Apiserver Proxy should pass impersonated user information to kube-apiserver #2811
Comments
Please verify whether it is still required to call the authorizer before you forward the call to the apiserver. I think the apiserver will verify the impersonated user anyway, and you can skip one step. And the same solution should be applied in the UI API Layer component.
We also have to address impersonate-group, which is available as well. If the impersonate-user header is added in the request to the proxy, we have to validate it against the user in the token.
This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.
Impersonation is already done in the proxy with users and groups.
…ct#2811)
* Remove --cluster-version param from provision gke scripts
* add label for specific stable version

* Revert "Remove RELEASE_CHANNEL from `preset-gke-ver-stable` (kyma-project#2816)" This reverts commit 319ff3f.
* Revert "Remove --cluster-version param from provision gke scripts (kyma-project#2811)" This reverts commit 59746bd.
* Revert "Add pre-master-kyma-gke* jobs which use new GKE K8s version. (kyma-project#2783)" This reverts commit 84440a7.
Description
The Authorization Proxy calls the APIserver with the service account `kyma-system:kube-rbac-proxy`. The information about the end user is only passed to the Kubernetes authorizer, but it is not passed to the apiserver when the request is executed. As a result, in the apiserver audit log, all entries made through the authorization proxy are assigned to the service account only (user information is missing). The authorization proxy should add an `Impersonate-User` header to requests, with the value extracted from the ID Token.
Expected result
The APIserver audit log contains information about the user who made the request to the authorization proxy.
Example:
Actual result
Only service account is visible in audit log:
Steps to reproduce
Get pods with the user's ID token through the apiserver proxy:
and check the audit log.
If you add the header `Impersonate-User: admin@kyma.cx`, the audit log contains the user information.
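The following is an added example (not code from the kyma-project proxy) of the header handling the issue and the comments describe: the proxy keeps authenticating upstream as its own service account, adds `Impersonate-User` and `Impersonate-Group` from the identity established by the validated ID token, and, as the second comment asks, checks any client-supplied `Impersonate-*` header against that identity instead of forwarding it. The `Identity` type, the `ImpersonationHeaders` function and the `proxySAToken` placeholder are assumptions for this example; token validation itself is assumed to have already happened.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// proxySAToken stands in for the proxy's own service-account token
// (kyma-system:kube-rbac-proxy in the issue). Placeholder, not a real token.
const proxySAToken = "<service-account-token>"

// Identity is the end user as established from the already-validated ID token.
// Token validation is assumed to happen before this function is called.
type Identity struct {
	User   string
	Groups []string
}

var errImpersonationMismatch = errors.New("client-supplied Impersonate-* header does not match the token identity")

// ImpersonationHeaders returns the headers to send upstream so that
// kube-apiserver records the call under the end user rather than the
// proxy's service account. Client-supplied Impersonate-* headers are never
// forwarded as-is: they are accepted only if they match the token identity
// (and are then replaced by the proxy's own values); otherwise the request
// is rejected.
func ImpersonationHeaders(in http.Header, id Identity) (http.Header, error) {
	if id.User == "" {
		return nil, errors.New("token yields no user; refusing to forward")
	}
	// Reject any attempt to impersonate a user other than the token's.
	if u := in.Get("Impersonate-User"); u != "" && u != id.User {
		return nil, errImpersonationMismatch
	}
	allowed := make(map[string]bool, len(id.Groups))
	for _, g := range id.Groups {
		allowed[g] = true
	}
	for _, g := range in.Values("Impersonate-Group") {
		if !allowed[g] {
			return nil, errImpersonationMismatch
		}
	}

	out := http.Header{}
	for k, vs := range in {
		// Drop every client-controlled impersonation header, including
		// Impersonate-Uid and Impersonate-Extra-*, which are never forwarded.
		if strings.HasPrefix(http.CanonicalHeaderKey(k), "Impersonate-") {
			continue
		}
		for _, v := range vs {
			out.Add(k, v)
		}
	}
	// Authenticate upstream as the proxy, then impersonate the end user.
	out.Set("Authorization", "Bearer "+proxySAToken)
	out.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		out.Add("Impersonate-Group", g)
	}
	return out, nil
}

func main() {
	// Constructed sample request headers: the user's own ID token, and later
	// an Impersonate-User header the client should not have been sending.
	in := http.Header{}
	in.Set("Authorization", "Bearer <user-id-token>")
	in.Set("Accept", "application/json")
	id := Identity{User: "admin@kyma.cx", Groups: []string{"system:authenticated"}}

	out, err := ImpersonationHeaders(in, id)
	fmt.Println(out, err)

	in.Set("Impersonate-User", "someone-else@kyma.cx")
	_, err = ImpersonationHeaders(in, id)
	fmt.Println("mismatch rejected:", err)
}
```

For this to work the proxy's service account must be allowed to impersonate: kube-apiserver only honours `Impersonate-*` headers when the authenticated caller has the `impersonate` verb on the `users` and `groups` resources, so the service account needs a (Cluster)Role granting exactly that and nothing broader. Once it does, each audit event shows the service account under `user` and the end user under `impersonatedUser`, which is the information the issue reports as missing.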