Allow kube:admin to be scoped #21712
Conversation
This change moves the bootstrap OAuth user behind an interface to isolate the logic. The data needed to validate flows for this user are now stored in a BootstrapUserData struct to make it easier to extend the associated flows. Signed-off-by: Monis Khan <[email protected]>
When I originally wrote the authenticator for the bootstrap user, I was thinking of a user that could always perform any action, similar to an x509 cert based user. However, unlike a cert based user, the bootstrap user can go through OAuth flows, meaning that untrusted clients can get scoped tokens for it. We need those tokens to not be all powerful, otherwise we break the safety guarantees of those flows. This change removes the use of the system:masters group and instead uses the system:cluster-admins group. The former does not honor scopes or any other deny authorizer due to how it is wired. The latter is authorized via RBAC and thus interacts correctly with deny authorizers. This change also passes the token scopes via the standard extra field scopes.authorization.openshift.io (this was originally omitted due to my incorrect thought process around the bootstrap user). Signed-off-by: Monis Khan <[email protected]>
openshift-ci-robot
added
size/L
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, stlaz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/refresh |
|
/test e2e-gcp-serial |
|
/test e2e-aws-builds |
|
/skip |
|
/refresh |
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Move bootstrap user data to BootstrapUserData struct
This change moves the bootstrap OAuth user behind an interface to
isolate the logic. The data needed to validate flows for this user
are now stored in a BootstrapUserData struct to make it easier to
extend the associated flows.
Signed-off-by: Monis Khan [email protected]
Allow kube:admin to be scoped
When I originally wrote the authenticator for the bootstrap user, I
was thinking of a user that could always perform any action, similar
to an x509 cert based user. However, unlike a cert based user, the
bootstrap user can go through OAuth flows, meaning that untrusted
clients can get scoped tokens for it. We need those tokens to not
be all powerful, otherwise we break the safety guarantees of those
flows.
This change removes the use of the system:masters group and instead
uses the system:cluster-admins group. The former does not honor
scopes or any other deny authorizer due to how it is wired. The
latter is authorized via RBAC and thus interacts correctly with deny
authorizers.
This change also passes the token scopes via the standard extra
field scopes.authorization.openshift.io (this was originally omitted
due to my incorrect thought process around the bootstrap user).
Signed-off-by: Monis Khan [email protected]
xrefs:
#18922
#18966
#21530
kubernetes/kubernetes#70670
kubernetes/kubernetes#70671
@openshift/sig-auth
/assign @mrogers950