IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

K8s: Update comments and structure to help a security review (#77881)

Browse Source
This commit is contained in:
Ryan McKinley
2023-11-13 12:51:41 -08:00
committed by GitHub
parent dec9a07738
commit a2a6f9a6d8
2 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/services/grafana-apiserver/auth/authorizer/provider.go
View File

@@ -18,6 +18,9 @@ func ProvideAuthorizer(
cfg *setting.Cfg,
) authorizer.Authorizer {
authorizers := []authorizer.Authorizer{
// This will allow privileged uses to do anything.
// In development mode, a privileged user is configured and saved into:
// ${data}/grafana-apiserver/grafana.kubeconfig
authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup),
}

27
pkg/services/grafana-apiserver/service.go
View File

@@ -233,12 +233,10 @@ func (s *service) start(ctx context.Context) error {
if err := o.Authentication.ApplyTo(&serverConfig.Authentication, serverConfig.SecureServing, serverConfig.OpenAPIConfig); err != nil {
return err
}
}
// override ExternalAddress and LoopbackClientConfig in prod mode.
// in dev mode we want to use the loopback client config
// and address provided by SecureServingOptions.
if !s.config.devMode {
} else {
// In production mode, override ExternalAddress and LoopbackClientConfig.
// In dev mode we want to use the loopback client config
// and address provided by SecureServingOptions.
serverConfig.ExternalAddress = s.config.host
serverConfig.LoopbackClientConfig = &clientrest.Config{
Host: s.config.apiURL,
@@ -315,23 +313,20 @@ func (s *service) start(ctx context.Context) error {
}
}
s.restConfig = server.LoopbackClientConfig
// only write kubeconfig in dev mode
if s.config.devMode {
if err := s.ensureKubeConfig(); err != nil {
return err
}
}
// Used by the proxy wrapper registered in ProvideService
s.handler = server.Handler
s.restConfig = server.LoopbackClientConfig
// skip starting the server in prod mode
// When running in production, do not start a standalone https server
if !s.config.devMode {
return nil
}
// only write kubeconfig in dev mode
if err := s.ensureKubeConfig(); err != nil {
return err
}
prepared := server.PrepareRun()
go func() {
s.stoppedCh <- prepared.Run(s.stopCh)