-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inject a jwtproxy container into each Pod instead of creating a separated Pod for it #10404
Comments
Also, it may be an issue for Che |
I like this approach |
Is it implemented by using PVC? If yes - I think there is no issue with that. I mean the way of communication with LS which I investigated some time ago #8171 (comment) |
I have created an issue for reworking internal servers not to use Services for exposing. |
It's always nice to improve security but in this particular case, I think the flow with a single namespace for several users can make system design more error-prone for the sake of non-clear (to me personally) profit. I added my thoughts about it below.
The general idea from me is that it might make sense to go this direction to secure APIs in some cases, but I'm not sure we know exact important use cases for that right now and that these use cases would compensate our efforts and complexity of the system we would bring to it. |
I would like to explore too. Generally, I agree with you and I think it would be OK to document that for non-development workflows different namespaces must be used for different users. The only one thing that I want to note: there is the same security issue when each user has a unique namespace (like OSIO configuration) and share his running workspace while there are other running workspaces (it's not OSIO use case since there is limitation to have only one running workspace at the same time). |
Issues go stale after Mark the issue as fresh with If this issue is safe to close now please do so. Moderators: Add |
Description
The initial implementation of secure servers for Kubernetes/OpenShift infrastructures is implemented in the following way:
So, a secure server is exposed with Kubernetes Service withing namespace but does not have an externally accessible endpoint.
There is created Ingress/Route that exposes externally the corresponding JWTProxy container port, which traffic will be proxied to original service ports if a correct machine token is present.
During a discussion with @l0rd @ibuziuk @skabashnyuk it was mentioned that it may have the following security issue: in a case when Che is configured to use the same namespace for workspaces of different users, there is an ability for a user to request another user security servers without specified machine token. It would be more secure to inject JWTProxy into each pod as a container. Then JWTProxy may be configured to proxy requests directly to
localhost:{PORT}
via internal pod network. In this case, a bare secure server won't be exposed by Service and it won't be possible to request secure server outside of pod without a correct machine token.The only possible issue that is here - there is a possible conflict of ports that will be solved as a separated issue. It may happen because different containers in the same pod used the common ports pool. JwtProxy needs to occupy some ports, and the conflict may happen if the server (or just process) is configured to use the same port as JwtProxy chosen.
Looks like we are not able to predict all ports that may be occupied with processes.
The simple solution here is the same as we did for installers conflicts: use non-used by server port from configured scope https://github.com/eclipse/che/blob/242f56a8fd88a9ce1e57a40654d608330fafb0b4/infrastructures/kubernetes/src/main/java/org/eclipse/che/workspace/infrastructure/kubernetes/provision/InstallerServersPortProvisioner.java#L63-L64
So, within this issue it is also needed to decide if this solution is good enough or not, and implement the described algorithm of ports choosing or create a separated issue for finding better solution and implement the simplest algorithm for choosing ports for JwtProxy.
The text was updated successfully, but these errors were encountered: