Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sure to sanitize entity IDs before usage in labels #55

Merged
merged 3 commits into from Jun 3, 2019
Merged

Make sure to sanitize entity IDs before usage in labels #55

merged 3 commits into from Jun 3, 2019

Conversation

yorinasub17
Copy link
Contributor

@yorinasub17 yorinasub17 commented May 31, 2019
edited

This is backwards incompatible

Kubernetes labels can only support alphanumerics, -, _, and .. This can be problematic when adding labels that include the entity IDs, which is free form and user provided. To address this, this PR updates the label generators to sanitize the values before adding them into the label.

@yorinasub17
Copy link
Contributor Author

I tested this on my EKS cluster as well.

BEFORE:

%~> aws-vault exec gwddev -- kubergrunt helm grant --tiller-namespace kube-system --rbac-user foo@bar --tls-common-name foo --tls-org bar                 [0] INFO[2019-05-31T11:52:58-07:00] No context name provided. Using default.      name=kubergrunt
INFO[2019-05-31T11:52:58-07:00] No kube config path provided. Using default (/Users/yoriy/.kube/config)  name=kubergrunt
INFO[2019-05-31T11:52:58-07:00] Granting access Tiller server deployed in namespace kube-system to:  name=kubergrunt
INFO[2019-05-31T11:52:58-07:00]         - the RBAC users [foo@bar]                   name=kubergrunt
INFO[2019-05-31T11:52:58-07:00] Checking if Tiller is deployed in the namespace.  name=kubergrunt
INFO[2019-05-31T11:52:58-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:52:58-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Found a valid Tiller instance in the namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Downloading the CA TLS certificates for Tiller deployed in namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Using /var/folders/n2/pljz6dq52bd1ksmw23qyr3sr0000gn/T/703103746 as temp path for storing certificates  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Successfully downloaded CA TLS certificates for Tiller deployed in namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Granting access to deployed Tiller in namespace kube-system to RBAC groups  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Successfully granted access to deployed Tiller in namespace kube-system to RBAC groups  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Granting access to deployed Tiller in namespace kube-system to RBAC users  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Generating and storing certificate key pair for foo@bar (1 of 1)  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Using /var/folders/n2/pljz6dq52bd1ksmw23qyr3sr0000gn/T/346762361 as temp path for storing client certificates  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Generating client certificates for entity foo@bar  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Generating signed TLS certificate key pair    name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Done generating signed TLS Certificate key pair  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Successfully generated client certificates for entity foo@bar  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Uploading client certificate key pair as secret in namespace kube-system with name tiller-client-cca210311c3caf70e4a335aad6fa1047-certs  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Successfully uploaded client certificate key pair as a secret  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Successfully generated and stored certificate key pair for foo@bar  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Creating and binding RBAC roles to foo@bar    name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Creating RBAC role to grant access to Tiller in namespace kube-system to foo@bar  name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:52:59-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
ERRO[2019-05-31T11:52:59-07:00] Error creating RBAC role to grant access to Tiller: Role.rbac.authorization.k8s.io "foo@bar-kube-system-tiller-access" is invalid: metadata.labels: Invalid value: "foo@bar-kube-system-tiller-access": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')  name=kubergrunt
ERRO[2019-05-31T11:52:59-07:00] Error creating and binding RBAC roles to foo@bar  name=kubergrunt
ERRO[2019-05-31T11:52:59-07:00] Error granting access to deployed Tiller in namespace kube-system to RBAC users: Role.rbac.authorization.k8s.io "foo@bar-kube-system-tiller-access" is invalid: metadata.labels: Invalid value: "foo@bar-kube-system-tiller-access": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')  name=kubergrunt
ERROR: Role.rbac.authorization.k8s.io "foo@bar-kube-system-tiller-access" is invalid: metadata.labels: Invalid value: "foo@bar-kube-system-tiller-access": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')

AFTER:

%~> aws-vault exec gwddev -- kubergrunt helm grant --tiller-namespace kube-system --rbac-user foo@bar --tls-common-name foo --tls-org bar                 [0]
INFO[2019-05-31T11:55:25-07:00] No context name provided. Using default.      name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No kube config path provided. Using default (/Users/yoriy/.kube/config)  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Granting access Tiller server deployed in namespace kube-system to:  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00]         - the RBAC users [foo@bar]                   name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Checking if Tiller is deployed in the namespace.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Found a valid Tiller instance in the namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Downloading the CA TLS certificates for Tiller deployed in namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Using /var/folders/n2/pljz6dq52bd1ksmw23qyr3sr0000gn/T/240456894 as temp path for storing certificates  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully downloaded CA TLS certificates for Tiller deployed in namespace kube-system.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Granting access to deployed Tiller in namespace kube-system to RBAC groups  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully granted access to deployed Tiller in namespace kube-system to RBAC groups  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Granting access to deployed Tiller in namespace kube-system to RBAC users  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Generating and storing certificate key pair for foo@bar (1 of 1)  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Using /var/folders/n2/pljz6dq52bd1ksmw23qyr3sr0000gn/T/566110469 as temp path for storing client certificates  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Generating client certificates for entity foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Generating signed TLS certificate key pair    name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Done generating signed TLS Certificate key pair  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully generated client certificates for entity foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Uploading client certificate key pair as secret in namespace kube-system with name tiller-client-cca210311c3caf70e4a335aad6fa1047-certs  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully uploaded client certificate key pair as a secret  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully generated and stored certificate key pair for foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Creating and binding RBAC roles to foo@bar    name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Creating RBAC role to grant access to Tiller in namespace kube-system to foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully created RBAC role foo@bar-kube-system-tiller-access  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Creating binding for role foo@bar-kube-system-tiller-access to foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Loading Kubernetes Client                     name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] No direct auth methods provided. Using config on disk and context.  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully bound role foo@bar-kube-system-tiller-access to foo@bar  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully bound RBAC roles to foo@bar      name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully granted access to deployed Tiller in namespace kube-system to RBAC users  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Granting access to deployed Tiller in namespace kube-system to Service Accounts  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully granted access to deployed Tiller in namespace kube-system to Service Accounts  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00] Successfully granted access to deployed Tiller server in namespace kube-system to:  name=kubergrunt
INFO[2019-05-31T11:55:25-07:00]         - the RBAC users [foo@bar]                   name=kubergrunt

Your users should now be able to setup their local helm client to access Tiller now. To configure their client, they should use the "kubergrunt helm configure" command:

   kubergrunt helm configure --tiller-namespace kube-system

They must pass in one of --rbac-user, --rbac-group, or --service-account, depending on what entity they are authenticating as.

If they wish to further setup kubectl to default to the managed namespace, they can pass in the following options:

   kubergrunt helm configure \
     --tiller-namespace kube-system \
     --resource-namespace RESOURCE_NAMESPACE \
     --set-kubectl-namespace

@yorinasub17
Copy link
Contributor Author

UPDATE: I started hitting the char length limit as well, so decided to switch to using just entity ID instead of including the full resource name.

Note that this makes the revoke command backwards incompatible. Note that v0.4.0 revoke is compatible with successfully granted entities in v0.4.0, so a workaround would be to temporarily downgrade to that version and run the revoke command.

autero1
autero1 approved these changes Jun 3, 2019
View reviewed changes
Copy link
Contributor

@autero1 autero1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@yorinasub17
Copy link
Contributor Author

Thanks for the review Petri! Will merge and release.

@yorinasub17 yorinasub17 merged commit 0a591c2 into master Jun 3, 2019
@yorinasub17 yorinasub17 deleted the yori-bugfixes-on-revoke branch June 3, 2019 05:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@autero1 autero1 autero1 approved these changes

@robmorgan robmorgan Awaiting requested review from robmorgan

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@yorinasub17 @autero1