kube-apiserver: add a bootstrap token authenticator for TLS bootstrapping

[ericchiang]

Follows up on #36101

Still needs:

• More tests.
• To be hooked up to the API server.
  • Do I have to do that in a separate PR after k8s.io/apiserver is synced?
• Docs (kubernetes.io PR).
• Figure out caching strategy.
• Release notes.

cc @kubernetes/sig-auth-api-reviews @liggitt @luxas @jbeda

Added a new secret type "bootstrap.kubernetes.io/token" for dynamically creating TLS bootstrapping bearer tokens.

[k8s-reviewable]

This change is 

[luxas]

Great start!

I had some comments initially, PTAL

/cc @deads2k @sttts who are familiar with k8s.io/apiserver in general

[luxas]

Could we instead do something like this so it's possible to pass a client-go ClientSet to it for example?

// SecretsGetter has a method to return a SecretInterface.
// A group's client should implement this interface.
type SecretsGetter interface {
	Secrets(namespace string) SecretInterface
}

// SecretInterface has methods to work with Secret resources.
type SecretInterface interface {
	List(opts meta_v1.ListOptions) (*v1.SecretList, error)
}

(taken from https://github.com/kubernetes/client-go/blob/master/kubernetes/typed/core/v1/secret.go)
Maybe the client-go clientset would do the caching for us then?

[sttts]

Probably some kind of informer should be used for secret lookup.

[luxas]

@ericchiang Can you add a secret informer here then?

[sttts]

Informer or internal storage access?

[luxas]

2017 now :)

[luxas]

Maybe it's better to depend on client-go here? I see that other parts of k8s.io/apiserver do so

[sttts]

Right, use client-go from the apiserver for kube types. Compare e.g. the webhook authn plugin.

[ericchiang]

I was trying to mimic the service account authenticator[0] and that uses the API server's internal storage directly[1]. That uses the API server package[2].

I planned to hook it up the same way we do the service account authenticator, and that's why it's this way. Is the service account authenticator using old practices?

[0]

kubernetes/pkg/kubeapiserver/authenticator/config.go

Line 69 in 8621bd3

ServiceAccountTokenGetter serviceaccount.ServiceAccountTokenGetter

[1]

kubernetes/cmd/kube-apiserver/app/server.go

Line 252 in 8621bd3

authenticatorConfig.ServiceAccountTokenGetter = serviceaccountcontroller.NewGetterFromStorageInterface(storageConfig, storageFactory.ResourcePrefix(api.Resource("serviceaccounts")), storageFactory.ResourcePrefix(api.Resource("secrets")))

[2]

kubernetes/pkg/serviceaccount/jwt.go

Line 32 in 8621bd3

"k8s.io/kubernetes/pkg/api/v1"

[sttts]

Where will your authenticator run if it is part of a kube-aggregator setup? On the aggregator side it won't have access to the internal storage, but has to use client-go. In contrast, some kind of delegation has to take place if it runs on the kube-apiserver side. /cc @deads2k

[luxas]

I think the argument token should equal fmt.Sprintf("%s:%s", secret.Data[TokenID], secret.Data[TokenSecret])

[ericchiang]

Doesn't that encourage setups reusing the same token-secrets for each token and just switching out the token-id? Why would this be preferred?

[luxas]

Hmm, I'm not sure I follow...
The full token tokenid:tokensecret is given as the token arg, right?
Then comparing that arg to only tokensecret will yield the wong behaviour. Or am I missing something here?

[ericchiang]

I assumed the header would look like:

Authorization: Bearer (token secret)

Would then map to userid: (token id)

Not:

Authorization: Bearer (token id):(token secret)

Happy to change it.

[luxas]

cc @jbeda @mikedanese I think the token will be

Authorization: Bearer (token id):(token secret)

because that's what we set in kubeconfig.AuthInfo[].Token in the kubeconfig that the kubelet uses

[sttts]

@ericchiang no need to wait for k8s.io/apiserver to sync. For internal consumation we have a link in the vendor directory. The staging directory is authorative, just change the code there.

[luxas]

@ericchiang Do you need more information or can you update this with the changes requested?

[ericchiang]

@luxas fine to make the changes, but I'm still a little confused about where this gets hooked up to the API server. I've normally been adding authentication plugins here: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubeapiserver/authenticator/config.go

But that code gets called from here: https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-apiserver/app/server.go

where we don't use client-go.

[liggitt]

a couple lines down, you can see us building a client for portions of the API (like admission plugins, etc) to talk to the API:

client, err := internalclientset.NewForConfig(genericConfig.LoopbackClientConfig)

I'm not sure about using that for an auth plugin, though. @deads2k, opinions?

[ericchiang]

@liggitt I think I can compose an internal secret informer from that client: https://godoc.org/k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/core/internalversion

Should I use that instead?

[deads2k]

I'm not sure about using that for an auth plugin, though. @deads2k, opinions?

You can use the loopback client config since it's recognized locally and ahead of others.

[ericchiang]

@deads2k to reuse the loopback client's shared informer[0], I was going to use the factory it creates[1], however there's no secret informer on that interface so I was going to add one. Is that code generated or manually editable?

[0]

kubernetes/cmd/kube-apiserver/app/server.go

Line 272 in 436fa5c

sharedInformers := informers.NewSharedInformerFactory(nil, client, 10*time.Minute)

[1] https://godoc.org/k8s.io/kubernetes/pkg/controller/informers#SharedInformerFactory

[liggitt]

I was going to use the factory it creates[1], however there's no secret informer on that interface so I was going to add one. Is that code generated or manually editable?

@ncdc do you have a shared secret informer in a PR yet?

[ncdc]

@liggitt nobody should be using pkg/controller/informers any more for new code. All generated informers are in pkg/client/informers/informers_generated. From an instance of the SharedInformerFactory, you'd do .Core().V1().Secrets() to get access to the one for secrets.

[ericchiang]

Updated plugin to use pkg/client/informers/informers_generated. Added a couple more tests and hooked it up to the kube-apiserver.

[ericchiang]

cc @liggitt @deads2k what do you think of this? I didn't want this package to import all of the internal generated client.

[liggitt]

I can live with it for now, would still like these two fields better factored

[ericchiang]

per @ncdc's comments I'm using 'pkg/client/informers/informers_generated' for the bootstrap token secret informer. It seems like the other uses of sharedInformer should switch over to this second informer? cc @deads2k

[ncdc]

Yes. I'm tracking my work for that here: https://trello.com/c/kpiFmic9/121-use-generated-shared-informers-listers-everywhere-possible. We also need to decide if the kube-apiserver should switch to using versioned informers instead of internal.

[luxas]

What does the 10*time.Minute do here? Does the user have to wait 10mins for the APIServer to notice that a new token was added?

[ericchiang]

After hunting it down it looks like how often it calls the underlying cache's resync method. Which seems to be this:

func (c *threadSafeMap) Resync() error {
	// Nothing to do
	return nil
}

https://github.com/kubernetes/client-go/blob/86a2be1b447d7abddae88de0a5f642935992b803/tools/cache/thread_safe_store.go#L277

So, I'm a bit confused.

[ncdc]

This is how often a full resync occurs. A full resync is defined as the shared informer's DeltaFIFO cache re-enqueing every item it has so all listeners can have an opportunity to reprocess them. The correct Resync() function is here (or, the equivalent in the kubernetes repo): https://github.com/kubernetes/client-go/blob/204f12b1f3125cc660f989655af4b5bd83cbd9dd/tools/cache/delta_fifo.go#L507

[ncdc]

And no, the user doesn't have to wait 10 minutes for the server to notice a new token was added. The shared informer uses a Reflector, which performs a list of all items currently in existence, then starts watching for modified items. It performs a full resync every 10 minutes (in this example). Also, in the event the watch is closed for some reason, the Reflector relists and rewatches.

[luxas]

Sweet! I had some nits that could be addressed.
Will test this on my cluster as soon as possible :)

[luxas]

There is a constant for this already: k8s.io/apimachinery/apis/meta/v1.NamespaceSystem

[ericchiang]

Was avoiding the import. I'll switch it.

[liggitt]

make the namespace an option when constructing the authenticator and inject it

[luxas]

( the private part of the token ) maybe?

[luxas]

bootstrap-token-( token id )

[jbeda]

The name of the token shouldn't matter as we are keying off of the SecretType. We shouldn't make assumptions about the name.

[luxas]

Can we only return Secrets of type bootstrap.kubernetes.io/token here?

[ericchiang]

Not here, but there might be a fancier way of doing it on the informer. Let me look into that.

[jbeda]

Not using the shared informer, but look at https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/bootstrap/tokencleaner.go#L75

[ericchiang]

woops this isn't used anymore.

[ericchiang]

Flag added here. Defaults to false.

[ericchiang]

Hope this is the correct way to do this detection for the internalverison api.

[luxas]

@sttts ^

I guess so, yes

[ericchiang]

Having trouble running the hack script to update the docs with the new flag. Seems I need a bigger machine :/

$ ./hack/update-generated-docs.sh 
make: Entering directory '/home/eric/src/k8s.io/kubernetes'
make[1]: Entering directory '/home/eric/src/k8s.io/kubernetes'
make[1]: Leaving directory '/home/eric/src/k8s.io/kubernetes'
+++ [0221 01:36:03] Building the toolchain targets:
    k8s.io/kubernetes/hack/cmd/teststale
    k8s.io/kubernetes/vendor/github.com/jteeuwen/go-bindata/go-bindata
+++ [0221 01:36:03] Generating bindata:
    test/e2e/generated/gobindata_util.go
~/src/k8s.io/kubernetes ~/src/k8s.io/kubernetes/test/e2e/generated
~/src/k8s.io/kubernetes/test/e2e/generated
+++ [0221 01:36:04] Building go targets for linux/amd64:
    cmd/gendocs
    cmd/genkubedocs
    cmd/genman
    cmd/genyaml
    federation/cmd/genfeddocs
# k8s.io/kubernetes/cmd/genkubedocs
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: fork/exec /usr/bin/gcc: cannot allocate memory

# k8s.io/kubernetes/cmd/genman
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: fork/exec /usr/bin/gcc: cannot allocate memory

!!! [0221 01:37:50] Call tree:
!!! [0221 01:37:51]  1: /home/eric/src/k8s.io/kubernetes/hack/lib/golang.sh:740 kube::golang::build_binaries_for_platform(...)
!!! [0221 01:37:51]  2: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [0221 01:37:51] Call tree:
!!! [0221 01:37:51]  1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
!!! [0221 01:37:51] Call tree:
!!! [0221 01:37:51]  1: hack/make-rules/build.sh:27 kube::golang::build_binaries(...)
Makefile:85: recipe for target 'all' failed
make: *** [all] Error 1
make: Leaving directory '/home/eric/src/k8s.io/kubernetes'
!!! Error in ./hack/update-generated-docs.sh:37
  Error in ./hack/update-generated-docs.sh:37. 'make -C "${KUBE_ROOT}" WHAT="${BINS[*]}"' exited with status 2
Call stack:
  1: ./hack/update-generated-docs.sh:37 main(...)
Exiting with status 1

Expecting verification to fail because of the added flag. Going to try to fix it tomorrow.

[sttts]

will this be done before merge?

[luxas]

@sttts no, but as a follow-up. It would be really important to get this in today

[sttts]

please clean up the duplicated comments below at least.

[sttts]

the client==nil case here looks "over commented" ;) 3x more or less the same.

[luxas]

It's ok, he actually got asked to clarify it :)

[ericchiang]

Yeah, I'll try to make this more concise.

[sttts]

lower case

[ericchiang]

done

[luxas]

LGTM!

Thanks for adding it behind a flag

[luxas]

@sttts no, but as a follow-up. It would be really important to get this in today

[luxas]

@sttts ^

I guess so, yes

[luxas]

This does now exist in bootstrapapi.BootstrapTokenSecretPrefix

[ericchiang]

Now uses constant defined in pkg/bootstrap/api

[ericchiang]

@luxas comments addressed and figured out the flags check.

[sttts]

👍

[jbeda]

I'd like more logging here, to be honest. But it isn't worth holding this up and that can come in a new PR.

[jbeda]

I feel like adding some logging for each of these failure cases might be really helpful for people. When auth fails it can be super frustrating to figure out what is wrong.

[ericchiang]

Sounds good. Will follow up once this is merged.

[jbeda]

/lgtm

[jbeda]

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

The following people have approved this PR: ericchiang, jbeda

Needs approval from an approver in each of these OWNERS Files:

• cmd/kube-apiserver/OWNERS [jbeda]
• hack/OWNERS [jbeda]
• hack/verify-flags/OWNERS [jbeda]
• pkg/OWNERS [jbeda]
• plugin/pkg/auth/OWNERS [jbeda]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 41812, 41665, 40007, 41281, 41771)