Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Evaluate conservative default authentication protection for mission applications #514

Open
rjferguson21 opened this issue Jun 27, 2024 · 1 comment
Open

Evaluate conservative default authentication protection for mission applications #514

rjferguson21 opened this issue Jun 27, 2024 · 1 comment
Labels
security sso Issues related to the SSO stack (Keycloak/Authservice)

Comments

@rjferguson21
Copy link
Contributor

rjferguson21 commented Jun 27, 2024
edited

As a follow on to adding authservice protection support in UDS Core we should evaluate if it makes sense to encourage/enforce default protection by authservice for all pods.

Currently as-implemented users opt-into protecting specific pods by using the enableAuthserviceSelector

apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: httpbin
  namespace: httpbin
spec:
  sso:
    - name: Demo SSO httpbin
      clientId: uds-core-httpbin
      redirectUris:
        - "https://httpbin.uds.dev/login"
      enableAuthserviceSelector:
        app: httpbin

An alternative approach would be encouraging the use of enableAuthserviceSelector: {} which results in authservice protection for all pods in a Package namespace.

Blake's original comment:
"Particularly, I want to ensure all Pods have authentication of some type. Postgres or other in-cluster databases can be excluded, but I actually would consider protecting mission app's backend HTTP services by default. This does require the mission app developers to pass the JWT from requests to the frontend to the backend app though.

One attack this protects mission apps from is XSRF between the frontend and backend Pods of the mission app itself. It also protects the backend Pod from other in-cluster attacks, but NetworkPolicies should block other in-cluster requests. Intra-namespace between frontend and backend Pods will always be allowed though and really is vulnerable to some things like XSRF vulnerabilities in the frontend mission app code.

As needed, sure people can configure enableAuthserviceSelector: to only specific labels. But then authservice doesn't actually protect the excluded Pods. I'd rather see us recommend a secure by default configuration. The cluster administer needs to do a careful review of any code that has no authservice-protection and ensure it has sufficient authentication (which may involve a deep code review of a mission app).

We should discuss this though. I think this was the default mission app deployment model in Party Bus. @ntwkninja, did you say you were requiring mission apps to pass a JWT from frontend to backend?"

Originally posted by @bburky in #201 (comment)
@rjferguson21 rjferguson21 changed the title Evaluate and implement conservative default authentication protection for mission applications Evaluate conservative default authentication protection for mission applications Jun 27, 2024
@rjferguson21 rjferguson21 mentioned this issue Jun 27, 2024
Merged
@mjnagel mjnagel added the sso Issues related to the SSO stack (Keycloak/Authservice) label Jul 2, 2024
@ntwkninja
Copy link
Member

did you say you were requiring mission apps to pass a JWT from frontend to backend?"

yes, that is currently how it is set up

@brianrexrode @RothAndrew can you confirm?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security sso Issues related to the SSO stack (Keycloak/Authservice)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rjferguson21 @mjnagel @ntwkninja