kubelet authn/authz #34381
kubelet authn/authz #34381
Conversation
k8s-github-robot
added
kind/api-change
liggitt
added
release-note
|
initial implementation of Authenticated/Authorized access to kubelet API feature cc @kubernetes/sig-auth @kubernetes/sig-node |
|
Can you split out "Allow webhook authorizer to use SubjectAccessReviewInterface" and we can get it in separately? |
Already in #34071, as noted |
| ClientCAFile string `json:"clientCAFile"` | ||
|
|
||
| // enableWebhookToken enables bearer token authentication using the tokenreviews.authentication.k8s.io API | ||
| EnableWebhookToken bool `json:"enableWebhookToken"` |
There was a problem hiding this comment.
Group the two webhook related fields into a substruct to keep the associated. Also, add indications that this functions against the API server.
| attrs.Subresource = "metrics" | ||
| case isSubpath(requestPath, logsPath): | ||
| attrs.Verb = apiVerb | ||
| attrs.Subresource = "log" |
There was a problem hiding this comment.
Reading through this I am confused why this is log vs logs. stats above matches the resource /stats/
There was a problem hiding this comment.
trying to match existing log subresources (pods/log), to try to avoid typos in policy that controls both
|
overall looks fine. the subresource == log vs path == logs is confusing but if correct deserves a comment. |
| // This allows subdividing access to the kubelet API | ||
| switch { | ||
| case isSubpath(requestPath, statsPath): | ||
| attrs.Verb = apiVerb |
There was a problem hiding this comment.
nit: Verb is already initialized to apiVerb above
| @@ -96,6 +96,29 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) { | |||
| fs.Var(componentconfig.IPVar{Val: &s.Address}, "address", "The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)") | |||
| fs.Int32Var(&s.Port, "port", s.Port, "The port for the Kubelet to serve on.") | |||
| fs.Int32Var(&s.ReadOnlyPort, "read-only-port", s.ReadOnlyPort, "The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable)") | |||
|
|
|||
| // Authentication | |||
| fs.BoolVar(&s.Authentication.Anonymous.Enabled, "anonymous-auth", s.Authentication.Anonymous.Enabled, ""+ | |||
| "Enables anonymous requests to the Kubelet server. Requests that are not rejected by another "+ | ||
| "authentication method are treated as anonymous requests. Anonymous requests have a username "+ | ||
| "of system:anonymous, and a group name of system:unauthenticated.") | ||
| fs.BoolVar(&s.Authentication.Webhook.Enabled, "authentication-token-webhook", s.Authentication.Webhook.Enabled, ""+ |
There was a problem hiding this comment.
I'd like to see this default-on too. One level release skew should be safe since we supported the endpoint in 1.4.
There was a problem hiding this comment.
we shouldn't default this on if the corresponding API isn't defaulted on
There was a problem hiding this comment.
we shouldn't default this on if the corresponding API isn't defaulted on
beta API that I thought I turned on by default. It's not?
There was a problem hiding this comment.
You're right, the backing API is on. However, the kubelet isn't guaranteed to have an API client. I can look into dynamically enabling it as a follow up, but the stateless default has to be off, I think
| // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests | ||
| KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" | ||
| // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization | ||
| KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" |
There was a problem hiding this comment.
This seems more, "ClusterBased" or something right? As opposed to a generic webhook they get to choose a destination on.
There was a problem hiding this comment.
This seems more, "ClusterBased" or something right? As opposed to a generic webhook they get to choose a destination on.
the remote authz check runs against the kubelet's apiserver by default, but some deployments will not enable that API. I want to retain the future ability to point this at the same webhook the apiserver supports without duplicating all the associated cache flags.
| // x509 contains settings related to x509 client certificate authentication | ||
| X509 KubeletX509Authentication `json:"x509"` | ||
| // webhook contains settings related to webhook bearer token authentication | ||
| Webhook KubeletWebhookAuthentication `json:"webhook"` |
There was a problem hiding this comment.
apiserver token based as opposed to generic webhook, isn't it?
There was a problem hiding this comment.
apiserver token based as opposed to generic webhook, isn't it?
same reasoning as the remote authorizer
|
relatively minor comments. Core code looks good. |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
Jenkins GCI GKE smoke e2e failed for commit 1e87267b2b3e575fd0ede772b588e5d2f0a3b8bf. Full PR test history. The magic incantation to run this job again is |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
added
size/XXL
liggitt
force-pushed
the
kubelet-auth
branch
2 times, most recently
from
05698df
to
0b4c46b
Compare
k8s-github-robot
removed
the
needs-rebase
|
Jenkins unit/integration failed for commit 0b4c46bfdd2d6abf5ce2448fe9bc81911c7d87ca. Full PR test history. The magic incantation to run this job again is |
|
Jenkins verification failed for commit 137a304f5256ab420875050d90910f97e5d22c73. Full PR test history. The magic incantation to run this job again is |
deads2k
added
the
lgtm
|
lgtm |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
@cjcullen did you see this. |
Implements https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/kubelet-auth.md
Part of Authenticated/Authorized access to kubelet API feature
This change is