kubelet authn/authz #34381
Conversation
initial implementation of Authenticated/Authorized access to kubelet API feature cc @kubernetes/sig-auth @kubernetes/sig-node
Can you split out "Allow webhook authorizer to use SubjectAccessReviewInterface" and we can get it in separately?
Already in #34071, as noted |
ClientCAFile string `json:"clientCAFile"` | ||
|
||
// enableWebhookToken enables bearer token authentication using the tokenreviews.authentication.k8s.io API | ||
EnableWebhookToken bool `json:"enableWebhookToken"` |
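Review bot: the doc comment on EnableWebhookToken names the tokenreviews.authentication.k8s.io API but not where the review is sent; state that it is posted to the kubelet's API server and therefore does nothing unless the kubelet has an API client, which is also why it cannot default on. Sitting as a bare bool next to ClientCAFile it reads as a peer of certificate auth rather than a separate mechanism; a webhook substruct would keep the webhook-only settings together.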
Group the two webhook-related fields into a substruct to keep them associated. Also, add indications that this functions against the API server.
done
attrs.Subresource = "metrics" | ||
case isSubpath(requestPath, logsPath): | ||
attrs.Verb = apiVerb | ||
attrs.Subresource = "log" |
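Review bot: attrs.Subresource = "log" under the logsPath case differs from the path segment it matches, and nothing on that line says why; add an inline comment that "log" is chosen to match the existing pods/log subresource so one spelling serves policy for both, otherwise the next reader will take it for a typo and "fix" it, silently breaking any policy written against the log subresource.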
Reading through this I am confused why this is log vs logs. stats above matches the resource /stats/
trying to match existing log subresources (pods/log), to try to avoid typos in policy that controls both
overall looks fine. the subresource == log vs path == logs is confusing but if correct deserves a comment.
// This allows subdividing access to the kubelet API | ||
switch { | ||
case isSubpath(requestPath, statsPath): | ||
attrs.Verb = apiVerb |
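Review bot: attrs.Verb = apiVerb in the statsPath case is redundant if Verb is already initialized to apiVerb before the switch, as the nit below points out; either drop the per-case assignment or assign it in every case so a reader can tell at a glance that no branch overrides the verb. The leading comment says the switch subdivides access to the kubelet API but not what an unmatched path maps to; that fall-through case is the one a policy author is most likely to get wrong, so name it in the comment.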
nit: Verb is already initialized to apiVerb above
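The path-to-subresource mapping discussed above, written out as an added example (not the kubelet's code, and not from this PR). It assumes a resource name of "nodes", a fallback subresource of "proxy" for unmatched paths, and a minimal RBAC-style rule matcher; all three are assumptions made for illustration. The matcher is included to show the point made in the thread: a policy author must spell the subresource exactly as the kubelet emits it, so `nodes/log` grants the /logs/ path while a rule written `nodes/logs` grants nothing.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Attributes is the subset of authorization attributes a kubelet request would
// carry into a SubjectAccessReview. Illustrative type, not the kubelet's own.
type Attributes struct {
	Verb        string
	Resource    string
	Subresource string
	Name        string
}

// Path prefixes named in the PR discussion. Assumption: each prefix is a whole
// path segment, so "/statsx" must not match "/stats".
const (
	statsPath   = "/stats"
	metricsPath = "/metrics"
	logsPath    = "/logs"
)

// isSubpath reports whether requestPath equals prefix or lies below it.
func isSubpath(requestPath, prefix string) bool {
	return requestPath == prefix || strings.HasPrefix(requestPath, prefix+"/")
}

// apiVerb maps an HTTP method onto the verb vocabulary used in Kubernetes policy.
func apiVerb(method string) string {
	switch method {
	case http.MethodGet, http.MethodHead:
		return "get"
	case http.MethodPost:
		return "create"
	case http.MethodPut:
		return "update"
	case http.MethodPatch:
		return "patch"
	case http.MethodDelete:
		return "delete"
	default:
		return strings.ToLower(method)
	}
}

// RequestAttributes builds the attributes for a kubelet API request on nodeName.
// Every request is scoped to the node as resource "nodes" (assumed here) and the
// URL path subdivides it into a subresource. The "logs" path deliberately maps to
// subresource "log" to mirror the existing pods/log subresource, as the PR explains.
// Assumption: anything not matched falls back to subresource "proxy".
func RequestAttributes(nodeName, method, requestPath string) Attributes {
	attrs := Attributes{Verb: apiVerb(method), Resource: "nodes", Name: nodeName}
	switch {
	case isSubpath(requestPath, statsPath):
		attrs.Subresource = "stats"
	case isSubpath(requestPath, metricsPath):
		attrs.Subresource = "metrics"
	case isSubpath(requestPath, logsPath):
		attrs.Subresource = "log"
	default:
		attrs.Subresource = "proxy"
	}
	return attrs
}

// Rule is a minimal RBAC-style rule: verbs plus "resource/subresource" strings.
type Rule struct {
	Verbs     []string
	Resources []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants attrs. Resources are compared as the
// literal "resource/subresource" string, which is why the subresource spelling
// the kubelet emits must match the spelling used in policy.
func Allowed(rules []Rule, attrs Attributes) bool {
	target := attrs.Resource + "/" + attrs.Subresource
	for _, r := range rules {
		if (contains(r.Verbs, "*") || contains(r.Verbs, attrs.Verb)) && contains(r.Resources, target) {
			return true
		}
	}
	return false
}

func main() {
	rules := []Rule{{Verbs: []string{"get"}, Resources: []string{"nodes/log", "nodes/stats"}}}
	for _, p := range []string{"/stats/summary", "/logs/kubelet.log", "/metrics", "/statsx", "/pods"} {
		a := RequestAttributes("node-1", http.MethodGet, p)
		fmt.Printf("GET %-18s -> %s/%s allowed=%v\n", p, a.Resource, a.Subresource, Allowed(rules, a))
	}
}
```

Running it shows /stats/summary and /logs/kubelet.log granted, /metrics and the fall-through paths denied; swapping "nodes/log" for "nodes/logs" in the rule denies the log path as well, which is the typo the thread wants to avoid.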
@@ -96,6 +96,29 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) { | |||
fs.Var(componentconfig.IPVar{Val: &s.Address}, "address", "The IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces)") | |||
fs.Int32Var(&s.Port, "port", s.Port, "The port for the Kubelet to serve on.") | |||
fs.Int32Var(&s.ReadOnlyPort, "read-only-port", s.ReadOnlyPort, "The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable)") | |||
|
|||
// Authentication | |||
fs.BoolVar(&s.Authentication.Anonymous.Enabled, "anonymous-auth", s.Authentication.Anonymous.Enabled, ""+ |
This defaults on?
yes
"Enables anonymous requests to the Kubelet server. Requests that are not rejected by another "+ | ||
"authentication method are treated as anonymous requests. Anonymous requests have a username "+ | ||
"of system:anonymous, and a group name of system:unauthenticated.") | ||
fs.BoolVar(&s.Authentication.Webhook.Enabled, "authentication-token-webhook", s.Authentication.Webhook.Enabled, ""+ |
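Review bot: the --anonymous-auth help text says what anonymous requests look like but not that the flag defaults to true, nor that under the default AlwaysAllow authorization mode those system:anonymous requests are then authorized; say both in the help, since an operator reading --help is the one deciding whether to turn it off. The --read-only-port help in the same hunk already states that port has no authentication or authorization; cross-reference it from the new flags so nobody assumes they cover it.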
I'd like to see this default-on too. One level release skew should be safe since we supported the endpoint in 1.4.
we shouldn't default this on if the corresponding API isn't defaulted on
> we shouldn't default this on if the corresponding API isn't defaulted on

beta API that I thought I turned on by default. It's not?
You're right, the backing API is on. However, the kubelet isn't guaranteed to have an API client. I can look into dynamically enabling it as a follow up, but the stateless default has to be off, I think
// KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests | ||
KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" | ||
// KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization | ||
KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" |
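Review bot: the comment on KubeletAuthorizationModeAlwaysAllow says it authorizes all authenticated requests; with anonymous-auth enabled, a request with no credentials is authenticated as system:anonymous, so in practice the mode authorizes every request that reaches it. Spell that out, and on KubeletAuthorizationModeWebhook note that the SubjectAccessReview goes to the kubelet's API server by default, which is the answer to the naming question raised in review.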
This seems more, "ClusterBased" or something right? As opposed to a generic webhook they get to choose a destination on.
> This seems more, "ClusterBased" or something right? As opposed to a generic webhook they get to choose a destination on.

the remote authz check runs against the kubelet's apiserver by default, but some deployments will not enable that API. I want to retain the future ability to point this at the same webhook the apiserver supports without duplicating all the associated cache flags.
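The defaults discussed in this thread (anonymous-auth on, authentication-token-webhook off, authorization mode AlwaysAllow) combine in a way worth seeing end to end. This is an added example, not the kubelet's implementation: it models the authentication chain described in the --anonymous-auth help (a request no authenticator rejects becomes system:anonymous in group system:unauthenticated) and the two authorization modes. The token map standing in for the TokenReview round trip and the system:masters check standing in for the SubjectAccessReview answer are constructed for the example; x509 client-certificate auth is omitted.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// UserInfo is what authentication yields. Illustrative, not the kubelet's types.
type UserInfo struct {
	Name   string
	Groups []string
}

// AuthConfig mirrors the flags in the PR: anonymous-auth, authentication-token-webhook
// and the authorization mode ("AlwaysAllow" or "Webhook").
type AuthConfig struct {
	AnonymousEnabled    bool
	TokenWebhookEnabled bool
	AuthorizationMode   string
}

// DefaultConfig returns the defaults stated in the discussion.
func DefaultConfig() AuthConfig {
	return AuthConfig{AnonymousEnabled: true, TokenWebhookEnabled: false, AuthorizationMode: "AlwaysAllow"}
}

// knownTokens is constructed sample data standing in for a TokenReview round trip
// to the API server, which would return the authenticated user for a valid token.
var knownTokens = map[string]UserInfo{
	"tok-apiserver": {Name: "system:apiserver", Groups: []string{"system:masters"}},
}

// Authenticate runs the chain: bearer token when the webhook authenticator is on,
// then the anonymous fallback. With the webhook off a bearer header is not inspected
// by anyone, so the request is not rejected and falls through to anonymous.
func Authenticate(cfg AuthConfig, r *http.Request) (*UserInfo, bool) {
	if h := r.Header.Get("Authorization"); cfg.TokenWebhookEnabled && strings.HasPrefix(h, "Bearer ") {
		u, ok := knownTokens[strings.TrimPrefix(h, "Bearer ")]
		if !ok {
			return nil, false // a presented but invalid token is rejected, not demoted to anonymous
		}
		return &u, true
	}
	if cfg.AnonymousEnabled {
		return &UserInfo{Name: "system:anonymous", Groups: []string{"system:unauthenticated"}}, true
	}
	return nil, false
}

func hasGroup(u UserInfo, g string) bool {
	for _, have := range u.Groups {
		if have == g {
			return true
		}
	}
	return false
}

// Authorize applies the mode. AlwaysAllow passes every authenticated user, which
// with anonymous-auth on includes system:anonymous. Webhook mode would ask the
// API server via SubjectAccessReview; the stand-in policy here (an assumption for
// the example) allows only members of system:masters.
func Authorize(cfg AuthConfig, u UserInfo) bool {
	switch cfg.AuthorizationMode {
	case "AlwaysAllow":
		return true
	case "Webhook":
		return hasGroup(u, "system:masters")
	default:
		return false
	}
}

// Handle returns the HTTP status a request to the secure port would get.
func Handle(cfg AuthConfig, r *http.Request) int {
	u, ok := Authenticate(cfg, r)
	if !ok {
		return http.StatusUnauthorized
	}
	if !Authorize(cfg, *u) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	noCreds, _ := http.NewRequest(http.MethodGet, "/pods", nil)
	withToken, _ := http.NewRequest(http.MethodGet, "/pods", nil)
	withToken.Header.Set("Authorization", "Bearer tok-apiserver")
	hardened := AuthConfig{AnonymousEnabled: false, TokenWebhookEnabled: true, AuthorizationMode: "Webhook"}
	fmt.Println("defaults, no credentials:", Handle(DefaultConfig(), noCreds))
	fmt.Println("hardened, no credentials:", Handle(hardened, noCreds))
	fmt.Println("hardened, valid token:   ", Handle(hardened, withToken))
}
```

The first line of output is the point of the thread: with the stateless defaults an unauthenticated request is answered 200, exactly as before this change, and only turning off anonymous auth (401) or switching to Webhook authorization (403 for system:anonymous) changes that.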
// x509 contains settings related to x509 client certificate authentication | ||
X509 KubeletX509Authentication `json:"x509"` | ||
// webhook contains settings related to webhook bearer token authentication | ||
Webhook KubeletWebhookAuthentication `json:"webhook"` |
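Review bot: the comment on the Webhook field says "webhook bearer token authentication" but, per the reply that it follows the same reasoning as the remote authorizer, the TokenReview goes to the kubelet's API server by default; say so in the comment so a reader does not look for a separate webhook endpoint setting. Likewise the X509 comment could name the setting the client certificate is verified against (the clientCAFile), since that file decides who can authenticate with a certificate at all.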
apiserver token based as opposed to generic webhook, isn't it?
> apiserver token based as opposed to generic webhook, isn't it?

same reasoning as the remote authorizer
relatively minor comments. Core code looks good.
Jenkins GCI GKE smoke e2e failed for commit 1e87267b2b3e575fd0ede772b588e5d2f0a3b8bf. Full PR test history. The magic incantation to run this job again is
05698df to 0b4c46b
Jenkins unit/integration failed for commit 0b4c46bfdd2d6abf5ce2448fe9bc81911c7d87ca. Full PR test history. The magic incantation to run this job again is
Jenkins verification failed for commit 137a304f5256ab420875050d90910f97e5d22c73. Full PR test history. The magic incantation to run this job again is
lgtm
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
@cjcullen did you see this. |
Implements https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/kubelet-auth.md
Part of Authenticated/Authorized access to kubelet API feature