New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow system:serviceaccounts to read the SA discovery endpoints #88344
Allow system:serviceaccounts to read the SA discovery endpoints #88344
Conversation
This needs discussion before being exposed. The original proposal explicitly said we wouldn't start by doing this:
|
Yup, and I figured this would help move the discussion along 😄
I do not see us adding anything new to the unauthenticated group regardless of how much we harden Kube. With that in mind, the question becomes "is this safe to bind to At the very least I think workloads on the cluster should be able to have some reasonable guarantee that this information will be available to them. |
Yes, though I do not know if folks have the bandwidth to review/discuss it. I opened kubernetes/enhancements#1567 to make the KEP match this change so things stay in sync if we move forward. |
Three things to consider:
By adding permission to read this document to system:authenticated, our info leak to scanners goes from "this is a Kubernetes cluster" to "this is X's Kubernetes cluster" when the above conditions are met. This is not something we could turn on in GKE. |
Could you be specific with an example? If you are using say, Google, it would make sense to restrict access via hosted domain. Similarly, if you are using GitHub, one would limit by organization. But I would say its on the cluster admin to place restrictions on who can authenticate.
You would learn that same information during the authentication process?
Why are scanners able to authenticate to the API?
Does GKE let anyone authenticate?
But you need (as Overall I do not see how Another approach would be to assign this permission to the |
Agree that these kinds of restrictions are ideal from a defense-in-depth perspective although we need to consider where the community is. Looking at search results, hits for "oidc-required-claim" are significantly lower than hits for "oidc-client-id" if that's any indication.
Please elaborate.
Anyone with a gmail account can authenticate. To GKE kube-apiservers. They use the same authentication stack as the rest of GCP. |
Will respond to comments shortly but moving to next milestone based on last SIG Auth discussion. /milestone v1.19 |
50133c0
to
db95586
Compare
Some examples:
I think I misunderstood the authentication flow. I assumed there would be an OIDC flow per cluster which would involve some form of redirection to the issuer URL in the process. This comment can be ignored.
Per the discussion on the last SIG Auth meeting, it seemed unlikely that GKE would be able to lock down who can authenticate to the GKE clusters (from what I understand, anyone can authenticate but authorization is limited to the appropriate subjects). To make this change reasonable in GKE environments while also usable by default by in-cluster workloads (without cluster admin interaction), I have scoped the binding down to all service accounts via the |
/retest |
1 similar comment
/retest |
/lgtm |
This change allows all service accounts to read the service account issuer discovery endpoints. This guarantees that in-cluster services can rely on this info being available to them. Signed-off-by: Monis Khan <mok@vmware.com>
db95586
to
a38071c
Compare
Comments addressed. |
/lgtm |
/retest |
2 similar comments
/retest |
/retest |
/remove-kind bug |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This change allows all service accounts to read the service account issuer discovery endpoints.
This guarantees that in-cluster services can rely on this info being available to them.
Signed-off-by: Monis Khan mok@vmware.com
/kind bug
/assign @mtaufen @liggitt @mikedanese
@kubernetes/sig-auth-pr-reviews
/sig auth
/milestone v1.18
/priority important-soon