Added Addon Authn Pattern proposal #29714
Conversation
k8s-github-robot
added
kind/design
erictune
force-pushed
the
addon-auth-pattern
branch
from
493876d to
c2945d6
Compare
|
@kubernetes/sig-auth @bryk |
k8s-github-robot
added
the
do-not-merge
| 1. Dashboard is running with service `dashboard` in namespace `kube-system`. | ||
| 1. User runs `kubectl proxy -p 8001 &`. | ||
| - Same as before. | ||
| 1. User enters this into their browser navigation bar: `http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/?add-auth=true#/workload` |
There was a problem hiding this comment.
Hmm... Cannot kubectl proxy inject the header? E.g., currently when I do kubectl get pods it is equivalent to running curl -k -v -XGET -H "Authorization: Basic <redacted>==" https://<redacted>/api/v1/namespaces/default/pods. What if kubectl injected this auth:basic header to user's requests?
There was a problem hiding this comment.
It does inject the Authorization header with the user's long-lived, unscoped token. We want Dashboard to see a short-lived, scoped token.
|
is it unreasonable to require TLS between the API proxy and the pod? if we did that, the proxy could add a header containing user information, and identify itself to the pod using a client certificate (enabled in #26634). Pods could verify the client certificate on the request, then use the user information in the header. |
|
I like the idea of TLS, and I like the idea of the API server presenting a client cert. The reason I didn't include TLS in this proposal is I didn't know a nice way to generate and distribute a server cert for the "pod", signed by a CA that the apiserver would recognize. And I don't want to solve the general problem of cert distribution this month. Do you see any way to skirt the issue of distributing a valid TLS cert to the pod-as-a-server? |
|
Okay, I just read #26634. I that PR, the apiserver, as a client, accepts an invalid cert from the pod-as-server. Let me comment on that PR. |
apelisse
removed
the
do-not-merge
erictune
force-pushed
the
addon-auth-pattern
branch
from
c2945d6 to
26bdaf3
Compare
|
Updated to use client cert and #26634. |
erictune
added
release-note-none
|
@enisoc, you may be interested |
| 1. User runs `kubectl proxy -p 8001 &`. | ||
| - Same as before. | ||
| 1. User enters this into their browser navigation bar: `http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/?add-auth=true#/workload` | ||
| - Difference is the addition of the `add-auth=true` query parameter, which is handled by the APIserver. |
There was a problem hiding this comment.
What will the URL look like if the target service already has its own query parameters?
For example, what if the URL before add-auth is:
http://localhost:8001/api/v1/proxy/namespaces/default/services/my-dashboard/page?arg=value
There was a problem hiding this comment.
Good point, what I said won't work. I've changed this to not use a query parameter, but instead use an annotation on the service. This makes more sense than requiring the user to specify it, since the need for authentication headers is a property of the service.
|
Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test". This message will repeat several times in short succession due to jenkinsci/ghprb-plugin#292. Sorry. |
erictune
force-pushed
the
addon-auth-pattern
branch
from
26bdaf3 to
efba0ac
Compare
|
ok-to-test |
|
Could this also be used for monitoring (e.g., heapster) and logging (e.g., elasticsearch), or is the dashboard the main use case right now? |
erictune
force-pushed
the
addon-auth-pattern
branch
from
efba0ac to
76d57af
Compare
|
Other use case: federation apiserver hosted on one of the clusters of a On Wed, Aug 31, 2016 at 2:11 PM, Brian Grant notifications@github.com
|
|
Good point Solly, I updated to include this at the end of the doc. On Wed, Aug 31, 2016 at 2:58 PM, Eric Tune etune@google.com wrote:
|
|
GCE e2e build/test passed for commit 76d57af. |
|
I'm willing to help with this proposal. Still there are some things that are a bit vague to me and my background regarding security is not that great but as I'm going through the code It's getting more clear. Few questions:
There will be more once I dive into the code :) Some detailed scenario would help me understand it better if someone has time to write one. |
Presumably, it would work based on any auth method, then the strip the actual auth info, and the application would just use
This would be information passed through by the auth system, presumably -- it populates a nice |
Then apiserver authn should pretty much stay as it is and after that there should be new part(plugin?) that either proxies request directly to the application (should we skip apiserver authz and admission controller or only authz?) or uses default path (authz + admission controller) before passing it further.
Thanks! I've found that in the code and you're right. |
|
@pwittrock |
|
Adding label:do-not-merge because PR changes docs prohibited to auto merge |
k8s-github-robot
added
kind/design
|
cc @rf232 |
|
[APPROVALNOTIFIER] Needs approval from an approver in each of these OWNERS Files: We suggest the following people: |
|
This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review. cc @bgrant0607 @erictune @smarterclayton You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days |
| 1. User enters this into their browser navigation bar: `http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload` | ||
| - This causes the API server to proxy a single HTTP request. | ||
| - The effect of the two proxies is that an HTTP request on localhost:8001 becomes an HTTP request for `/#/workloads` on port 80 on the pod IP of one of the Pods that backs services `dashboard` in namespace `kube-system`. So far so good. | ||
| 1. *NEW* When the API server proxies a request to a service with annotation `alpha.service-proxy.kubernetes.io/proxy-authentication`, it does the following extra steps: |
There was a problem hiding this comment.
it feels odd that the proxy-authentication annotation only works when proxy-ing through the API server, would it make sense to implement this lower in the stack (at the same level as kube-proxy for example) such that if the annotation is applied, a proxy-authn add-on will do the exact same logic as the proposed solution for the API server.
This way, this annotation is a lot more powerful since it will seamlessly be applied regardless of how the end-user chooses to access a service.
| 1. User enters this into their browser navigation bar: `http://localhost:8001/api/v1/proxy/namespaces/kube-system/services/kubernetes-dashboard/#/workload` | ||
| - This causes the API server to proxy a single HTTP request. | ||
| - The effect of the two proxies is that an HTTP request on localhost:8001 becomes an HTTP request for `/#/workloads` on port 80 on the pod IP of one of the Pods that backs services `dashboard` in namespace `kube-system`. So far so good. | ||
| 1. *NEW* When the API server proxies a request to a service with annotation `alpha.service-proxy.kubernetes.io/proxy-authentication`, it does the following extra steps: |
There was a problem hiding this comment.
Is there a backwards compat or performance reason to make it opt-in? Could the api server always add the header?
|
This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review. cc @bgrant0607 @erictune @smarterclayton You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days |
|
Is there an update on this functionality? I'm trying to expose the Dashboard through address 0.0.0.0 port 8001 but sending the Authorization: Bearer XXXXX always gives a message Unauthorized anyways. How to access dashboard? |
This change is