Prevent proxy from starting if the SA does not match

[enj]

We get the SA name as user input, and process it here:

oauth-proxy/providers/openshift/provider.go

Lines 94 to 105 in a95fc9f

	// all OpenShift service accounts are OAuth clients, use this if we have it
	if len(serviceAccount) > 0 {
	if data, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/namespace"); err == nil && len(data) > 0 {
	defaults.ClientID = fmt.Sprintf("system:serviceaccount:%s:%s", strings.TrimSpace(string(data)), serviceAccount)
	log.Printf("Defaulting client-id to %s", defaults.ClientID)
	}
	tokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token"
	if data, err := ioutil.ReadFile(tokenPath); err == nil && len(data) > 0 {
	defaults.ClientSecret = strings.TrimSpace(string(data))
	log.Printf("Defaulting client-secret to service account token %s", tokenPath)
	}
	}

This code assumes the SA provided by user input is the same one that is running the pod (because we use that as the secret for the SA based OAuth client). It pulls the SA namespace from this as well.

We need to validate this instead of assuming the values are in agreement. We could do oc get user ~ with the SA token to make sure it matches (but I feel like there must be a better way to tell what SA is running a pod from inside the pod). The more correct thing would be a flag like --use-openshift-service-account=bool that just pulls the correct information from the pod / API.

xref: #60

[mrogers950]

@enj This sounds like a good idea to me.

[jparrill]

+1

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci-robot]

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.