feat(kuma-cp) verify ServiceAccountToken bound to a Pod

[jakubdyszkiewicz]

Summary

When authenticating kuma-dp on Kubernetes, we are carrying ServiceAccountToken and verify it in Kuma CP.
So far, we were only verifying the namespace of this Service Account Token but not the name of the token itself.
That means that any kuma-dp in one namespace could impersonate others in the same namespace.

I think this was done this way because if as a team member you manage Deployment and ServiceAccount objects in one namespace. There is no built-in mechanism in Kubernetes to prevent a user from using another ServiceAccount in a namespace for your Deployment.

However, there are cases where users are not responsible for managing Deployment objects but some high-level provisioner does that for them.

Alternatively, you could have a controller or OPA for Kubernetes that would restrict ServiceAccountToken to given Deployment.

Therefore Kuma should be more strict about verifying the token to not only verify a namespace of a token but check the Pod for the serviceAccountTokenName and also verify a token name.

Issues resolved

No issues.

Documentation

• docs(security) service account token considerations kuma-website#528

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• Add backport-to-stable label if the code is backwards compatible. Otherwise, list breaking changes.

[codecov-commenter]

Codecov Report

Merging #2745 (ea09e64) into master (858034a) will decrease coverage by 0.00%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #2745      +/-   ##
==========================================
- Coverage   51.99%   51.98%   -0.01%     
==========================================
  Files         877      877              
  Lines       51142    51162      +20     
==========================================
+ Hits        26589    26596       +7     
- Misses      22437    22449      +12     
- Partials     2116     2117       +1     

Impacted Files	Coverage Δ
pkg/xds/auth/k8s/authenticator.go	0.00% <0.00%> (ø)
test/e2e/hybrid/kuma_hybrid.go	0.00% <0.00%> (ø)
...est/framework/deployments/testserver/deployment.go	0.00% <0.00%> (ø)
...est/framework/deployments/testserver/kubernetes.go	0.00% <0.00%> (ø)
pkg/core/resources/store/customizable_store.go	77.77% <0.00%> (-11.12%)	⬇️
pkg/plugins/resources/memory/store.go	77.71% <0.00%> (-4.35%)	⬇️
api/observability/v1/mads.pb.go	35.56% <0.00%> (+1.03%)	⬆️
pkg/dns/vips_allocator.go	74.00% <0.00%> (+1.33%)	⬆️
pkg/mads/v1/client/client.go	43.75% <0.00%> (+2.50%)	⬆️
pkg/core/resources/manager/cache.go	84.41% <0.00%> (+2.59%)	⬆️
... and 1 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 858034a...ea09e64. Read the comment docs.

[jpeach]

nit:

Suggested change

	func WithServiceAccount(sa string) DeploymentOptsFn {
	func WithServiceAccount(accountName string) DeploymentOptsFn {

[jpeach]

Nit: might be useful to include the namespaced name in the error

[jpeach]

Nit:

Suggested change

	func (k *kubeAuthenticator) podServiceAccountName(ctx context.Context, name, namespace string) (string, error) {
	func (k *kubeAuthenticator) podServiceAccountName(ctx context.Context, podName types.NamespacedName) (string, error) {

[jpeach]

Nit: the parentheses in this error seem a bit out of place since no other error format uses them

[jpeach]

Suggested change

	return errors.Errorf("token must belong to a k8s system account, got %q", tokenReview.Status.User.Username)
	return errors.Errorf("user %q is not a service account", tokenReview.Status.User.Username)

[jpeach]

This error message substantially repeats the one in podServiceAccountName. Maybe trim or or the other?

Same in authZoneIngress.