Kubernetes authentication and RBAC authorization#6
Draft
Conversation
Signed-off-by: chupakobra6 <igorpheik@gmail.com>
… go.sum Signed-off-by: chupakobra6 <igorpheik@gmail.com>
…ective defaults for RPS and Burst parameters Signed-off-by: chupakobra6 <igorpheik@gmail.com>
…fective defaults for RPS and Burst parameters Signed-off-by: chupakobra6 <igorpheik@gmail.com>
…access to "token" only Signed-off-by: chupakobra6 <igorpheik@gmail.com>
Signed-off-by: Artur Kraev <artur.kraev@flant.com>
This reverts commit 8d751f1.
- Implement case-insensitive matching for API groups, resources, and resource paths
- Refactor IsActionAllowed to extract matchRule helper function for better code organization
- Add error handling and logging for pattern matching failures
- Update documentation and examples to use generic resource names (registry.example.com/registries) instead of deckhouse-specific ones
- Add comprehensive test coverage for case-insensitive matching scenarios including uppercase, mixed case, and wildcard patterns

- Simplified timeout configuration in kubernetesAuthz by directly using the configured request timeout.
- Added default request timeout value of 10 seconds in AuthConfig and updated validation logic to set it if not specified or invalid.
- Removed redundant default request timeout constant from const.go to streamline the codebase.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Introduced UIDLabel constant for Kubernetes user UID in const.go.
- Enhanced UserInfo struct to include UID and updated ToLabels and UserInfoFromLabels methods to handle UID.
- Updated documentation to reflect the addition of UID in authentication labels and ACL examples.
Signed-off-by: [Your Name] [Your Email]
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Added checks to handle cases where no actions are provided in the authorization request, returning a NoMatch error.
- Updated the logic to return NoMatch if no actions are allowed after processing the request.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Removed unnecessary logging of SSRR rules.
- Enhanced cache handling to differentiate between successful rule retrieval and error cases, ensuring proper error propagation.
- Updated cache addition logic to store errors instead of nil values for better failure tracking.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>
- Updated field name from `UserName` to `Username` in the Kubernetes authentication logic and configuration to ensure consistency.
- Adjusted related documentation and examples to reflect the change in the field name.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Updated the field name from `Username` to `UserName` in both the authentication and authorization logic to ensure consistency across the codebase.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Updated the kubernetesAuthz struct to use a RulesFetcher for improved rule retrieval.
- Removed the previous caching logic and integrated a new cached rules fetcher to enhance performance and error handling.
- Simplified the authorization process by directly utilizing the rules fetcher in the Authorize method.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Introduced singleflight to prevent duplicate in-flight requests for the same cache key in the cached rules fetcher.
- Refactored the GetRules method to utilize singleflight for improved performance and error handling.
- Cleaned up code formatting for better readability.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Renamed metrics from k8sAuthzRequestsTotal to k8sAuthzRulesRequestsTotal and k8sAuthzRequestLatencySeconds to k8sAuthzRulesRequestDurationSeconds for clarity.
- Updated the initialization and usage of metrics in the kubernetesAuthz struct to reflect the new naming conventions.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Introduced a new NamespaceCheckVerbs field in AuthzConfig to specify Docker actions that require namespace existence checks before authorization.
- Updated the kubernetesAuthz struct to include a namespaceChecker for validating namespace existence.
- Enhanced the Authorize method to perform namespace checks based on the new configuration, improving authorization accuracy.
- Updated documentation to reflect the new namespace check functionality and its usage.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Added error handling for token authentication to return a specific error message when the token is not authenticated.
- Updated the Authenticate method to return api.WrongPass instead of nil for better clarity on authentication failures.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Introduced a new AuthFailed type to encapsulate authentication errors, providing clearer error messages in HTTP responses.
- Updated the WrongPass variable to use NewAuthFailed for consistency in error handling.
- Modified the Kubernetes authentication logic to return an AuthFailed error instead of a generic error, improving clarity in failure scenarios.
- Enhanced error handling in the AuthServer to log specific authentication failures.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>
- Updated the Authenticator interface to clarify special error cases: NoMatch and WrongPass/AuthFailed.
- Improved documentation for authentication failures, specifying HTTP 401 responses and error messages.
- Added notes in examples and documentation to reflect changes in error handling for invalid or unauthenticated tokens.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Included patterns to ignore editor swap files, Helm chart lockfiles, build artifacts, and macOS system files.
- This update helps maintain a cleaner repository by preventing unnecessary files from being tracked.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Changed the default success TTL for caching from 5 minutes to 1 minute in the AuthConfig struct.
- Updated related documentation and examples to reflect the new default value for success_ttl.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Implemented a warning log in the Authorize method to notify when access is denied due to a non-existent namespace.
- This enhancement improves visibility into authorization failures, aiding in debugging and monitoring.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Added a verbose log statement in the Authorize method to output the retrieved rules for a user and namespace, enhancing visibility into the authorization process.
- This change aids in debugging and monitoring by providing more context during authorization checks.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Updated the IsActionAllowed method to use the original case of the resource path when matching against authorization rules, improving accuracy in rule evaluation.
- This change ensures that the authorization checks are performed without altering the case of the resource path, which may affect rule matching.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

…mprovements
- Updated the NewRulesFetcher function to accept an optional rulesFilter parameter, allowing for filtering of fetched rules based on API group and resource.
- Refactored the IsActionAllowed method to simplify rule matching logic and improve clarity.
- Introduced a new Validate method for AuthzConfig to ensure proper configuration and error handling.
- Enhanced test coverage for AuthzConfig validation and rule filtering, ensuring robust authorization checks.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>

- Introduced the ApplyDefaults function to set default values for optional fields in AuthConfig, ensuring proper initialization.
- Added a new test, TestApplyDefaults, to verify the correct application of default values and idempotency.
- Updated existing validation tests to incorporate the new applyDefaults parameter, improving clarity and functionality in testing AuthConfig validation.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>
| return false, nil, api.NoMatch | ||
| } | ||
|
|
||
| ctx, cancel := context.WithTimeout(context.Background(), ka.cfg.Limits.RequestTimeout) |
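Review bot: `context.WithTimeout(context.Background(), ka.cfg.Limits.RequestTimeout)` with a zero RequestTimeout returns a context whose deadline has already passed, so the TokenReview call fails immediately with a deadline error rather than running unbounded; the empty-value case raised in the thread is therefore a hard failure, not a no-op. Apply the default (the later commit adds a 10 second default and an ApplyDefaults function) before this authenticator is constructed, or guard the zero case at this call site.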
Member
RequestTimeout is used twice. Will this cause any errors?
- when initializing tokenAuth;
- when calling the AuthenticateToken method;
Collaborator
Author
Which problem could it be?
Member
Just thought about the empty value in RequestTimeout.
It is checked in the method, but not at the call level. But ideally, default values should be set there.
I think we can skip it. There shouldn't be any problems.
- Removed unused time import and the DefaultBackoffInitialDelay constant from const.go, streamlining the code.
- Updated the GetRules method in rules_fetcher.go to utilize the new DefaultRetryBackoff from the webhookauthn package, enhancing the backoff strategy for retries.
Signed-off-by: Artur Kraev <artur.kraev@flant.com>
Summary
Adds Kubernetes authentication (via TokenReview) and optional Kubernetes RBAC authorization (via SelfSubjectRulesReview).
Users authenticate with Kubernetes bearer tokens; pull/push/delete can be authorized via existing Kubernetes RBAC (Roles/RoleBindings) for a configurable API group and resource.
Changes
Authentication (Kubernetes TokenReview)
- `kubernetes_auth`: `docker login` username is fixed (default `"token"`), password is a Kubernetes bearer token validated via TokenReview.
- `kubeconfig` path; if omitted, in-cluster config is used.
- `limits` (`request_timeout`, `qps`, `burst`) and `cache` (`success_ttl`, `failure_ttl`) for TokenReview.
- Labels: `k8s-username`, `k8s-uid`, `k8s-groups`, `k8s-extra-*`, and `groups` for ACL compatibility.
- Metrics: `registry_auth_k8s_authn_requests_total`, `registry_auth_k8s_authn_request_latency_seconds`.
Authorization (optional, SelfSubjectRulesReview)
- `authz` block under `kubernetes_auth` enables RBAC-based authorization via SelfSubjectRulesReview.
- Repository paths are matched against `resourceNames` using recursive globbing (e.g. `images/**`) via doublestar (godoc).
- Configurable `api_group` and `resource` (e.g. custom resource `registries` in `registry.example.com`).
- `namespace_check_verbs`: for listed actions (e.g. `push`, `delete`), namespace existence is checked before calling SelfSubjectRulesReview.
- Metrics: `registry_auth_k8s_authz_rules_requests_total`, `registry_auth_k8s_authz_rules_request_duration_seconds`.
Configuration example
RBAC samples
Auth server (TokenReview + SelfSubjectRulesReview)
The auth server's service account needs permission to create TokenReview and SelfSubjectRulesReview, and (if `namespace_check_verbs` is used) to get/list namespaces:
User/application RBAC (registry path access)
When `authz` is enabled, grant access to repository paths via Role/ClusterRole on the configured resource (e.g. `api_group: "registry.example.com"`, `resource: "registries"`). `resourceNames` are repository path patterns; matching uses recursive globbing (e.g. `**`). Verb mapping: `get` → pull, `list` → catalog/list, `create` → push, `delete` → delete tag/manifest.
Read-only (pull + list) for one namespace:
Push and pull (FULL) for a subpath:
(With `namespace_check_verbs: ["push", "delete"]`, push/delete are only allowed if namespace `my-app` exists.)
Requirements
Testing
- `auth_server/k8s/config_test.go` covers config validation and defaults.
- `resourceNames` and globs.
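The verb mapping and `resourceNames` glob matching described under the RBAC samples above, worked through as an added Go example (not the project's code). The `Rule` struct, the stdlib-only `**` matcher standing in for doublestar, and the case rules (API group/resource case-insensitive, repository path in its original case) are assumptions drawn from the PR description and commit messages.

```go
package main

import (
	"path"
	"strings"
)
// Rule is a hypothetical stand-in for one SelfSubjectRulesReview resourceRule.
type Rule struct{ APIGroups, Resources, Verbs, ResourceNames []string }
// verbFor is the registry action -> RBAC verb mapping from the PR description.
var verbFor = map[string]string{"pull": "get", "list": "list", "push": "create", "delete": "delete"}
// matchSegs matches path segments; "**" spans zero or more (assumed doublestar stand-in; path case is kept).
func matchSegs(pp, np []string) bool {
	if len(pp) == 0 {
		return len(np) == 0
	}
	if pp[0] == "**" { // either match nothing here, or swallow one segment and retry
		return matchSegs(pp[1:], np) || (len(np) > 0 && matchSegs(pp, np[1:]))
	}
	if len(np) == 0 {
		return false
	}
	ok, _ := path.Match(pp[0], np[0]) // a malformed pattern counts as no match
	return ok && matchSegs(pp[1:], np[1:])
}
// has honours the RBAC "*" wildcard; group, resource and verb compare case-insensitively.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || strings.EqualFold(v, want) {
			return true
		}
	}
	return false
}

// IsActionAllowed: a rule allows the action if it grants the mapped verb on the configured apiGroup/resource and one of its resourceNames globs matches repoPath.
func IsActionAllowed(rules []Rule, apiGroup, resource, action, repoPath string) bool {
	verb, known := verbFor[action]
	for _, r := range rules {
		if !known || !has(r.Verbs, verb) || !has(r.APIGroups, apiGroup) || !has(r.Resources, resource) {
			continue
		}
		for _, pat := range r.ResourceNames {
			if matchSegs(strings.Split(pat, "/"), strings.Split(repoPath, "/")) {
				return true
			}
		}
	}
	return false
}
```

With a Role granting `get`/`list` on `team-a/**`, a pull of `team-a/app/api` passes while a push, a `team-b/...` path, or `Team-A/app` is denied.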
`kubernetes_auth`. Existing configs and auth methods are unchanged.