e6
1 parent f21c143
commit bdf92e6
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/kube-request-access.go b/kube-request-access.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"strings"
 	"time"
 
 	"github.com/gorilla/handlers"
@@ -61,6 +62,7 @@ type admissionConfig struct {
 
 	grantedRoleName         string
 	alwaysAllowedGroupNames []string
+	alwaysAllowedUserNames  []string
 	usernamePrefix          string
 
 	auditWebhookURL      string
@@ -88,6 +90,7 @@ func main() {
 
 	cmd.Flags().StringVar(&cfg.grantedRoleName, "granted-role-name", "", "Name of the role that is given to a user temporarily when a request is granted")
 	cmd.Flags().StringSliceVar(&cfg.alwaysAllowedGroupNames, "always-allowed-group-name", nil, "Name of a group whose members will be allowed to execute commands without a request and grant")
+	cmd.Flags().StringSliceVar(&cfg.alwaysAllowedUserNames, "always-allowed-user-name", nil, "User name of a user who will be allowed to execute commands without a request and grant")
 	cmd.Flags().StringVar(&cfg.usernamePrefix, "username-prefix", "", "Prefix for usernames to use when verifying and granting access (optional)")
 
 	cmd.Flags().StringVar(&cfg.auditWebhookURL, "audit-webhook-url", "", "URL of the audit webhook to be used")
@@ -133,6 +136,13 @@ type admissionHandler struct {
 	// with stdin or tty set for interactive commands.
 	AlwaysAllowedGroupNames map[string]bool
 
+	// AlwaysAllowedUserNames can be set to always allow users with a given
+	// user name.  They won't need to request or grant and will always be allowed.
+	//
+	// Additionally they won't have the regular restrictions applied, like exec
+	// with stdin or tty set for interactive commands.
+	AlwaysAllowedUserNames map[string]bool
+
 	// UsernamePrefix can be set to work with systems that add a prefix to the
 	// usernames in Kubernetes.
 	UsernamePrefix string
@@ -205,6 +215,13 @@ func (cfg *admissionConfig) run(_ *cobra.Command, _ []string) error {
 		}
 	}
 
+	if len(cfg.alwaysAllowedUserNames) > 0 {
+		handler.AlwaysAllowedUserNames = make(map[string]bool, len(cfg.alwaysAllowedUserNames))
+		for _, alwaysAllowedUser := range cfg.alwaysAllowedUserNames {
+			handler.AlwaysAllowedUserNames[alwaysAllowedUser] = true
+		}
+	}
+
 	router := mux.NewRouter()
 	router.HandleFunc("/ready", func(w http.ResponseWriter, req *http.Request) {
 		w.Write([]byte("ok"))
@@ -736,7 +753,7 @@ func (ah *admissionHandler) handleReview(ctx context.Context, admissionReview *a
 }
 
 func (ah *admissionHandler) isAlwaysAllowed(userInfo authenticationv1.UserInfo) bool {
-	if len(ah.AlwaysAllowedGroupNames) < 1 {
+	if len(ah.AlwaysAllowedGroupNames) < 1 && len(ah.AlwaysAllowedUserNames) < 1 {
 		return false
 	}
 
@@ -746,5 +763,14 @@ func (ah *admissionHandler) isAlwaysAllowed(userInfo authenticationv1.UserInfo)
 		}
 	}
 
+	username := userInfo.Username
+	if ah.UsernamePrefix != "" {
+		// if the usernamePrefix is set, let's remove it
+		username = strings.Replace(username, ah.UsernamePrefix, "", 1)
+	}
+	if _, found := ah.AlwaysAllowedUserNames[username]; found {
+		return true
+	}
+
 	return false
 }