Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce Impersonate-UID header #99961

Merged
merged 1 commit into from Jul 7, 2021
Merged

Introduce Impersonate-UID header #99961

merged 1 commit into from Jul 7, 2021

Conversation

margocrawf
Copy link
Contributor

@margocrawf margocrawf commented Mar 8, 2021
edited

What type of PR is this?

/kind-bug

What this PR does / why we need it:

This introduces an Impersonate-Uid header to server side code.
While UserInfo contains a uid field alongside groups, username and extra, it was not possible to pass a UID through as an impersonation header like you can with Impersonate-Group, Impersonate-User and Impersonate-Extra.

This PR contains:

  • Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation
  • Unit tests for allowed and disallowed impersonation cases
  • An integration test that creates a CertificateSigningRequest using impersonation, and ensures that the API server populates the correct impersonated spec.uid upon creation.

Which issue(s) this PR fixes:

This PR is a step towards fixing #93699.

Does this PR introduce a user-facing change?

Kube API server accepts Impersonate-Uid header to impersonate a user with a specific UID, in the same way that you can currently use Impersonate-User, Impersonate-Group and Impersonate-Extra

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 8, 2021
@k8s-ci-robot
Copy link
Contributor

Welcome @margocrawf!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 8, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @margocrawf. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 8, 2021
@k8s-ci-robot k8s-ci-robot requested review from enj and SataQiu March 8, 2021 21:38
@k8s-ci-robot k8s-ci-robot added area/apiserver area/test kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 8, 2021
@fejta-bot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@fedebongio
Copy link
Contributor

/assign @deads2k
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 9, 2021
enj
enj suggested changes Mar 26, 2021
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly minor stuff.

staging/src/k8s.io/api/authentication/v1/types.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
@@ -67,6 +67,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
username := ""
groups := []string{}
userExtra := map[string][]string{}
uid := ""
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe in a separate PR, can you move groupsSpecified to its single point of use and update the comment to note that it only applies to service accounts (the newer group logic below has superseded this comment).

staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go Outdated Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go Show resolved Hide resolved
test/integration/auth/auth_test.go Outdated Show resolved Hide resolved
test/integration/auth/auth_test.go Outdated Show resolved Hide resolved
test/integration/auth/auth_test.go
t.Errorf("body should contain a uid, but it didn't.")
}
}()

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change

staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go Show resolved Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go Show resolved Hide resolved
@enj
Copy link
Member

enj commented Mar 26, 2021

/ok-to-test
/assign
/kind feature
/priority important-longterm
/milestone v1.22

@margocrawf

  1. Add a more descriptive commit message + PR message (dev facing - can be the same), ex: 9b23f22, 30eb668
  2. Release note (end user facing), ex: Fix GC uid races and handling of conflicting ownerReferences #92743 (comment)
  3. Squash into one commit
  4. There are probably docs that need updating - see if you can find them and open a PR to update them.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. kind/feature Categorizes issue or PR as related to a new feature. labels Mar 26, 2021
@margocrawf
Copy link
Contributor Author

/retest

@margocrawf
This introduces an Impersonate-Uid header to server side code.
74f5ed6 
UserInfo contains a uid field alongside groups, username and extra.
This change makes it possible to pass a UID through as an impersonation header like you
can with Impersonate-Group, Impersonate-User and Impersonate-Extra.

This PR contains:

* Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation
* Unit tests for allowed and disallowed impersonation cases
* An integration test that creates a CertificateSigningRequest using impersonation,
  and ensures that the API server populates the correct impersonated spec.uid upon creation.
margocrawf added a commit to margocrawf/website that referenced this pull request Jul 6, 2021
@margocrawf
Add Impersonate-Uid description to Authentication docs page.
023e3b5 
This change goes with kubernetes/kubernetes#99961
in the Kubernetes repo.
@enj
Copy link
Member

enj commented Jul 6, 2021

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 6, 2021
@margocrawf
Copy link
Contributor Author

/retest

1 similar comment
@margocrawf
Copy link
Contributor Author

/retest

@deads2k
Copy link
Contributor

deads2k commented Jul 6, 2021

/approve

@margocrawf
Copy link
Contributor Author

/retest

@liggitt liggitt self-assigned this Jul 6, 2021
@liggitt
Copy link
Member

liggitt commented Jul 6, 2021

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, liggitt, margocrawf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2021
@enj
Copy link
Member

enj commented Jul 6, 2021

/retest

Unrelated quota integration test flake.

@k8s-ci-robot k8s-ci-robot merged commit e1acbbd into kubernetes:master Jul 7, 2021
SIG Auth Old automation moved this from In Review (v1.22) to Closed / Done Jul 7, 2021
@liggitt liggitt mentioned this pull request Jul 8, 2021
Closed
margocrawf added a commit to margocrawf/website that referenced this pull request Jul 12, 2021
@margocrawf
Add Impersonate-Uid description to Authentication docs page.
d773681 
This change goes with kubernetes/kubernetes#99961
in the Kubernetes repo.
@enj enj mentioned this pull request Jul 23, 2021
Open
@margocrawf margocrawf mentioned this pull request Aug 20, 2021
Merged
@margocrawf margocrawf mentioned this pull request Oct 20, 2021
Merged
margocrawf added a commit to margocrawf/kubernetes that referenced this pull request Nov 5, 2021
@margocrawf
--as-uid flag in kubectl and kubeconfigs.
7e079f5 
This corresponds to previous work to allow impersonating UIDs:
* Introduce Impersonate-UID header: kubernetes#99961
* Add UID to client-go impersonation config kubernetes#104483

Signed-off-by: Margo Crawford <margaretc@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj requested changes

@deads2k deads2k deads2k left review comments

@SataQiu SataQiu Awaiting requested review from SataQiu

Assignees

@liggitt liggitt

@enj enj

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
SIG Auth Old
Closed / Done
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@margocrawf @k8s-ci-robot @fejta-bot @fedebongio @enj @deads2k @liggitt