Kube rbac proxy

kube-rbac-proxy/01_deploy.sh

@@ -1,9 +1,17 @@
 #!/bin/bash
 
-# deploy dex
-sed "s/{{MINIKUBE_IP}}/$( minikube ip )/g" deploy.yaml | kubectl apply -n che -f -
+NAMESPACE=${1}
+USER=${2:-${NAMESPACE}@che}
 
-until [ $( kc get ingress -n che | grep kube-rbac-app | grep -o $( minikube ip ) | wc -l) -eq 2 ]; do echo "Waiting for ingress ..."; sleep 3; done
+if [ -z ${NAMESPACE} ]; then
+  echo "you have to define the namespace './01_deploy <namespace>'"
+  exit 1
+fi
+
+# deploy app with kube-rbac-proxy
+sed "s/{{MINIKUBE_IP}}/$( minikube ip )/g; s/{{NAMESPACE}}/${NAMESPACE}/g" deploy.yaml | kubectl apply -n ${NAMESPACE} -f -
+
+until [ $( kubectl get ingress -n ${NAMESPACE} | grep kube-rbac-app | grep -o $( minikube ip ) | wc -l) -eq 2 ]; do echo "Waiting for ingress ..."; sleep 3; done
 echo
-echo "http://kube-rbac-app.$( minikube ip ).nip.io"
+echo "http://${NAMESPACE}-kube-rbac-app.$( minikube ip ).nip.io"
 echo

kube-rbac-proxy/03_test.sh

@@ -1,10 +1,11 @@
 #!/bin/bash
 
-TOKEN=${1}
+NAMESPACE=${1:-che}
+TOKEN=${2}
 
 if [ -z ${TOKEN} ]; then
   echo
-  echo "You can pass the token to the script like './03_test.sh <token>'"
+  echo "You can pass the token to the script like './03_test.sh <namespace> <token>'"
   echo "If you've deployed with minikube+dex setup, you can get the token after login at http://oidc-example-app.$( minikube ip ).nip.io/"
   echo
   echo
@@ -14,4 +15,4 @@ fi
 MINIKUBE_IP=$( minikube ip )
 set -x
 
-curl -H "Authorization: Bearer ${TOKEN}" "http://kube-rbac-app.${MINIKUBE_IP}.nip.io/query"
+curl -X GET -H "Authorization: Bearer ${TOKEN}" "http://${NAMESPACE}-kube-rbac-app.${MINIKUBE_IP}.nip.io/query?namespace=${NAMESPACE}"

kube-rbac-proxy/README.md

@@ -0,0 +1,36 @@
+# Setup demo application with kube-rbac-proxy as a sidecar
+
+## How to run it
+__minikube_dex__ setup has defined 5 static users user[1-5]@che and script `minikube_dex/13_prepareNamespaces.sh` has created 5 namespaces `user[1-5]` with users `user[1-5]@che` having admin ClusterRole in their matching namespace.
+
+`./01_deploy.sh <namespace> <user>` will deploy demo application to given namespace (`<user>` parameter is optional. The script derives the user from namespace like `<namespace>@che`). Users having `services/proxy` permissions in the namespace will be able to access the application.
+
+### Test
+You need to obtain a token for the user (see `minikube_dex/README.md`). Then run `./03_test.sh <namespace> <token>`.
+
+You can then run `01_deploy.sh` for different user and try to use one token for various namespaces.
+
+If you open endpoint in the browser, you should get `Unauthorized`, because you're not passing the token header.
+
+### Notes
+
+#### permissions
+kube-rbac-proxy needs following rules on cluster level (ClusterRoleBinding)
+```
+rules:
+- apiGroups: ["authentication.k8s.io"]
+  resources:
+  - tokenreviews
+  verbs: ["create"]
+- apiGroups: ["authorization.k8s.io"]
+  resources:
+  - subjectaccessreviews
+  verbs: ["create"]
+```
+
+#### Authorization header with bearer token
+kube-rbac-proxy does not pass bearer token header to upstream application. 
+
+It removes the header in authentication phase. It allows to pass the user and groups in `x-remote-user` and `x-remote-groups` headers (configurable with `auth-header-fields-enabled`, `auth-header-groups-field-name`, `auth-header-groups-field-separator`, `auth-header-user-field-name`).
+
+I've created an issue (https://github.com/brancz/kube-rbac-proxy/issues/114) and proposed the PR (https://github.com/brancz/kube-rbac-proxy/pull/115) to allow passing the token to upstream application.

kube-rbac-proxy/deploy.yaml

@@ -67,9 +67,9 @@ data:
     authorization:
       resourceAttributes:
         apiVersion: v1
-        resource: service
-        subresource: kube-rbac-app
-        namespace: "che"
+        resource: services
+        subresource: proxy
+        namespace: "{{NAMESPACE}}"
 ---
 kind: Service
 apiVersion: v1
@@ -93,7 +93,7 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
 spec:
   rules:
-    - host: kube-rbac-app.{{MINIKUBE_IP}}.nip.io
+    - host: {{NAMESPACE}}-kube-rbac-app.{{MINIKUBE_IP}}.nip.io
       http:
         paths:
           - path: /
@@ -112,20 +112,20 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: kube-rbac-proxy
+  name: {{NAMESPACE}}-kube-rbac-proxy
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: kube-rbac-proxy
+  name: che-kube-rbac-proxy
 subjects:
 - kind: ServiceAccount
   name: kube-rbac-proxy
-  namespace: che
+  namespace: {{NAMESPACE}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kube-rbac-proxy
+  name: che-kube-rbac-proxy
 rules:
 - apiGroups: ["authentication.k8s.io"]
   resources:

minikube_dex/11_tokenapp.sh

@@ -10,5 +10,11 @@ until [ $( kubectl get ingress -n che | grep oidc-example-app | grep -o $( minik
 
 echo
 echo "http://oidc-example-app.$( minikube ip ).nip.io"
-echo "email login credentials => che@eclipse.org:password"
+echo "email login credentials:"
+echo "   che@eclipse.org:password"
+echo "   user1@che:password"
+echo "   user2@che:password"
+echo "   user3@che:password"
+echo "   user4@che:password"
+echo "   user5@che:password"
 echo

minikube_dex/13_prepareNamespaces.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+for i in {1..5}; do
+  NAMESPACE="user${i}"
+  USER="user${i}@che"
+  echo "Preparing namespace '${NAMESPACE}' for user '${USER}'"
+
+  kubectl create namespace ${NAMESPACE}
+
+  echo "
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ${NAMESPACE}-admin
+subjects:
+  - kind: User
+    name: ${USER}
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
+" | kubectl apply -n ${NAMESPACE} -f -
+done

minikube_dex/README.md

@@ -33,7 +33,7 @@ Starts simple minikube instance
 Generates self-signed tls certificates for subdomains of minikube's ip `*.$( minikube ip ).nip.io`. Copies certificate authority into minikube folder, so _apiserver_ can later see it. __Don't forget to import `ssl/ca.pem` into your browser.__
 
 #### 03_dex.sh
-Deploys dex with specific configuration to this minikube instance. There is one static user set with credentials `che@eclipse.org:password`. Optionally set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET env variables prior running this script, to have github authentication working.
+Deploys dex with specific configuration to this minikube instance. There is six static users set with credentials `che@eclipse.org:password` and `user[1-5]@che:password`. Optionally set GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET env variables prior running this script, to have github authentication working.
 
 #### 04_minikube_apiserver.sh
 Configures minikube apiserver with dex as oidc provider.
@@ -42,4 +42,7 @@ Configures minikube apiserver with dex as oidc provider.
 Deploys dex's example app https://github.com/dexidp/dex/tree/master/examples/example-app. With this web app it's easy to get the oidc token.
 
 #### 12_testapp.sh
-Deploys my authentication test app https://github.com/sparkoo/che-auth-testapp. This is useful to test if authentication and authorization with the token is actually working. This will add admin permissions to namespace `che` for user `che@eclipse.org`.
+Deploys my authentication test app https://github.com/sparkoo/che-auth-testapp. This is useful to test if authentication and authorization with the token is actually working. This will add admin permissions to namespace `che` for user `che@eclipse.org`.
+
+#### 13_prepareNamespaces.sh
+Creates 5 namespaces `user[1-5]` with admin permissions for corresponding user.

minikube_dex/dex.yaml

@@ -105,6 +105,26 @@ data:
       hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
       username: "admin"
       userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+    - email: "user1@che"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "user1"
+      userID: "1"
+    - email: "user2@che"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "user2"
+      userID: "2"
+    - email: "user3@che"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "user3"
+      userID: "3"
+    - email: "user4@che"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "user4"
+      userID: "4"
+    - email: "user5@che"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "user5"
+      userID: "5"
 ---
 apiVersion: v1
 kind: Service