app,rewrite: remove non-resource attrs

Author: ibihim

cmd/kube-rbac-proxy/app/kube-rbac-proxy.go

@@ -297,8 +297,6 @@ func setupAuthorizer(krbInfo *server.KubeRBACProxyInfo, delegatedAuthz *serverco
 		attrsGenerator = rewrite.NewTemplatedResourceAttributesGenerator(
 			krbInfo.Authorization.ResourceAttributes,
 		)
-	default:
-		attrsGenerator = &rewrite.NonResourceAttributesGenerator{}
 	}
 
 	if attrsGenerator != nil {

pkg/authorization/rewrite/attributes.go

@@ -30,24 +30,6 @@ type AttributesGenerator interface {
 	Generate(context.Context, authorizer.Attributes) []authorizer.Attributes
 }
 
-// NonResourceAttributesGenerator reduces a given attribute to user and http based
-// attributes.
-type NonResourceAttributesGenerator struct{}
-
-var _ AttributesGenerator = &NonResourceAttributesGenerator{}
-
-// Generate reduces the original attributes to user and http based attributes.
-func (d *NonResourceAttributesGenerator) Generate(ctx context.Context, attr authorizer.Attributes) []authorizer.Attributes {
-	return []authorizer.Attributes{
-		authorizer.AttributesRecord{
-			User:            attr.GetUser(),
-			Verb:            attr.GetVerb(),
-			ResourceRequest: false,
-			Path:            attr.GetPath(),
-		},
-	}
-}
-
 // ResourceAttributesGenerator uses the given attributes' user, http verb and
 // verifies its authorization against a static kubernetes resource. The
 // authorization is bound to that given kubernetes resource.

pkg/authorization/rewrite/attributes_test.go

@@ -25,142 +25,6 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
 
-func TestDefaultAttributesGenerator(t *testing.T) {
-	generator := &rewrite.NonResourceAttributesGenerator{}
-	testCases := []struct {
-		name       string
-		attributes authorizer.AttributesRecord
-		expected   authorizer.AttributesRecord
-	}{
-		{
-			name: "basic HTTP attributes",
-			attributes: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 0"},
-				Verb:            "post",
-				Namespace:       "",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/users",
-			},
-			expected: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 0"},
-				Verb:            "post",
-				Namespace:       "",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/users",
-			},
-		},
-		{
-			name: "basic attributes",
-			attributes: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 1"},
-				Verb:            "get",
-				Namespace:       "default",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "pods",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/namespaces/default/pods",
-			},
-			expected: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 1"},
-				Verb:            "get",
-				Namespace:       "",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/namespaces/default/pods",
-			},
-		},
-		{
-			name: "attributes with subresource",
-			attributes: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 2"},
-				Verb:            "update",
-				Namespace:       "default",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "pods",
-				Subresource:     "status",
-				Name:            "pod1",
-				ResourceRequest: false,
-				Path:            "/api/v1/namespaces/default/pods/pod1/status",
-			},
-			expected: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 2"},
-				Verb:            "update",
-				Namespace:       "",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/namespaces/default/pods/pod1/status",
-			},
-		},
-		{
-			name: "resource request attributes",
-			attributes: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 3"},
-				Verb:            "get",
-				Namespace:       "default",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "pods",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: true,
-				Path:            "/api/v1/namespaces/default/pods",
-			},
-			expected: authorizer.AttributesRecord{
-				User:            &user.DefaultInfo{Name: "test user 3"},
-				Verb:            "get",
-				Namespace:       "",
-				APIGroup:        "",
-				APIVersion:      "",
-				Resource:        "",
-				Subresource:     "",
-				Name:            "",
-				ResourceRequest: false,
-				Path:            "/api/v1/namespaces/default/pods",
-			},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			generatedAttributes := generator.Generate(context.Background(), tc.attributes)
-
-			if len(generatedAttributes) != 1 {
-				t.Errorf("Expected 1 generated attribute, but got %d", len(generatedAttributes))
-			}
-
-			generatedRecord := generatedAttributes[0]
-			if !reflect.DeepEqual(generatedRecord, tc.expected) {
-				t.Errorf(
-					"Generated attribute does not match expected attribute.\nHave: %+v,\nWant: %+v",
-					generatedRecord, tc.expected,
-				)
-			}
-		})
-	}
-}
-
 func TestBoundAttributesGenerator(t *testing.T) {
 	boundResource := &rewrite.ResourceAttributes{
 		Namespace:  "kube-system",