Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add manual opt-in for legacy service account tokens #357

Open
wants to merge 3 commits into
base: sig-auth-acceptance
Choose a base branch
from
Open

Add manual opt-in for legacy service account tokens #357

wants to merge 3 commits into from

Conversation

kramaranya
Copy link
Contributor

Fixes #336

@kramaranya
c/k/a/opts: add --allow-legacy-serviceaccount-tokens flag and validation
57f326b 
Signed-off-by: kramaranya <kramaranya15@gmail.com>
@kramaranya
c/k/a/opts: add test for legacy serviceaccount token validation
a9c2ea9 
Signed-off-by: kramaranya <kramaranya15@gmail.com>
@kramaranya kramaranya changed the title WIP: Add manual opt-in for legacy service account tokens Add manual opt-in for legacy service account tokens Feb 10, 2025
@kramaranya
Copy link
Contributor Author

@stlaz @ibihim could you please review this pr?

ibihim
ibihim reviewed Feb 13, 2025
View reviewed changes
Copy link
Collaborator

@ibihim ibihim left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The unit tests might not have been necessary, but fixing the e2e-tests would be crucial :)

You also need to regenerate the README.md with the make generate.

@ibihim
Copy link
Collaborator

ibihim commented Feb 13, 2025

/lgtm

@ibihim
Copy link
Collaborator

ibihim commented Feb 14, 2025

@kramaranya, I think we have an audience token test, right? we might be able to drop it, if we do not have any tests without audience set, right? Maybe we could have a negative test case then, that the server fails if it isn't set?

stlaz
stlaz requested changes Feb 18, 2025
View reviewed changes
Copy link
Collaborator

@stlaz stlaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will legacy SA tokens be denied when the new flag is unset but audiences are set?
Will they be accepted if both are set?

Please add e2e tests for all possible scenarios, I don't think I've found legacy SA tokens creation in the e2e tests.

cmd/kube-rbac-proxy/app/options/proxyoptions_test.go Outdated
@@ -17,6 +17,7 @@ limitations under the License.
package options

import (
"github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this belongs in the last import group below

README.md Outdated
--allow-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the request doesn't match, kube-rbac-proxy responds with a 404 status code. If omitted, the incoming request path isn't checked. Cannot be used with --ignore-paths.
--auth-header-groups-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups")
--auth-header-groups-field-separator string The separator string used for concatenating multiple group names in a groups header field's value (default "|")
--auth-header-user-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
--auth-token-audiences strings Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
--auth-token-audiences strings Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. If omitted, the token is considered legacy.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
--auth-token-audiences strings Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. If omitted, the token is considered legacy.
--auth-token-audiences strings Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. Must be set unless --allow-legacy-serviceaccount-tokens is true.

cmd/kube-rbac-proxy/app/options/proxyoptions_test.go Outdated
Comment on lines 147 to 148
userKey := "User"
groupKey := "Group"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be const

cmd/kube-rbac-proxy/app/options/proxyoptions_test.go
Comment on lines +132 to +144
Upstream string
UpstreamForceH2C bool
UpstreamCAFile string
UpstreamClientCertFile string
UpstreamClientKeyFile string
UpstreamHeader *identityheaders.AuthnHeaderConfig
AuthzConfigFileName string
AllowPaths []string
IgnorePaths []string
ProxyEndpointsPort int
TokenAudiences []string
AllowLegacyServiceAccountTokens bool
DisableHTTP2Serving bool
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove fields that are currently untested. Or, preferrably, write tests for the rest of the fields 🙂

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I've added additional test cases to cover those fields :)

@kramaranya
Copy link
Contributor Author

@kramaranya, I think we have an audience token test, right? we might be able to drop it, if we do not have any tests without audience set, right? Maybe we could have a negative test case then, that the server fails if it isn't set?

@ibihim If I understood you correctly, I've already added a negative test for this scenario (empty audiences when legacy tokens are not allowed) -- https://github.com/brancz/kube-rbac-proxy/pull/357/files#diff-770d985644314c26e2d1c0e8fb70e4714408a9888a4e2749a633144697201bacR191-R203

stlaz
stlaz reviewed Feb 27, 2025
View reviewed changes
test/e2e/allowpaths/deployment.yaml
@@ -22,6 +22,7 @@ spec:
- "--proxy-endpoints-port=8643"
- "--upstream=http://127.0.0.1:8081/"
- "--allow-paths=/metrics,/api/v1/label/*"
- "--allow-legacy-serviceaccount-tokens=true"
Copy link
Collaborator

@stlaz stlaz Feb 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also add e2e tests for scenarios that actually use the legacy token according to #357 (review)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops completely forgot about this comment. will do, thanks for the reminder!

@kramaranya
README, test/e2e: add --allow-legacy-serviceaccount-tokens flag
a8e9da6 
Signed-off-by: kramaranya <kramaranya15@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stlaz stlaz stlaz requested changes

@ibihim ibihim ibihim left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kramaranya @ibihim @stlaz