Feature: Enable the Kubernetes Proxy Endpoint to be disabled via PermissionPolicy #16237
Can we add a permission integration router so that the plugin announces the permissions it supports at an endpoint like /api/kubernetes/.well-known/backstage/permissions/metadata? I did something similar in #15150.
Thank you! 👍
A couple of smaller things, but I also want to get some clarity on how we're able to evolve the integration.
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
Awesome, thank you! 😁
Just a couple of small nits but basically ready to
We'll hold off on merging this until after the next mainline release since it's fairly large, so after next Tuesday.
…ssion, reword changeset, add permission parameter to install doc Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
… available to the plugin Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
…ew changes to api-reports and changeset along with docs Signed-off-by: Ruben Vallejo <rvallejo@vmware.com>
Nice! Let's 😁
Thank you for contributing to Backstage! The changes in this pull request will be part of the
Hey, I just made a Pull Request!

I am introducing a way to restrict access to the proxy endpoint via integration with the Permissions framework. This is being done by:

- A Backstage identity token, used to determine whether users have the correct permissions to use the endpoint, provided as the value of the `Authorization` header, and
- a second token obtained from an auth provider, which will be passed to authenticate with the Kubernetes API when the proxy middleware redirects the request, provided as the value of the `X-Kubernetes-Authorization` header.

Context:

Here is my basic setup:

I enable permissions first.

OIDC Authority

I create an Azure AD app registration with

OIDC Enabled Kind Cluster

I create a kind cluster with:

where `CLIENT-ID` is the ID for the app registration I created previously, and `TENANT-ID` is the ID of my Azure AD tenant.

Setup RBAC on the cluster

where `EMAIL_ADDRESS` is the email of my Azure account.

Backstage

app-config

where `PORT` is my kind cluster port, obtained by using `kubectl cluster-info` in your terminal. Other values were described above.

kubernetes.yaml

where `MYNAME` and `EMAIL` match the name and email used to sign into Microsoft.

I sign in using the Microsoft sign-in resolver and, on refresh, find the refresh call under the network tab in my browser. Here I navigate to the response tab to obtain the `providerInfo.accessToken` to use as my `X-Kubernetes-Authorization` value and `backstageIdentity.token` as my `Authorization` header value.

Here I can call the proxy endpoint along with the cluster name, as shown in the unit tests, and get a valid response.

After_Changes

I can create a permission policy like:

packages/backend/src/plugins/permissions.ts

where the proxy endpoint returns 403 Forbidden messages even though I provided a valid OIDC token in my request.

✔️ Checklist

Signed-off-by line in the message. (more info)
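The two-token flow the PR description walks through, as an added example that is not the PR's or Backstage's own code: a `PermissionPolicy`-shaped class that denies the proxy permission, and a model of the proxy middleware that gates on the Backstage identity token in `Authorization`, asks the policy, and forwards only the `X-Kubernetes-Authorization` token upstream. The permission name `kubernetes.proxy`, the helper names, the synchronous `handle`, and the identity-token table are assumptions made so the example runs stand-alone; the real Backstage interface is asynchronous and verifies a signed JWT.

```typescript
// Added example, not code from the PR or from Backstage. Models the proxy
// endpoint authorization flow described above. Permission name, helper names
// and token formats are assumptions.

type AuthorizeResult = 'ALLOW' | 'DENY';

interface PolicyDecision {
  result: AuthorizeResult;
}

interface PolicyQuery {
  permission: { name: string };
}

interface BackstageIdentity {
  userEntityRef: string;
}

// Shaped like Backstage's PermissionPolicy, but synchronous so the example
// needs no framework (assumption; the real interface returns a Promise).
interface PermissionPolicy {
  handle(request: PolicyQuery, user?: BackstageIdentity): PolicyDecision;
}

// ASSUMPTION: the permission name the kubernetes plugin would use for its proxy.
const KUBERNETES_PROXY_PERMISSION = 'kubernetes.proxy';

// A policy like the one the PR describes: allow everything except the proxy.
class DenyKubernetesProxyPolicy implements PermissionPolicy {
  handle(request: PolicyQuery): PolicyDecision {
    if (request.permission.name === KUBERNETES_PROXY_PERMISSION) {
      return { result: 'DENY' };
    }
    return { result: 'ALLOW' };
  }
}

// Permissive policy, for contrast.
class AllowAllPolicy implements PermissionPolicy {
  handle(): PolicyDecision {
    return { result: 'ALLOW' };
  }
}

// Constructed stand-in for Backstage identity token verification. A real
// backend verifies a signed JWT; here a table of issued tokens plays that role.
const ISSUED_IDENTITY_TOKENS: Record<string, BackstageIdentity> = {
  'bs-identity-token-1': { userEntityRef: 'user:default/example-user' },
};

function verifyBackstageIdentity(token: string | undefined): BackstageIdentity | undefined {
  return token === undefined ? undefined : ISSUED_IDENTITY_TOKENS[token];
}

interface ProxyRequest {
  headers: Record<string, string | undefined>;
}

interface ProxyResponse {
  status: number;
  body: string;
  // What the upstream Kubernetes API would receive as its Authorization header.
  upstreamAuthorization?: string;
}

// HTTP header names are case-insensitive; normalise before lookup.
function header(req: ProxyRequest, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(req.headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

function bearerToken(value: string | undefined): string | undefined {
  if (value === undefined) return undefined;
  const m = /^Bearer\s+(\S+)$/i.exec(value.trim());
  return m ? m[1] : undefined;
}

// The middleware as the PR describes it: the Backstage identity token gates the
// endpoint via the policy; the cluster token is what reaches the Kubernetes API.
function handleProxyRequest(req: ProxyRequest, policy: PermissionPolicy): ProxyResponse {
  const identity = verifyBackstageIdentity(bearerToken(header(req, 'Authorization')));
  if (!identity) {
    return { status: 401, body: 'Missing or invalid Backstage identity token' };
  }

  const decision = policy.handle({ permission: { name: KUBERNETES_PROXY_PERMISSION } }, identity);
  if (decision.result === 'DENY') {
    // The 403 the PR description reports once the deny policy is in place,
    // however valid the cluster token is.
    return { status: 403, body: 'Forbidden' };
  }

  // Accept either "Bearer <token>" or a bare token in X-Kubernetes-Authorization.
  const clusterAuth = header(req, 'X-Kubernetes-Authorization');
  const clusterToken = bearerToken(clusterAuth) ?? clusterAuth?.trim();
  if (!clusterToken) {
    return { status: 401, body: 'Missing X-Kubernetes-Authorization token' };
  }

  // Only the cluster token is forwarded. The Backstage identity token must not
  // reach the cluster: it is not a Kubernetes credential, and a cluster that
  // received it could replay it against Backstage as that user.
  return { status: 200, body: 'proxied', upstreamAuthorization: `Bearer ${clusterToken}` };
}
```

The ordering matters: identity is verified and the policy consulted before the cluster token is even looked at, so a denied user learns nothing about whether their cluster credential would have worked, and the 401 versus 403 split tells a client whether to re-authenticate to Backstage or to give up.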