-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Profile controller and KFAM allow unauthenticated in-cluster traffic #7032
Profile controller and KFAM allow unauthenticated in-cluster traffic #7032
Conversation
are you using Kubeflow 1.7 ? |
Sorry, I thought the examples were straight forward enough, but now I'm realizing that is not the case. When KFAM adds contributors to a profile, it creates an AuthorizationPolicy. That authorization policy has a single rule that looks something like spec:
rules:
- when:
- key: request.headers[kubeflow-userid]
values:
- user@example.com For traffic coming through the ingress gateway, that's fine because the This is a curl request from a notebook to a notebook in another namespace. (base) jovyan@tensorflow-0:~$ curl -sS -D - http://jupyter-scipy.kubeflow-user-example-com.svc.cluster.local/notebook/kubeflow-user-example-com/jupyter-scipy/api/sessions -o /dev/null
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Tue, 07 Mar 2023 04:02:17 GMT
server: envoy
x-envoy-upstream-service-time: 4
# adding header `kubeflow-user=user@example.com`
(base) jovyan@tensorflow-0:~$ curl -H "kubeflow-userid: user@example.com" -sS -D - http://jupyter-scipy.kubeflow-user-example-com.svc.cluster.local/notebook/kubeflow-user-example-com/jupyter-scipy/api/sessions -o /dev/null
HTTP/1.1 200 OK
server: envoy
content-type: application/json
date: Tue, 07 Mar 2023 04:03:22 GMT
x-content-type-options: nosniff
content-security-policy: frame-ancestors 'self'; report-uri /notebook/kubeflow-user-example-com/jupyter-scipy/api/security/csp-report; default-src 'none'
access-control-allow-origin: *
etag: "97d170e1550eee4afc0af065b78cda302a97674c"
content-length: 2
x-envoy-upstream-service-time: 106 If the rules that allow traffic based on spec:
rules:
- when:
- key: request.headers[kubeflow-userid]
values:
- user@example.com
from:
- source:
principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"] This is how it works on master today and is only a problem for in cluster traffic. |
Yes, that is the same way it is done here https://github.com/kubeflow/manifests/blob/b1e29829b0d13d5493c8a3f5f720f87547a8abe2/apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml#L28 Only the istio-ingressgateway and some other serviceaccounts in the kubeflow namespace have verified headers. You still have to guess or have seen the notebook and contributor name but @kimwnasptd @akgraner this is security relevant. @johnhoman If you are interested in fixing security issues are you willing to help with the following two security issues? |
@johnhoman can you provide a public image for testing? |
/lgtm |
Sorry, must have missed this. Here are public images rebuilt from this commit
|
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kimwnasptd The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@kimwnasptd I see that we have hard-coded the istio gateway's namespace as Similar to how we allow configuring this with the |
@thesuperzapper indeed, let's have the same configuration everywhere for allowing different Istio handlings |
@kimwnasptd we either need to revert this ASAP, because it will break Kubeflow as it currently stands. Specifically, we need to:
|
Also, another option is to use a single Which would have a value like: |
Yep, that would be the most dynamic of all. I'll send a PR |
This is similar to this kerve issue kserve/kserve#2197 (comment). Users can be impersonated without authentication by attaching the header
kubeflow-userid:
with a valid profile contributor name to a request going to any namespace within the mesh.Adding this change resolves that
kubectl patch deployment profiles-deployment -n kubeflow --type=json -p='[{"op": "replace", "path": "/spec/template/spec/containers/1/image", "value": "profile-controller:v1.7.0-rc.1-dirty"}]' deployment.apps/profiles-deployment patched
The authorization policy created by KFAM also has the same issue.