-
Notifications
You must be signed in to change notification settings - Fork 38.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow delegated authorization to have privileged groups #70671
allow delegated authorization to have privileged groups #70671
Conversation
} | ||
|
||
func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions { | ||
return &DelegatingAuthorizationOptions{ | ||
// very low for responsiveness, but high enough to handle storms | ||
AllowCacheTTL: 10 * time.Second, | ||
DenyCacheTTL: 10 * time.Second, | ||
|
||
// in a kube cluster, system:masters has full power. Use this as the default which could be later changed. | ||
AlwaysAllowGroups: []string{user.SystemPrivilegedGroup}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm on board with defaulting to a value that allows coasting, but I expected a flag wired to this to surface it and allow control
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm on board with defaulting to a value that allows coasting, but I expected a flag wired to this to surface it and allow control
This seems like a setting that individual binaries can choose to control how they like. I think a very small minority (if any) would want to allow an admin to control it and those binaries could choose to wire the value to whatever flag they like.
I'm worried that:
|
the same superuser exists in the kube-apiserver as the pinned first authorizer in the chain, independent of RBAC and prior to any configured authorizers |
Ahh... loopback stuff... I have similar concerns with that flow. While we couldn't make the same guarantees around preventing misconfiguration, I would strongly prefer if the loopback authorizer was appended to the authorizer chain rather than prepended. The usecase was outlined here #51862 |
I'm primarily concerned with introducing well known user/group strings that are capable of unilateral bypassing authorization when operators generally have little control over the users and groups of credentials (namely those provisioned by the certificates API).
Alternatively, we could enforce that the loopback authorizer could only authorize request from loopback addresses. Would this approach address the issues raised here? e.g. administrator needs port forward AND a system:master credential to bypass authorization of apiservers running in the cluster and apiservers running outside the cluster can be protected? |
I can make it optional, but I think that prepending is the correct default choice. This is already what the kube-apiserver does, so this is purely an optimization on asking. Again, a user of this API can wire or disable this in any way that they like and removing the default makes it purely opt-in. |
117f8bb
to
0b70b7a
Compare
Default removed. If someone requests it, then it will function as desired. |
/kind feature needs release note |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
In kube,
system:masters
is a special group that has full API powers. We use this group to be able to have kube-apiservers loopback with full power and to allow management of RBAC using a client cert with that group.Since DelegatedAuthorization is intended to be consistent with kube recommendations, this updates the default value to include an authorizer that lists
system:masters
as having full rights. This means that system:masters users will not have to have a remote authz call which improves performance and makes debugging very broken conditions possible.@smarterclayton
@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-auth-pr-reviews