*: Support reviewing audiences of token #56
Conversation
brancz
force-pushed
the
token-audience-review
branch
from
3a12f24
to
7e5f3bc
Compare
|
do you mind to put the vendoring into a separate commit? |
brancz
force-pushed
the
token-audience-review
branch
from
7e5f3bc
to
583e1f4
Compare
|
Done. |
| @@ -0,0 +1,170 @@ | |||
| # non-resource-url example | |||
There was a problem hiding this comment.
hmm, how does this differ from examples/non-resource-url-token-request/README.md? Or is this duplication just accidentally?
There was a problem hiding this comment.
whops I haven't finished this yet it seems
| @@ -0,0 +1,170 @@ | |||
| # non-resource-url example | |||
There was a problem hiding this comment.
same question as above: how do these example differ?
|
@brancz looking good so far, just a couple of questions:
|
brancz
force-pushed
the
token-audience-review
branch
from
583e1f4
to
ede3776
Compare
brancz
force-pushed
the
token-audience-review
branch
2 times, most recently
from
41a4d7e
to
938f07a
Compare
Done, sorry about that.
Fixed this.
It doesn't really, I just wanted to provide some example showing the functionality. I added a note at the top of the example readme to make sure that's clearer:
This should be ready for another round of reviews now :) |
|
Are you still waiting for reviews or something else? |
|
Waiting for reviews :) |
| @@ -28,18 +28,22 @@ All command line flags: | |||
| ```txt | |||
| $ kube-rbac-proxy -h | |||
| Usage of _output/linux/amd64/kube-rbac-proxy: | |||
| --add_dir_header If true, adds the file directory to the header | |||
There was a problem hiding this comment.
I am wondering if this is used at all?
| --stderrthreshold severity logs at or above this threshold go to stderr (default 2) | ||
| --tls-cert-file string File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert) | ||
| --tls-cipher-suites strings Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be used | ||
| --tls-min-version string Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. (default "VersionTLS12") | ||
| --tls-private-key-file string File containing the default x509 private key matching --tls-cert-file. | ||
| --tls-reload-interval duration The interval at which to watch for TLS certificate changes, by default set to 1 minute. (default 1m0s) |
There was a problem hiding this comment.
This actually came in as I regenerated the help text
|
|
||
| > Token audience reviews can be combined with any of the other features of kube-rbac-proxy, such as reviewing permission for specific resources, this example merely chooses to show the functionality using a non-resource-url permission. | ||
|
|
||
| This examples is in essence similar to the [non-resource-url](../non-resource-url/) example, with the key difference, that this example requires the ServiceAccount token sent by a client must be scoped to the `kube-rbac-proxy.default.svc` audience. In this example the scoped ServiceAccount token is obtained via a projected volume and mounted into the client container from where it can be consumed. The reasoning here is that scroped tokens cannot be used to impersonate an entity by re-using the token to perform a request against the Kubernetes API itself. |
brancz
force-pushed
the
token-audience-review
branch
from
938f07a
to
47799f6
Compare
brancz
force-pushed
the
token-audience-review
branch
from
47799f6
to
96d3359
Compare
|
I split the PR into multiple commits, which should make it very easy to review now, as the actual code changes (in the second commit) are minimal and are mainly upgrading to using the v1 APIs. The rest are tests and docs (95% of this PR). |
| if len(authn.X509.ClientCAFile) > 0 { | ||
| p, err = dynamiccertificates.NewStaticCAContentFromFile(authn.X509.ClientCAFile) | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
just a nit: let's wrap this err, so context is visible in log lines.
|
this lgtm 🎉 I really just have one nit regarding error wrapping, else this looks great. A small code footprint, but great security improvement 👍 |
…hift-4.12-kube-rbac-proxy OCPBUGS-11645: Updating kube-rbac-proxy images to be consistent with ART
This adds the ability to verify the audience of a token, so clients can use audience scoped tokens, as opposed to essentially allowing the kube-rbac-proxy to impersonate the requesting client using its serviceaccount token.
Closes #18
@s-urbaniak @paulfantom @lilic @metalmatze