Feature: Enable the Kubernetes Proxy Endpoint to be disabled via PermissionPolicy

[RubenV-dev]

Hey, I just made a Pull Request!

I am introducing a way to restrict access to the proxy-endpoint via integration with the Permissions framework. This is being done by:

• Introducing basic-permissions that can be used by integrators via permission policy to restrict access to the kubernetes proxy endpoint entirely.
• Require the need for two separate tokens to be provided to the kubernetes proxy endpoint via headers in the request.
  A backstage identity token to determine whether users have the correct permissions to use the endpoint to be provided as a value field to the Authorization header and a second token obtained from an auth provider that will be passed to authenticate with the kubernetes api when the proxy middleware redirects the request provided as a value field to the X-Kubernetes-Authorization header.

Context:

Here is my basic setup:
I enable permissions first.

OIDC Authority

I create an azure AD app registration with

$ export CLIENT_ID=$(az ad app create --display-name my-backstage --web-redirect-uris http://localhost:7007/api/auth/microsoft/handler/frame http://localhost:8000 | jq -r .appId)
$ export CLIENT_SECRET=$(az ad app credential reset --append --id $CLIENT_ID | jq -r .password)

OIDC Enabled Kind Cluster

I create a kind cluster with:

$ kind create cluster --config - <<EOF
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
kubeadmConfigPatches:
- |-
  kind: ClusterConfiguration
  apiServer:
    extraArgs:
      oidc-client-id: CLIENT-ID
      oidc-issuer-url: https://login.microsoftonline.com/TENANT-ID/v2.0
      oidc-username-claim: email
EOF

where CLIENT-ID is the ID for the app registration i created previously, and TENANT-ID is the ID of my azure AD tenant.

Setup RBAC on the cluster

kubectl create clusterrolebinding me-admin --user EMAIL-ADDRESS --clusterrole cluster-admin

where EMAIL_ADDRESS is the email of my azure account

Backstage

app-config

kubernetes:
  serviceLocatorMethod:
    type: 'multiTenant'
  clusterLocatorMethods:
    - type: config
      clusters:
        - name: kind
          url: https://127.0.0.1:PORT
          authProvider: oidc
          oidcTokenProvider: microsoft
          skipTLSVerify: true
          skipMetricsLookup: true
auth:
  environment: development
  providers:
    microsoft:
      development:
        clientId: ${CLIENT_ID}
        clientSecret: ${CLIENT_SECRET}
        tenantId: ${TENANT_ID}
catalog:
  locations:
    - type: file
      target: ../../kubernetes.yaml
      rules:
        - allow: [User, Component, Resource]

where PORT is my kind cluster port obtain by using kubectl cluster-info in your terminal. Other values were described above.
kubernetes.yaml

apiVersion: backstage.io/v1alpha1
kind: User
metadata:
  name: MYNAME
  annotations:
    'microsoft.com/email': EMAIL
spec:
  memberOf: []

where MYNAME and EMAIL match the name and email used to sign into microsoft.

I sign in using the Microsoft sign in resolver and on refresh find the refresh call under the network tab in my browser. Here i navigate to the response tab to obtain the providerInfo.accessToken to use as my X-Kubernetes-Authorization value and backstageIdentity.token as my Authorization header value.

Here i can call the proxy endpoint along with clustername as shown in unit tests and get a valid response.

After_Changes

I can create a permission policy like:
packages/backend/src/plugins/permissions.ts

class KubernetesDenyAllProxyEndpointPolicy implements PermissionPolicy {
  async handle(
    request: PolicyQuery,
    user?: BackstageIdentityResponse,
  ): Promise<PolicyDecision> {
    if (
      request.permission.name === 'kubernetes.proxy"
    ) {
      return {
        result: AuthorizeResult.DENY,
      };
    }
    return { result: AuthorizeResult.ALLOW };
  }
}

where the proxy endpoint returns 403 Forbidden messages even though I provided a valid oidc token in my request.

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)
• All your commits have a Signed-off-by line in the message. (more info)

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
example-backend	packages/backend	none	v0.2.81
@backstage/plugin-kubernetes-backend	plugins/kubernetes-backend	minor	v0.9.4
@backstage/plugin-kubernetes-common	plugins/kubernetes-common	patch	v0.6.1

[github-actions]

Uffizzi Preview deployment-14728 was deleted.

[jamieklassen]

Can we add a permission integration router so that the plugin announces the permissions it supports at an endpoint like /api/kubernetes/.well-known/backstage/permissions/metadata? I did something similar in #15150.

[Rugvip]

Thank you! 👍

Couple of smaller things but also want to get some clarity on how we're able to evolve the integration

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

[Rugvip]

Awesome, thank you! 😁

Just a couple of small nits but basically ready to

We'll hold of on merging this until after the next mainline release since it's fairly large, so after next Tuesday.

[Rugvip]

Nice! Let's 😁

[github-actions]

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.13.0 release, scheduled for Tue, 18 Apr 2023.