From a2a6f9a6d88e500ca0c1ebd307089fbbf0c9f6a4 Mon Sep 17 00:00:00 2001
From: Ryan McKinley
Date: Mon, 13 Nov 2023 12:51:41 -0800
Subject: [PATCH] K8s: Update comments and structure to help a security review (#77881)

---
 .../auth/authorizer/provider.go | 3 +++
 pkg/services/grafana-apiserver/service.go | 27 ++++++++-----------
 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/pkg/services/grafana-apiserver/auth/authorizer/provider.go b/pkg/services/grafana-apiserver/auth/authorizer/provider.go
index c658252bb41..a330028f750 100644
--- a/pkg/services/grafana-apiserver/auth/authorizer/provider.go
+++ b/pkg/services/grafana-apiserver/auth/authorizer/provider.go
@@ -18,6 +18,9 @@ func ProvideAuthorizer(
 	cfg *setting.Cfg,
 ) authorizer.Authorizer {
 	authorizers := []authorizer.Authorizer{
+		// This will allow privileged uses to do anything.
+		// In development mode, a privileged user is configured and saved into:
+		// ${data}/grafana-apiserver/grafana.kubeconfig
 		authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup),
 	}

diff --git a/pkg/services/grafana-apiserver/service.go b/pkg/services/grafana-apiserver/service.go
index 349fd2c87b3..9b06fff2230 100644
--- a/pkg/services/grafana-apiserver/service.go
+++ b/pkg/services/grafana-apiserver/service.go
@@ -233,12 +233,10 @@ func (s *service) start(ctx context.Context) error {
 		if err := o.Authentication.ApplyTo(&serverConfig.Authentication, serverConfig.SecureServing, serverConfig.OpenAPIConfig); err != nil {
 			return err
 		}
-	}
-
-	// override ExternalAddress and LoopbackClientConfig in prod mode.
-	// in dev mode we want to use the loopback client config
-	// and address provided by SecureServingOptions.
-	if !s.config.devMode {
+	} else {
+		// In production mode, override ExternalAddress and LoopbackClientConfig.
+		// In dev mode we want to use the loopback client config
+		// and address provided by SecureServingOptions.
 		serverConfig.ExternalAddress = s.config.host
 		serverConfig.LoopbackClientConfig = &clientrest.Config{
 			Host: s.config.apiURL,
@@ -315,23 +313,20 @@ func (s *service) start(ctx context.Context) error {
 		}
 	}

-	s.restConfig = server.LoopbackClientConfig
-
-	// only write kubeconfig in dev mode
-	if s.config.devMode {
-		if err := s.ensureKubeConfig(); err != nil {
-			return err
-		}
-	}
-
 	// Used by the proxy wrapper registered in ProvideService
 	s.handler = server.Handler
+	s.restConfig = server.LoopbackClientConfig

-	// skip starting the server in prod mode
+	// When running in production, do not start a standalone https server
 	if !s.config.devMode {
 		return nil
 	}

+	// only write kubeconfig in dev mode
+	if err := s.ensureKubeConfig(); err != nil {
+		return err
+	}
+
 	prepared := server.PrepareRun()
 	go func() {
 		s.stoppedCh <- prepared.Run(s.stopCh)
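Review bot: The new comment under-describes the reach of the check it annotates: `authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup)` is placed in the `authorizers` slice unconditionally, so it is present (and, as the first element, presumably consulted first) in production as well as in the development setup the comment mentions, and any authenticated identity whose groups include that group (`system:masters` in k8s.io/apiserver) is allowed without the remaining authorizers being consulted; the comment also has a typo ("uses"). I would replace the three added lines with `// Any authenticated user whose groups include SystemPrivilegedGroup is allowed to do anything. This authorizer is always registered, not only in dev mode, so the authenticator must never assign that group to an untrusted identity.` followed by `// In development mode such a privileged user is configured and saved into ${data}/grafana-apiserver/grafana.kubeconfig.` ProvideAuthorizer's body continues outside the hunk, so whether devMode or the later authorizers gate this elsewhere is not visible here.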
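Review bot: The moved `// only write kubeconfig in dev mode` comment should say why its placement matters, because after this change the dev-only guarantee rests solely on the `if !s.config.devMode { return nil }` early return a few lines above rather than on a condition around the call: `// Dev mode only (production returned above): ensureKubeConfig writes ${data}/grafana-apiserver/grafana.kubeconfig; keep this below that early return so the file is never written for a production server.` The provider.go hunk in this same commit describes that file as where the privileged user is saved, so it is worth confirming that ensureKubeConfig, which is defined outside this hunk, creates it with owner-only permissions — that cannot be seen here. As far as the hunk shows the reordering is behavior-preserving: `s.restConfig` is still assigned before the early return and the kubeconfig is still written only on the dev path, now after `s.handler` is set. `start` continues past the end of the hunk.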