feat: k8s api 鉴权支持放开共享集群特定集群域资源的权限 (#3824)

LidolLxf · web-flow · commit f7d26dacac3b · 2026-01-20T14:27:42.000+08:00
* feat: k8s api 鉴权支持放开共享集群特定集群域资源的权限

* feat: golangci-lint 修复
diff --git a/bcs-services/bcs-cluster-manager/internal/actions/nodegroup/list.go b/bcs-services/bcs-cluster-manager/internal/actions/nodegroup/list.go
@@ -15,11 +15,11 @@ package nodegroup
 import (
 	"context"
 	"fmt"
-	v1 "k8s.io/api/core/v1"
 	"sort"
 
 	"github.com/Tencent/bk-bcs/bcs-common/common/blog"
 	"github.com/Tencent/bk-bcs/bcs-common/pkg/odm/operator"
+	v1 "k8s.io/api/core/v1"
 
 	cmproto "github.com/Tencent/bk-bcs/bcs-services/bcs-cluster-manager/api/clustermanager"
 	"github.com/Tencent/bk-bcs/bcs-services/bcs-cluster-manager/internal/actions"
@@ -200,6 +200,7 @@ func (la *ListAction) listOpt() *storeopt.ListOption {
 }
 
 const (
+	// nolint:unused
 	nodegroupListDefaultLimit = 100
 )
 
diff --git a/bcs-services/bcs-user-manager/app/app.go b/bcs-services/bcs-user-manager/app/app.go
@@ -106,6 +106,7 @@ func parseConfig(op *options.UserManagerOptions) (*config.UserMgrConfig, error)
 	userMgrConfig.BcsAPI = &op.BcsAPI
 	userMgrConfig.Encrypt = op.Encrypt
 	userMgrConfig.Activity = op.Activity
+	userMgrConfig.SharedCluster = op.SharedCluster
 	userMgrConfig.EnableTokenSync = op.EnableTokenSync
 	userMgrConfig.SlowSQLLatency = op.SlowSQLLatency
 
diff --git a/bcs-services/bcs-user-manager/app/user-manager/v1http/permission/verify.go b/bcs-services/bcs-user-manager/app/user-manager/v1http/permission/verify.go
@@ -32,6 +32,7 @@ import (
 	"github.com/Tencent/bk-bcs/bcs-services/bcs-user-manager/app/pkg/utils"
 	"github.com/Tencent/bk-bcs/bcs-services/bcs-user-manager/app/user-manager/models"
 	"github.com/Tencent/bk-bcs/bcs-services/bcs-user-manager/app/user-manager/storages/sqlstore"
+	"github.com/Tencent/bk-bcs/bcs-services/bcs-user-manager/config"
 )
 
 var (
@@ -533,6 +534,10 @@ func (cli *PermVerifyClient) verifyUserClusterScopedPermission(ctx context.Conte
 	actionID := ""
 	clusterType := returnClusterType(resource)
 	if clusterType == Shared {
+		// 共享集群特定资源跳过权限校验
+		if skipSpecificResources(action, resource) {
+			return true, nil
+		}
 		return false, fmt.Errorf("shared cluster[%s] not support %s permission", resource.ClusterID, clusterScopedType)
 	}
 
@@ -586,6 +591,20 @@ func (cli *PermVerifyClient) verifyUserClusterScopedPermission(ctx context.Conte
 	return allow, nil
 }
 
+// skipSpecificResources check if the resource is in the skip list
+func skipSpecificResources(action string, resource ClusterResource) bool {
+	// 仅支持查看权限跳过
+	if action != http.MethodGet {
+		return false
+	}
+	for _, skipRes := range config.GetGlobalConfig().SharedCluster.SkipResources {
+		if skipRes == resource.ResourceType {
+			return true
+		}
+	}
+	return false
+}
+
 // getK8sRequestAPIInfo
 func getK8sRequestAPIInfo(method, url string) (*parser.RequestInfo, error) {
 	resolver := parser.NewRequestInfoResolver()
diff --git a/bcs-services/bcs-user-manager/config/config.go b/bcs-services/bcs-user-manager/config/config.go
@@ -119,6 +119,8 @@ type UserMgrConfig struct {
 
 	// 操作记录清理
 	Activity options.Activity
+	// 共享集群权限配置
+	SharedCluster options.SharedCluster
 }
 
 var (
diff --git a/bcs-services/bcs-user-manager/options/options.go b/bcs-services/bcs-user-manager/options/options.go
@@ -46,14 +46,15 @@ type UserManagerOptions struct {
 	// token notify feature
 	TokenNotify TokenNotifyOptions `json:"token_notify"`
 
-	IAMConfig        IAMConfig   `json:"iam_config"`
-	PermissionSwitch bool        `json:"permission_switch"`
-	Cmdb             CmdbConfig  `json:"cmdb"`
-	CommunityEdition bool        `json:"community_edition"`
-	TracingConf      TracingConf `json:"tracing_conf"`
-	BcsAPI           BcsAPI      `json:"bcs_api"`
-	Encrypt          Encrypt     `json:"encrypt" yaml:"encrypt"`
-	Activity         Activity    `json:"activity" yaml:"activity"`
+	IAMConfig        IAMConfig     `json:"iam_config"`
+	PermissionSwitch bool          `json:"permission_switch"`
+	Cmdb             CmdbConfig    `json:"cmdb"`
+	CommunityEdition bool          `json:"community_edition"`
+	TracingConf      TracingConf   `json:"tracing_conf"`
+	BcsAPI           BcsAPI        `json:"bcs_api"`
+	Encrypt          Encrypt       `json:"encrypt" yaml:"encrypt"`
+	Activity         Activity      `json:"activity" yaml:"activity"`
+	SharedCluster    SharedCluster `json:"shared_cluster" yaml:"shared_cluster"`
 }
 
 // TracingConf tracing config
@@ -176,3 +177,8 @@ type RedisConfig struct {
 	MinIdleConns int    `json:"min_idle_conns" usage:"Redis min connect" mapstructure:"min_idle_conns" yaml:"min_idle_conns"`
 	IdleTimeout  int    `json:"idle_timeout" usage:"Redis idle timeout" mapstructure:"idle_timeout" yaml:"idle_timeout"`
 }
+
+// SharedCluster 共享集群配置
+type SharedCluster struct {
+	SkipResources []string `json:"skip_resources" yaml:"skip_resources"`
+}

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,8 @@ type UserMgrConfig struct {`
`119`	`119`
`120`	`120`	`// 操作记录清理`
`121`	`121`	`Activity options.Activity`
	`122`	`+ // 共享集群权限配置`
	`123`	`+ SharedCluster options.SharedCluster`
`122`	`124`	`}`
`123`	`125`
`124`	`126`	`var (`