Allow secure access to apiserver from Admission Controllers #31491
Conversation
|
Don't know if this is an acceptable work around for now, hence the WIP. Tested by modifying hack/local-up-cluster.sh like so http://paste.openstack.org/show/563759/ |
k8s-github-robot
added
size/M
dims
force-pushed
the
fixes-issue-13598
branch
2 times, most recently
from
4e3531f to
021a9df
Compare
|
@kubernetes/sig-auth This is an interesting idea. A few things that leap out at me:
|
dims
force-pushed
the
fixes-issue-13598
branch
from
021a9df to
f1cb1e9
Compare
k8s-github-robot
added
size/L
| clientConfig.BearerToken = uuid.NewRandom().String() | ||
| clientConfig.TLSClientConfig = restclient.TLSClientConfig{ | ||
| CertFile: s.TLSCertFile, | ||
| KeyFile: s.TLSPrivateKeyFile, |
There was a problem hiding this comment.
Private key? Isn't this just authenticating using the token?
There was a problem hiding this comment.
Since we switch off the insecure port, we just have the 6443 https port which is secure. Talking to this port you need the TLS Cert+Key.
There was a problem hiding this comment.
no, you need the CA bundle of the server's cert, not a client cert
There was a problem hiding this comment.
@liggitt So TLSClientConfig should have just one field which is a CAFile? where do i get that file path from? (is it a field from ServerRunOptions?)
There was a problem hiding this comment.
Anything that has a kubeconfig (kubelet, kube proxy, controller manager, etc) has it, but I don't think the server knows its own CA bundle currently
There was a problem hiding this comment.
Just realized, i don't need to set anything as i am setting the Insecure flag. Duh! thanks @liggitt and @ericchiang
dims
force-pushed
the
fixes-issue-13598
branch
from
f1cb1e9 to
5023d4b
Compare
dims
force-pushed
the
fixes-issue-13598
branch
from
5023d4b to
a83d4db
Compare
| if options.InsecurePort < 1 || options.InsecurePort > 65535 { | ||
| glog.Fatalf("--insecure-port %v must be between 1 and 65535, inclusive.", options.InsecurePort) | ||
| if options.InsecurePort < 0 || options.InsecurePort > 65535 { | ||
| glog.Fatalf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort) | ||
| } |
There was a problem hiding this comment.
probably need to fail if both ports are turned off?
dims
force-pushed
the
fixes-issue-13598
branch
5 times, most recently
from
0726140 to
3878f70
Compare
|
@kubernetes/sig-auth @deads2k @lavalamp @smarterclayton - If the approach sounds good, i'll add tests and remove WIP. Please let me know |
The idea of a random token only good for a loopback connection to the API server seems reasonable to me. I'm not sure the particulars work for me though. I'm trying to think through how I would expect this to be combined with authorization and I'm not sure that I want this tied to a magic subject name. There are alternatives that would avoid any interaction with an existing authorizer. Say the username was random (same as the token maybe or prefixed?) and you specified the Alternatively, we could lay claim to certain group names. OpenShift did this with I don't like the |
|
I really do prefer the reserved group name pattern. I think it addresses a On Tue, Aug 30, 2016 at 8:53 AM, David Eads notifications@github.com
|
* Allow options.InsecurePort to be set to 0 to switch off insecure access * In NewSelfClient, Set the TLSClientConfig to the cert and key files if InsecurePort is switched off * Mint a bearer token that allows the client(s) created in NewSelfClient to talk to the api server * Add a new authenticator that checks for this specific bearer token Fixes kubernetes#13598
dims
force-pushed
the
fixes-issue-13598
branch
from
ebe9831 to
25d4a70
Compare
| @@ -213,12 +215,14 @@ func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, err | |||
| QPS: 50, | |||
| Burst: 100, | |||
| } | |||
| if s.SecurePort > 0 { | |||
| if s.SecurePort > 0 && len(s.TLSCAFile) > 0 { | |||
There was a problem hiding this comment.
@deads2k In theory we could have used s.ClientCAFile, but i think we should allow folks to separate the CA authority for the TLS cert and the one for to validating kubectl clients. So added another flag for this purpose. Please let me know if this is ok.
There was a problem hiding this comment.
tested by generating certs as mentioned in https://coreos.com/kubernetes/docs/latest/openssl.html and patching hack/local-up-cluster.sh as follows
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index e580a3d..398deff 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -310,12 +310,16 @@ function start_apiserver {
--service-cluster-ip-range="10.0.0.0/24" \
--cloud-provider="${CLOUD_PROVIDER}" \
--cloud-config="${CLOUD_CONFIG}" \
+ --tls-cert-file=/home/dims/k8s/apiserver.pem \
+ --tls-private-key-file=/home/dims/k8s/apiserver-key.pem \
+ --tls-ca-file=/home/dims/k8s/ca.pem \
+ --basic-auth-file=/home/dims/k8s/basicauth.csv \
--cors-allowed-origins="${API_CORS_ALLOWED_ORIGINS}" >"${APISERVER_LOG}" 2>&1 &
APISERVER_PID=$!
# Wait for kube-apiserver to come up before launching the rest of the components.
echo "Waiting for apiserver to come up"
- kube::util::wait_for_url "http://${API_HOST}:${API_PORT}/api/v1/pods" "apiserver: " 1 ${WAIT_FOR_URL_API_SERVER} || exit 1
+ #kube::util::wait_for_url "http://${API_HOST}:${API_PORT}/api/v1/pods" "apiserver: " 1 ${WAIT_FOR_URL_API_SERVER} || exit 1
}
function start_controller_manager {
There was a problem hiding this comment.
@deads2k In theory we could have used s.ClientCAFile, but i think we should allow folks to separate the CA authority for the TLS cert and the one for to validating kubectl clients. So added another flag for this purpose. Please let me know if this is ok.
Yes, a new flag is appropriate.
dims
force-pushed
the
fixes-issue-13598
branch
from
6190aef to
364dd1a
Compare
|
@k8s-bot kubemark test this |
|
drive-by comment: @deads2k says "the token isn't valid across the cluster, only local to this API server. That's a little strange, but given usage I don't know that it bothers me." It actually is a problem if the client goes through a load balancer or something instead of directly to what the apiserver is listening on. |
|
@lavalamp We construct a special in-process client to talk to the ip/port that the same process is listening on. So it does not access anything outside the same process. hope this helps. |
| clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort)) | ||
| } else { | ||
| return nil, errors.New("Unable to set url for apiserver local client") |
There was a problem hiding this comment.
Very nice. Exactly what I was thinking.
|
@dims This is a great start, but I think there's more work to do. I'd like to see followup issues and pulls to:
This much is secure and lgtm. Merging what we have now. |
deads2k
added
lgtm
deads2k
added
the
priority/backlog
|
This pull is needed to set up secure bootstrapping for rbac roles. Bumping priority since work is waiting on it. |
|
@deads2k happy to pitch in with all that stuff over 1.5 time period. thanks |
|
@k8s-bot gce e2e test this |
|
Jenkins GCE e2e failed for commit 364dd1a. The magic incantation to run this job again is |
|
@k8s-bot gce e2e test this |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
|
Opened #33375 to track the local-up-cluster changes since it needs to take into account using that secure connection from the controller-manager. |
if InsecurePort is switched off
to talk to the api server
Fixes #13598
This change is