Sig-Auth Pre-Acceptance TODOs

[ibihim]

• Remove insecure-listen-address as it is dangerous to do so with an auth proxy (link)
• Add client certificates for kube-rbac-proxy to upstream (link)
• Update developer documentation to emphasize the distinction between authn opts and authz configs and show the config format (link).
• Don't allow attributes requests without http methods (link).
• Improve logic coordination of in proxy.go to not rely on other parts of the code base to handle empty attributes (link).
• Check all headers with an AND logic (link).
• Remove unused DeepCopy (link).
• Diff with http.Transport defaults in k/k (link).
• H2C topics and disabling TLS (link).
• Return errors to users, when those happen (link, link).
• Mux logic needs 100% test coverage and / or improve readability (link, link).
• Explain what a bool return value on the kubeRBACProxy Handle means (link).
• Reuse k8s.io/apiserver serving logic (link).
• Use upstream authentication request logic fully: authenticator.Request -> filters.WithAuthentication (link).
• Verify that native library proxy isn't vulnerable to cve-2018-1002105 or consider using code from this implementation. (YouTube - SIG-AUTH Bi-Weekly Meeting)

Related: Post-Acceptance.

[enj]

When writing tests for the proxy, please make sure to have coverage for http1 only, http2 only and http1+http2. GHSA-pvxj-25m6-7vqr is an example of a proxy CVE that only occurs over http1.

[ibihim]

I discussed breaking changes like removing CLI API (insecure listen address: link) and we would like to keep the PR open and merge it at the very end and create warning logs until then.

[ibihim]

I tried to replicate the CVE based on go example and by reading through the blog.

I couldn't make it work, so I read through the fix and the native reverse proxy in use.

The native proxy checks for upstream to agree on an upgrade of the connection.

[ibihim]

Closing this as it doesn't have any use any more.