From 57f326b518d841c22fcfdce46fa91cc92b5bd59c Mon Sep 17 00:00:00 2001 From: kramaranya Date: Tue, 4 Feb 2025 12:06:39 +0000 Subject: [PATCH 1/3] c/k/a/opts: add --allow-legacy-serviceaccount-tokens flag and validation Signed-off-by: kramaranya --- .../app/options/proxyoptions.go | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions.go b/cmd/kube-rbac-proxy/app/options/proxyoptions.go index d2cfe30fa..dafb1be40 100644 --- a/cmd/kube-rbac-proxy/app/options/proxyoptions.go +++ b/cmd/kube-rbac-proxy/app/options/proxyoptions.go @@ -58,6 +58,8 @@ type ProxyOptions struct { TokenAudiences []string + AllowLegacyServiceAccountTokens bool + DisableHTTP2Serving bool } 
@@ -79,7 +81,10 @@ func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) {
 flagset.StringVar(&o.UpstreamHeader.GroupsFieldName, "auth-header-groups-field-name", "x-remote-groups", "The name of the field inside a http(2) request header to tell the upstream server about the user's groups")
 flagset.StringVar(&o.UpstreamHeader.GroupSeparator, "auth-header-groups-field-separator", "|", "The separator string used for concatenating multiple group names in a groups header field's value")
- flagset.StringSliceVar(&o.TokenAudiences, "auth-token-audiences", []string{}, "Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.")
+ flagset.StringSliceVar(&o.TokenAudiences, "auth-token-audiences", []string{}, "Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. If omitted, the token is considered legacy.")
+
+ // legacy tokens are disabled by default.
+ flagset.BoolVar(&o.AllowLegacyServiceAccountTokens, "allow-legacy-serviceaccount-tokens", false, "If true, allow legacy service account tokens (without an audience). Legacy tokens are less secure and are disabled by default.")
 
 // proxy endpoints flag
 flagset.IntVar(&o.ProxyEndpointsPort, "proxy-endpoints-port", 0, "The port to securely serve proxy-specific endpoints (such as '/healthz'). Uses the host from the '--secure-listen-address'.")
@@ -91,8 +96,10 @@ func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) { func (o *ProxyOptions) Validate() []error { var errs []error - if len(o.UpstreamHeader.GroupSeparator) > 0 && len(o.UpstreamHeader.GroupsFieldName) == 0 { - errs = append(errs, fmt.Errorf("--auth-header-groups-field-name must be set along with --auth-header-groups-field-separator")) + if o.UpstreamHeader != nil { + if len(o.UpstreamHeader.GroupSeparator) > 0 && len(o.UpstreamHeader.GroupsFieldName) == 0 { + errs = append(errs, fmt.Errorf("--auth-header-groups-field-name must be set along with --auth-header-groups-field-separator")) + } } if len(o.AllowPaths) > 0 && len(o.IgnorePaths) > 0 { @@ -118,6 +125,13 @@ func (o *ProxyOptions) Validate() []error { errs = append(errs, err) } + // If no token audiences are provided, then tokens will be legacy. + // By default, we do not allow legacy tokens unless the user explicitly opts in. + if len(o.TokenAudiences) == 0 && !o.AllowLegacyServiceAccountTokens { + errs = append(errs, fmt.Errorf("legacy service account tokens (tokens without audience) are disabled "+ + "by default. Use --allow-legacy-serviceaccount-tokens to opt in")) + } + return errs } From a9c2ea964140eca7129fd729f2fd4d8033818647 Mon Sep 17 00:00:00 2001 From: kramaranya Date: Mon, 10 Feb 2025 13:52:11 +0000 Subject: [PATCH 2/3] c/k/a/opts: add test for legacy serviceaccount token validation Signed-off-by: kramaranya --- .../app/options/proxyoptions_test.go | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go b/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go index 84eed7635..1af68c294 100644 --- a/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go +++ b/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go @@ -17,6 +17,7 @@ limitations under the License. package options import ( + "github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders" "os" "path/filepath" "reflect" 
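Review bot: The `if o.UpstreamHeader != nil` guard added at the top of Validate tolerates a nil header, but AddFlags in the previous hunk still takes `&o.UpstreamHeader.GroupsFieldName` unconditionally, so on the CLI path a nil header panics before Validate ever runs; the guard only matters for callers that build ProxyOptions directly, which the next patch's table test does. Worth saying so on the guard so the asymmetry is not read as a bug: `// UpstreamHeader is only nil for callers that construct ProxyOptions directly (AddFlags dereferences it unconditionally).` Validate's body continues past the end of this hunk.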
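Review bot: The legacy-token check only tests `len(o.TokenAudiences) == 0`, so an audience list made of blank entries (pflag's CSV parsing turns `--auth-token-audiences=,` into two empty strings, if I read it correctly) satisfies validation without naming any real audience, and what the authenticator then does with an empty audience is not visible from this hunk. Rejecting blank entries next to the new check keeps the opt-in explicit; the loop below does that and needs a strings import if the file lacks one. The error text could also lose the mid-sentence period so it reads as one lowercase message. The rest of Validate is outside the hunk.
```go
	// If no token audiences are provided, then tokens will be legacy.
	// By default, we do not allow legacy tokens unless the user explicitly opts in.
	if len(o.TokenAudiences) == 0 && !o.AllowLegacyServiceAccountTokens {
		errs = append(errs, fmt.Errorf("legacy service account tokens (tokens without audience) are disabled by default; use --allow-legacy-serviceaccount-tokens to opt in"))
	}
	// A blank entry would pass the length check above without naming a real audience.
	for _, aud := range o.TokenAudiences {
		if strings.TrimSpace(aud) == "" {
			errs = append(errs, fmt.Errorf("--auth-token-audiences must not contain empty entries"))
			break
		}
	}
	// … unchanged: return errs …
```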
@@ -125,3 +126,93 @@ func Test_parseAuthorizationConfigFile(t *testing.T) {
 })
 }
 }
+
+func TestProxyOptions_Validate(t *testing.T) {
+ type fields struct {
+ Upstream string
+ UpstreamForceH2C bool
+ UpstreamCAFile string
+ UpstreamClientCertFile string
+ UpstreamClientKeyFile string
+ UpstreamHeader *identityheaders.AuthnHeaderConfig
+ AuthzConfigFileName string
+ AllowPaths []string
+ IgnorePaths []string
+ ProxyEndpointsPort int
+ TokenAudiences []string
+ AllowLegacyServiceAccountTokens bool
+ DisableHTTP2Serving bool
+ }
+
+ userKey := "User"
+ groupKey := "Group"
+
+ tests := []struct {
+ name string
+ fields fields
+ wantErr bool
+ }{
+ {
+ name: "valid config with explicit token audience",
+ fields: fields{
+ Upstream: "http://127.0.0.1",
+ TokenAudiences: []string{"kube-apiserver"},
+ AllowLegacyServiceAccountTokens: false,
+ UpstreamHeader: &identityheaders.AuthnHeaderConfig{
+ UserFieldName: userKey,
+ GroupsFieldName: groupKey,
+ },
+ },
+ wantErr: false,
+ },
+ {
+ name: "legacy tokens not allowed (empty audiences, flag false)",
+ fields: fields{
+ Upstream: "http://127.0.0.1",
+ TokenAudiences: []string{},
+ AllowLegacyServiceAccountTokens: false,
+ UpstreamHeader: &identityheaders.AuthnHeaderConfig{
+ UserFieldName: userKey,
+ GroupsFieldName: groupKey,
+ },
+ },
+ wantErr: true,
+ },
+ {
+ name: "legacy tokens allowed (empty audiences, flag true)",
+ fields: fields{
+ Upstream: "http://127.0.0.1",
+ TokenAudiences: []string{},
+ AllowLegacyServiceAccountTokens: true,
+ UpstreamHeader: &identityheaders.AuthnHeaderConfig{
+ UserFieldName: userKey,
+ GroupsFieldName: groupKey,
+ },
+ },
+ wantErr: false,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ o := &ProxyOptions{
+ Upstream: tt.fields.Upstream,
+ UpstreamForceH2C: tt.fields.UpstreamForceH2C,
+ UpstreamCAFile: tt.fields.UpstreamCAFile,
+ UpstreamClientCertFile: tt.fields.UpstreamClientCertFile,
+ UpstreamClientKeyFile: tt.fields.UpstreamClientKeyFile,
+ UpstreamHeader: tt.fields.UpstreamHeader,
+ AuthzConfigFileName: tt.fields.AuthzConfigFileName,
+ AllowPaths: tt.fields.AllowPaths,
+ IgnorePaths: tt.fields.IgnorePaths,
+ ProxyEndpointsPort: tt.fields.ProxyEndpointsPort,
+ TokenAudiences: tt.fields.TokenAudiences,
+ AllowLegacyServiceAccountTokens: tt.fields.AllowLegacyServiceAccountTokens,
+ DisableHTTP2Serving: tt.fields.DisableHTTP2Serving,
+ }
+ errs := o.Validate()
+ if (len(errs) > 0) != tt.wantErr {
+ t.Errorf("Validate() errors = %v, wantErr %v", errs, tt.wantErr)
+ }
+ })
+ }
+}
From a8e9da65fe8ecddc1ec7dfc251b5d0e65ebda0b2 Mon Sep 17 00:00:00 2001
From: kramaranya
Date: Thu, 13 Feb 2025 15:50:11 +0000
Subject: [PATCH 3/3] README, test/e2e: add --allow-legacy-serviceaccount-tokens flag
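Review bot: The check `if (len(errs) > 0) != tt.wantErr` at the end of the loop only asserts that some error came back, so the "legacy tokens not allowed" case would also pass if Validate rejected the config for an unrelated reason, and nothing pins which rule fired; the same applies to the cases PATCH 3/3 adds to this table (both-paths-set, invalid AllowPaths, invalid IgnorePaths). Adding a `wantErrContains string` column and matching the joined error text against it makes each case test its own rule, as sketched below (`errors.Join` is Go 1.20+; on older toolchains loop over errs with `strings.Contains`). The `fields` struct is a field-for-field copy of ProxyOptions, so the table could hold `ProxyOptions` values directly and drop the thirteen-line copy in `o := &ProxyOptions{...}`.
```go
		t.Run(tt.name, func(t *testing.T) {
			// … unchanged: build o from tt.fields …
			errs := o.Validate()
			if (len(errs) > 0) != tt.wantErr {
				t.Fatalf("Validate() errors = %v, wantErr %v", errs, tt.wantErr)
			}
			if tt.wantErr && !strings.Contains(errors.Join(errs...).Error(), tt.wantErrContains) {
				t.Errorf("Validate() errors = %v, want one containing %q", errs, tt.wantErrContains)
			}
		})
```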
Signed-off-by: kramaranya --- README.md | 3 +- .../app/options/proxyoptions.go | 2 +- .../app/options/proxyoptions_test.go | 72 +++++++++- test/e2e/allowpaths/deployment.yaml | 1 + test/e2e/basics.go | 124 ++++++++++++++++++ test/e2e/basics/deployment.yaml | 1 + .../deployment-wrongca.yaml | 1 + test/e2e/clientcertificates/deployment.yaml | 1 + test/e2e/h2c-upstream/deployment.yaml | 1 + test/e2e/http2/deployment-no-http2.yaml | 1 + test/e2e/http2/deployment.yaml | 1 + .../identityheaders/default/deployment.yaml | 1 + .../insecure/deployment-proxy.yaml | 1 + .../secure/deployment-proxy.yaml | 1 + test/e2e/ignorepaths/deployment.yaml | 1 + test/e2e/legacy/clusterRole-client.yaml | 7 + test/e2e/legacy/clusterRole.yaml | 13 ++ .../e2e/legacy/clusterRoleBinding-client.yaml | 12 ++ test/e2e/legacy/clusterRoleBinding.yaml | 12 ++ test/e2e/legacy/deployment-allowed-noaud.yaml | 32 +++++ test/e2e/legacy/deployment-allowed.yaml | 33 +++++ test/e2e/legacy/deployment-disallowed.yaml | 32 +++++ test/e2e/legacy/service.yaml | 14 ++ test/e2e/legacy/serviceAccount.yaml | 5 + test/e2e/main_test.go | 1 + test/e2e/static-auth/deployment.yaml | 1 + test/e2e/tokenrequest/deployment.yaml | 1 + 27 files changed, 370 insertions(+), 5 deletions(-) create mode 100644 test/e2e/legacy/clusterRole-client.yaml create mode 100644 test/e2e/legacy/clusterRole.yaml create mode 100644 test/e2e/legacy/clusterRoleBinding-client.yaml create mode 100644 test/e2e/legacy/clusterRoleBinding.yaml create mode 100644 test/e2e/legacy/deployment-allowed-noaud.yaml create mode 100644 test/e2e/legacy/deployment-allowed.yaml create mode 100644 test/e2e/legacy/deployment-disallowed.yaml create mode 100644 test/e2e/legacy/service.yaml create mode 100644 test/e2e/legacy/serviceAccount.yaml diff --git a/README.md b/README.md index 4a9c02319..e24e36391 100644 --- a/README.md +++ b/README.md 
@@ -91,11 +91,12 @@ Delegating authorization flags: Proxy flags: + --allow-legacy-serviceaccount-tokens If true, allow legacy service account tokens (without an audience). Legacy tokens are less secure and are disabled by default. --allow-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the request doesn't match, kube-rbac-proxy responds with a 404 status code. If omitted, the incoming request path isn't checked. Cannot be used with --ignore-paths. --auth-header-groups-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups") --auth-header-groups-field-separator string The separator string used for concatenating multiple group names in a groups header field's value (default "|") --auth-header-user-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user") - --auth-token-audiences strings Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience. + --auth-token-audiences strings Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. Must be set unless --allow-legacy-serviceaccount-tokens is true. --config-file string Configuration file to configure static and rewrites authorization of the kube-rbac-proxy. --disable-http2-serving If true, HTTP2 serving will be disabled [default=false] --ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths. 
diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions.go b/cmd/kube-rbac-proxy/app/options/proxyoptions.go
index dafb1be40..30e4f36c6 100644
--- a/cmd/kube-rbac-proxy/app/options/proxyoptions.go
+++ b/cmd/kube-rbac-proxy/app/options/proxyoptions.go
@@ -81,7 +81,7 @@ func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) {
 flagset.StringVar(&o.UpstreamHeader.GroupsFieldName, "auth-header-groups-field-name", "x-remote-groups", "The name of the field inside a http(2) request header to tell the upstream server about the user's groups")
 flagset.StringVar(&o.UpstreamHeader.GroupSeparator, "auth-header-groups-field-separator", "|", "The separator string used for concatenating multiple group names in a groups header field's value")
- flagset.StringSliceVar(&o.TokenAudiences, "auth-token-audiences", []string{}, "Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. If omitted, the token is considered legacy.")
+ flagset.StringSliceVar(&o.TokenAudiences, "auth-token-audiences", []string{}, "Comma-separated list of token audiences to accept. Tokens must have at least one audience from this list. Must be set unless --allow-legacy-serviceaccount-tokens is true.")
 
 // legacy tokens are disabled by default.
 flagset.BoolVar(&o.AllowLegacyServiceAccountTokens, "allow-legacy-serviceaccount-tokens", false, "If true, allow legacy service account tokens (without an audience). Legacy tokens are less secure and are disabled by default.")
diff --git a/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go b/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go
index 1af68c294..93f94bb04 100644
--- a/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go
+++ b/cmd/kube-rbac-proxy/app/options/proxyoptions_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package options
 
 import (
- "github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 "os"
 "path/filepath"
 "reflect"
@@ -25,6 +24,7 @@ import (
 "github.com/google/go-cmp/cmp"
 
+ "github.com/brancz/kube-rbac-proxy/pkg/authn/identityheaders"
 authz "github.com/brancz/kube-rbac-proxy/pkg/authorization"
 "github.com/brancz/kube-rbac-proxy/pkg/authorization/rewrite"
 "github.com/brancz/kube-rbac-proxy/pkg/authorization/static"
@@ -144,14 +144,37 @@ func TestProxyOptions_Validate(t *testing.T) {
 DisableHTTP2Serving bool
 }
 
- userKey := "User"
- groupKey := "Group"
+ const (
+ userKey = "User"
+ groupKey = "Group"
+ )
 
 tests := []struct {
 name string
 fields fields
 wantErr bool
 }{
+ {
+ name: "valid config with client cert, key, config, port, and token audience",
+ fields: fields{
+ Upstream: "http://127.0.0.1",
+ UpstreamForceH2C: true,
+ UpstreamCAFile: "ca.crt",
+ UpstreamClientCertFile: "client.crt",
+ UpstreamClientKeyFile: "client.key",
+ AuthzConfigFileName: "authz.yaml",
+ AllowPaths: []string{"/path1", "/path2"},
+ ProxyEndpointsPort: 8081,
+ TokenAudiences: []string{"kube-apiserver"},
+ AllowLegacyServiceAccountTokens: false,
+ DisableHTTP2Serving: true,
+ UpstreamHeader: &identityheaders.AuthnHeaderConfig{
+ UserFieldName: userKey,
+ GroupsFieldName: groupKey,
+ },
+ },
+ wantErr: false,
+ },
 {
 name: "valid config with explicit token audience",
 fields: fields{
@@ -191,6 +214,49 @@ func TestProxyOptions_Validate(t *testing.T) { }, wantErr: false, }, + { + name: "invalid combination (both AllowPaths and IgnorePaths set)", + fields: fields{ + Upstream: "http://127.0.0.1", + AllowPaths: []string{"/path1"}, + IgnorePaths: []string{"/path2"}, + TokenAudiences: []string{"kube-apiserver"}, + AllowLegacyServiceAccountTokens: false, + UpstreamHeader: &identityheaders.AuthnHeaderConfig{ + UserFieldName: userKey, + GroupsFieldName: groupKey, + }, + }, + wantErr: true, + }, + { + name: "invalid AllowPaths", + fields: fields{ + Upstream: "http://127.0.0.1", + AllowPaths: []string{"[path"}, + TokenAudiences: []string{"kube-apiserver"}, + AllowLegacyServiceAccountTokens: false, + UpstreamHeader: &identityheaders.AuthnHeaderConfig{ + UserFieldName: userKey, + GroupsFieldName: groupKey, + }, + }, + wantErr: true, + }, + { + name: "invalid IgnorePaths", + fields: fields{ + Upstream: "http://127.0.0.1", + IgnorePaths: []string{"path\\"}, + TokenAudiences: []string{"kube-apiserver"}, + AllowLegacyServiceAccountTokens: false, + UpstreamHeader: &identityheaders.AuthnHeaderConfig{ + UserFieldName: userKey, + GroupsFieldName: groupKey, + }, + }, + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/test/e2e/allowpaths/deployment.yaml b/test/e2e/allowpaths/deployment.yaml index 9610b9327..6453a03a7 100644 --- a/test/e2e/allowpaths/deployment.yaml +++ b/test/e2e/allowpaths/deployment.yaml @@ -22,6 +22,7 @@ spec: - "--proxy-endpoints-port=8643" - "--upstream=http://127.0.0.1:8081/" - "--allow-paths=/metrics,/api/v1/label/*" + - "--allow-legacy-serviceaccount-tokens=true" - "--authentication-skip-lookup" - "--v=10" ports: diff --git a/test/e2e/basics.go b/test/e2e/basics.go index 0e1da923c..4ee474fb0 100644 --- a/test/e2e/basics.go +++ b/test/e2e/basics.go 
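Review bot: Adding `--allow-legacy-serviceaccount-tokens=true` to this deployment, and likewise to every other pre-existing e2e deployment in this patch (basics, clientcertificates, h2c-upstream, http2, identityheaders, ignorepaths, static-auth, tokenrequest), means the whole existing suite now runs with the less secure opt-in and only `legacy/deployment-disallowed.yaml` exercises the new default. That is reasonable as a migration step, but the tokenrequest deployment already passes `--auth-token-audiences=kube-rbac-proxy`, so the opt-in is not needed there and hides the configuration the flag is meant to steer operators toward. A comment above the added line, `# TODO: drop once this suite sends audience-bound tokens`, or a follow-up issue to migrate the suites, would keep default-path coverage from quietly staying at one scenario.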
@@ -519,3 +519,127 @@ func testIgnorePaths(client kubernetes.Interface) kubetest.TestSuite { }.Run(t) } } + +func testLegacyTokenFlag(client kubernetes.Interface) kubetest.TestSuite { + return func(t *testing.T) { + legacyCommand := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` + command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` + + kubetest.Scenario{ + Name: "LegacyAllowedAudienceSet", + Description: ` + As a client with --allow-legacy-serviceaccount-tokens=true and a valid audience, + I succeed with my request + `, + + Given: kubetest.Actions( + kubetest.CreatedManifests( + client, + "legacy/clusterRole.yaml", + "legacy/clusterRoleBinding.yaml", + "legacy/deployment-allowed.yaml", + "legacy/service.yaml", + "legacy/serviceAccount.yaml", + "legacy/clusterRole-client.yaml", + "legacy/clusterRoleBinding-client.yaml", + ), + ), + When: kubetest.Actions( + kubetest.PodsAreReady( + client, + 1, + "app=kube-rbac-proxy", + ), + kubetest.ServiceIsReady( + client, + "kube-rbac-proxy", + ), + ), + Then: kubetest.Actions( + kubetest.ClientSucceeds( + client, + legacyCommand, + &kubetest.RunOptions{TokenAudience: "kube-rbac-proxy"}, + ), + ), + }.Run(t) + + kubetest.Scenario{ + Name: "LegacyDisallowedAudienceSet", + Description: ` + As a client with --allow-legacy-serviceaccount-tokens=false and a valid audience, + I succeed with my request + `, + + Given: kubetest.Actions( + kubetest.CreatedManifests( + client, + "legacy/clusterRole.yaml", + "legacy/clusterRoleBinding.yaml", + "legacy/deployment-disallowed.yaml", + "legacy/service.yaml", + "legacy/serviceAccount.yaml", + "legacy/clusterRole-client.yaml", + "legacy/clusterRoleBinding-client.yaml", + ), + ), + When: kubetest.Actions( + 
kubetest.PodsAreReady( + client, + 1, + "app=kube-rbac-proxy", + ), + kubetest.ServiceIsReady( + client, + "kube-rbac-proxy", + ), + ), + Then: kubetest.Actions( + kubetest.ClientSucceeds( + client, + legacyCommand, + &kubetest.RunOptions{TokenAudience: "kube-rbac-proxy"}, + ), + ), + }.Run(t) + + kubetest.Scenario{ + Name: "LegacyAllowedNoAudience", + Description: ` + As a client with --allow-legacy-serviceaccount-tokens=true and no audience set, + I succeed with my request + `, + + Given: kubetest.Actions( + kubetest.CreatedManifests( + client, + "legacy/clusterRole.yaml", + "legacy/clusterRoleBinding.yaml", + "legacy/deployment-allowed-noaud.yaml", + "legacy/service.yaml", + "legacy/serviceAccount.yaml", + "legacy/clusterRole-client.yaml", + "legacy/clusterRoleBinding-client.yaml", + ), + ), + When: kubetest.Actions( + kubetest.PodsAreReady( + client, + 1, + "app=kube-rbac-proxy", + ), + kubetest.ServiceIsReady( + client, + "kube-rbac-proxy", + ), + ), + Then: kubetest.Actions( + kubetest.ClientSucceeds( + client, + command, + &kubetest.RunOptions{TokenAudience: ""}, + ), + ), + }.Run(t) + } +} diff --git a/test/e2e/basics/deployment.yaml b/test/e2e/basics/deployment.yaml index 20ea3fe46..6f33eb4e4 100644 --- a/test/e2e/basics/deployment.yaml +++ b/test/e2e/basics/deployment.yaml @@ -20,6 +20,7 @@ spec: args: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" + - "--allow-legacy-serviceaccount-tokens=true" - "--authentication-skip-lookup" - "--v=10" ports: diff --git a/test/e2e/clientcertificates/deployment-wrongca.yaml b/test/e2e/clientcertificates/deployment-wrongca.yaml index 8469daaab..b8debf842 100644 --- a/test/e2e/clientcertificates/deployment-wrongca.yaml +++ b/test/e2e/clientcertificates/deployment-wrongca.yaml 
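Review bot: The two command variables at the top of testLegacyTokenFlag are named the wrong way round: `legacyCommand` reads `/var/run/secrets/tokens/requestedtoken`, the token the scenarios request with `TokenAudience: "kube-rbac-proxy"`, while `command` reads the mounted service-account token, which is the legacy one the flag is about; renaming them to `audienceCommand` and `legacyCommand` would make the three scenarios read correctly. No scenario sends the legacy token to `legacy/deployment-disallowed.yaml` and expects rejection, which is the behaviour the flag exists to enforce; "LegacyDisallowedAudienceSet" only shows that audience-bound tokens still work, so a fourth scenario pairing the disallowed deployment with the service-account token and a failure assertion (the harness's counterpart of ClientSucceeds, if it has one) would close that gap. The scenario descriptions also say "As a client with --allow-legacy-serviceaccount-tokens=…" as if it were a client setting, whereas it is the proxy's flag; `As a client of a proxy started with …` is what the manifests actually set up.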
@@ -21,6 +21,7 @@ spec: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" - "--client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" + - "--allow-legacy-serviceaccount-tokens=true" - "--authentication-skip-lookup" - "--v=10" ports: diff --git a/test/e2e/clientcertificates/deployment.yaml b/test/e2e/clientcertificates/deployment.yaml index ba3e22e04..b27ca13a4 100644 --- a/test/e2e/clientcertificates/deployment.yaml +++ b/test/e2e/clientcertificates/deployment.yaml @@ -21,6 +21,7 @@ spec: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" - "--client-ca-file=/certs/ca.crt" + - "--allow-legacy-serviceaccount-tokens=true" - "--authentication-skip-lookup" - "--v=10" ports: diff --git a/test/e2e/h2c-upstream/deployment.yaml b/test/e2e/h2c-upstream/deployment.yaml index 16d61018d..577481e36 100644 --- a/test/e2e/h2c-upstream/deployment.yaml +++ b/test/e2e/h2c-upstream/deployment.yaml @@ -21,6 +21,7 @@ spec: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--upstream-force-h2c=true" - "--v=10" ports: diff --git a/test/e2e/http2/deployment-no-http2.yaml b/test/e2e/http2/deployment-no-http2.yaml index 40571a44f..a0e8429b6 100644 --- a/test/e2e/http2/deployment-no-http2.yaml +++ b/test/e2e/http2/deployment-no-http2.yaml @@ -21,6 +21,7 @@ spec: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--ignore-paths=/metrics,/api/v1/*" - "--disable-http2-serving=true" - "--v=10" diff --git a/test/e2e/http2/deployment.yaml b/test/e2e/http2/deployment.yaml index 46a18b124..5469a94c3 100644 --- a/test/e2e/http2/deployment.yaml +++ b/test/e2e/http2/deployment.yaml 
@@ -21,6 +21,7 @@ spec: - "--secure-port=8443" - "--upstream=http://127.0.0.1:8081/" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--ignore-paths=/metrics,/api/v1/*" - "--v=10" ports: diff --git a/test/e2e/identityheaders/default/deployment.yaml b/test/e2e/identityheaders/default/deployment.yaml index 2cc7536f6..c9f848cd6 100644 --- a/test/e2e/identityheaders/default/deployment.yaml +++ b/test/e2e/identityheaders/default/deployment.yaml @@ -24,6 +24,7 @@ spec: - "--auth-header-user-field-name=x-remote-user" - "--auth-header-groups-field-name=x-remote-groups" - "--auth-header-groups-field-separator=|" + - "--allow-legacy-serviceaccount-tokens=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/identityheaders/insecure/deployment-proxy.yaml b/test/e2e/identityheaders/insecure/deployment-proxy.yaml index a97f88cec..173908d3f 100644 --- a/test/e2e/identityheaders/insecure/deployment-proxy.yaml +++ b/test/e2e/identityheaders/insecure/deployment-proxy.yaml @@ -24,6 +24,7 @@ spec: - "--auth-header-user-field-name=x-remote-user" - "--auth-header-groups-field-name=x-remote-groups" - "--auth-header-groups-field-separator=|" + - "--allow-legacy-serviceaccount-tokens=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/identityheaders/secure/deployment-proxy.yaml b/test/e2e/identityheaders/secure/deployment-proxy.yaml index 20d0319c7..a4eb100ab 100644 --- a/test/e2e/identityheaders/secure/deployment-proxy.yaml +++ b/test/e2e/identityheaders/secure/deployment-proxy.yaml @@ -24,6 +24,7 @@ spec: - "--auth-header-user-field-name=x-remote-user" - "--auth-header-groups-field-name=x-remote-groups" - "--auth-header-groups-field-separator=|" + - "--allow-legacy-serviceaccount-tokens=true" - "--tls-cert-file=/usr/local/etc/kube-rbac-proxy/server-certs/tls.crt" - "--tls-private-key-file=/usr/local/etc/kube-rbac-proxy/server-certs/tls.key" - "--upstream-ca-file=/usr/local/etc/kube-rbac-proxy/upstream-trust/ca.crt" 
diff --git a/test/e2e/ignorepaths/deployment.yaml b/test/e2e/ignorepaths/deployment.yaml index 58d2daf4a..72f61939d 100644 --- a/test/e2e/ignorepaths/deployment.yaml +++ b/test/e2e/ignorepaths/deployment.yaml @@ -22,6 +22,7 @@ spec: - "--upstream=http://127.0.0.1:8081/" - "--ignore-paths=/metrics,/api/v1/*" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/legacy/clusterRole-client.yaml b/test/e2e/legacy/clusterRole-client.yaml new file mode 100644 index 000000000..dd0d17d37 --- /dev/null +++ b/test/e2e/legacy/clusterRole-client.yaml @@ -0,0 +1,7 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: metrics +rules: +- nonResourceURLs: ["/metrics"] + verbs: ["get"] diff --git a/test/e2e/legacy/clusterRole.yaml b/test/e2e/legacy/clusterRole.yaml new file mode 100644 index 000000000..30ba24d13 --- /dev/null +++ b/test/e2e/legacy/clusterRole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-rbac-proxy +rules: +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] diff --git a/test/e2e/legacy/clusterRoleBinding-client.yaml b/test/e2e/legacy/clusterRoleBinding-client.yaml new file mode 100644 index 000000000..d34563cfd --- /dev/null +++ b/test/e2e/legacy/clusterRoleBinding-client.yaml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: metrics +subjects: +- kind: ServiceAccount + name: default + namespace: default diff --git a/test/e2e/legacy/clusterRoleBinding.yaml b/test/e2e/legacy/clusterRoleBinding.yaml new file mode 100644 index 000000000..f2e8d8a0a --- /dev/null +++ b/test/e2e/legacy/clusterRoleBinding.yaml 
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: kube-rbac-proxy + namespace: default diff --git a/test/e2e/legacy/deployment-allowed-noaud.yaml b/test/e2e/legacy/deployment-allowed-noaud.yaml new file mode 100644 index 000000000..44887621d --- /dev/null +++ b/test/e2e/legacy/deployment-allowed-noaud.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-rbac-proxy + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: kube-rbac-proxy + template: + metadata: + labels: + app: kube-rbac-proxy + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:local + args: + - "--secure-port=8443" + - "--upstream=http://127.0.0.1:8081/" + - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: prometheus-example-app + image: quay.io/brancz/prometheus-example-app:v0.1.0 + args: + - "--bind=127.0.0.1:8081" diff --git a/test/e2e/legacy/deployment-allowed.yaml b/test/e2e/legacy/deployment-allowed.yaml new file mode 100644 index 000000000..2311ea663 --- /dev/null +++ b/test/e2e/legacy/deployment-allowed.yaml 
@@ -0,0 +1,33 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-rbac-proxy + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: kube-rbac-proxy + template: + metadata: + labels: + app: kube-rbac-proxy + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:local + args: + - "--secure-port=8443" + - "--upstream=http://127.0.0.1:8081/" + - "--auth-token-audiences=kube-rbac-proxy" + - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: prometheus-example-app + image: quay.io/brancz/prometheus-example-app:v0.1.0 + args: + - "--bind=127.0.0.1:8081" diff --git a/test/e2e/legacy/deployment-disallowed.yaml b/test/e2e/legacy/deployment-disallowed.yaml new file mode 100644 index 000000000..93c16caec --- /dev/null +++ b/test/e2e/legacy/deployment-disallowed.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-rbac-proxy + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: kube-rbac-proxy + template: + metadata: + labels: + app: kube-rbac-proxy + spec: + serviceAccountName: kube-rbac-proxy + containers: + - name: kube-rbac-proxy + image: quay.io/brancz/kube-rbac-proxy:local + args: + - "--secure-port=8443" + - "--upstream=http://127.0.0.1:8081/" + - "--auth-token-audiences=kube-rbac-proxy" + - "--authentication-skip-lookup" + - "--v=10" + ports: + - containerPort: 8443 + name: https + - name: prometheus-example-app + image: quay.io/brancz/prometheus-example-app:v0.1.0 + args: + - "--bind=127.0.0.1:8081" diff --git a/test/e2e/legacy/service.yaml b/test/e2e/legacy/service.yaml new file mode 100644 index 000000000..4e0f7d2e4 --- /dev/null +++ b/test/e2e/legacy/service.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: kube-rbac-proxy + name: kube-rbac-proxy + namespace: default +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + app: kube-rbac-proxy diff --git a/test/e2e/legacy/serviceAccount.yaml b/test/e2e/legacy/serviceAccount.yaml new file mode 100644 index 000000000..45feecc9c --- /dev/null +++ b/test/e2e/legacy/serviceAccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-rbac-proxy + namespace: default diff --git a/test/e2e/main_test.go b/test/e2e/main_test.go index 1e6622680..4be69793f 100644 --- a/test/e2e/main_test.go +++ b/test/e2e/main_test.go @@ -56,6 +56,7 @@ func Test(t *testing.T) { "IdentityHeaders": testIdentityHeaders(client), "ClientCertificates": testClientCertificates(client), "TokenAudience": testTokenAudience(client), + "LegacyTokenFlag": testLegacyTokenFlag(client), "AllowPath": testAllowPathsRegexp(client), "IgnorePath": testIgnorePaths(client), "TLS": testTLS(client), diff --git a/test/e2e/static-auth/deployment.yaml b/test/e2e/static-auth/deployment.yaml index 485593e04..2aac2d9b2 100644 --- a/test/e2e/static-auth/deployment.yaml +++ b/test/e2e/static-auth/deployment.yaml @@ -24,6 +24,7 @@ spec: - "--upstream=http://127.0.0.1:8081/" - "--config-file=/etc/kube-rbac-proxy/config-file.yaml" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--v=10" ports: - containerPort: 8443 diff --git a/test/e2e/tokenrequest/deployment.yaml b/test/e2e/tokenrequest/deployment.yaml index 93c16caec..2311ea663 100644 --- a/test/e2e/tokenrequest/deployment.yaml +++ b/test/e2e/tokenrequest/deployment.yaml @@ -22,6 +22,7 @@ spec: - "--upstream=http://127.0.0.1:8081/" - "--auth-token-audiences=kube-rbac-proxy" - "--authentication-skip-lookup" + - "--allow-legacy-serviceaccount-tokens=true" - "--v=10" ports: - containerPort: 8443