Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure static certs in kubeconfig override exec plugin #107410

Merged
merged 1 commit into from
Mar 8, 2022
Merged

Ensure static certs in kubeconfig override exec plugin #107410

merged 1 commit into from
Mar 8, 2022

Conversation

margocrawf
Copy link
Contributor

@margocrawf margocrawf commented Jan 7, 2022
edited

Check whether static cert is already configured in UpdateTransportConfig

  • Also update test-cmd.sh to pass a signing ca to the kube controller
    manager, so CSRs work properly in integration tests.

fixed #99603

/kind bug

Fixed a bug that caused credentials in an exec plugin to override the static certificates set in a kubeconfig.

@k8s-ci-robot k8s-ci-robot added do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 7, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @margocrawf. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Jan 7, 2022
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. labels Jan 7, 2022
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jan 7, 2022
@enj
Copy link
Member

enj commented Jan 7, 2022

/triage accepted
/assign
/ok-to-test
/milestone v1.24
/priority important-longterm

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jan 7, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Jan 7, 2022
@k8s-ci-robot k8s-ci-robot removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 7, 2022
@neolit123
Copy link
Member

This seems like unexpected behavior because other statically configured credentials (i.e., basic auth, bearer token) take precedent over the stuff returned by the exec plugin.

Dynamic (plugins) taking precedence over static config seems like the more intuative pattern to me. But i am not very familiar with area of the code and it seems that making this alternative switch now can be more breaking.

@enj enj added this to Needs Triage in SIG Auth Old Jan 10, 2022
@enj enj moved this from Needs Triage to In Review in SIG Auth Old Jan 31, 2022
enj
enj suggested changes Mar 2, 2022
View reviewed changes
hack/testdata/auth/testcert.csr Outdated
@@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE REQUEST-----
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For all of these new testdata files, add:

  1. A comment describing how they were generated
  2. A note saying that this is a test-only credential and that no security vulnerabilities should be reported in regards to them being published to a public repo

test/cmd/authentication.sh Outdated
metadata:
name: testcert
spec:
request: $(base64 < hack/testdata/auth/testcert.csr | tr -d '\n')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is unclear what testcert.csr encodes.

test/cmd/authentication.sh Outdated
kubectl config set-credentials testcert --client-certificate="${TMPDIR:-/tmp}"/testcert.crt --client-key="hack/testdata/auth/testcert.key" --exec-api-version=client.authentication.k8s.io/v1beta1 --exec-command=/tmp/invalid_execcredential.sh
output6=$(kubectl "${kube_flags_without_token[@]:?}" --user testcert get namespace kube-system -o name)
if [[ "${output6}" =~ "Unauthorized" ]]; then
kube::log::status "Unexpected output when providing --client-certificate/--client-key for authentication - exec credential plugin likely triggered. Output: ${output6}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This error message looks incorrect since this is testing the kubeconfig based cert creds.

test/cmd/authentication.sh Outdated
kube::test::get_object_assert 'csr/testcert' '{{range.status.conditions}}{{.type}}{{end}}' ''
kubectl certificate approve testcert
kube::test::get_object_assert 'csr/testcert' '{{range.status.conditions}}{{.type}}{{end}}' 'Approved'
kubectl get csr testcert -o jsonpath='{.status.certificate}' | base64 -d > "${TMPDIR:-/tmp}"/testcert.crt
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use kube::test::wait_object_assert or something equivalent to poll for this, otherwise you are racing the signer and this test will flake in CI.

SIG Auth Old automation moved this from In Review to Changes Requested Mar 2, 2022
@enj
Copy link
Member

enj commented Mar 2, 2022

This seems like unexpected behavior because other statically configured credentials (i.e., basic auth, bearer token) take precedent over the stuff returned by the exec plugin.

Dynamic (plugins) taking precedence over static config seems like the more intuative pattern to me. But i am not very familiar with area of the code and it seems that making this alternative switch now can be more breaking.

To be consistent with our behavior for tokens, static config must have precedence, i.e. #99603 (comment). In particular, CLI flags are considered static config, and they must override the client-go credential plugin.

In an ideal world, we would detect the difference between CLI flags and kubeconfig data, and make the combination of the latter and a client-go credential plugin result in an error (since it is ambiguous what credentials you want to use). With CLI flags, it is clear what credentials the user is intending to use, and that is what this change addresses.

I am okay with saying that static kubeconfig credentials takes precedence over client-go credential plugins simply because picking either is wrong/ambiguous, but at least then we are consistent across tokens/certs.

@margocrawf margocrawf force-pushed the master branch 2 times, most recently from c02605c to 16e93d8 Compare March 7, 2022 16:57
@margocrawf
Check whether static cert is already configured in UpdateTransportConfig
f015fd6 
- Also update test-cmd.sh to pass a signing ca to the kube controller
  manager, so CSRs work properly in integration tests.

Signed-off-by: Margo Crawford <margaretc@vmware.com>
@enj
Copy link
Member

enj commented Mar 8, 2022

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 8, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, margocrawf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 8, 2022
@margocrawf
Copy link
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit 19935de into kubernetes:master Mar 8, 2022
SIG Auth Old automation moved this from Changes Requested to Closed / Done Mar 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj requested changes

@KnVerey KnVerey Awaiting requested review from KnVerey

@neolit123 neolit123 Awaiting requested review from neolit123

Assignees

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG Auth Old
Closed / Done
Milestone
v1.24
4 participants
@margocrawf @k8s-ci-robot @enj @neolit123