Merge pull request #84 from JoshVanL/no-impersonation

Adds option to disable impersonation on requests

Author: jetstack-bot

README.md

@@ -127,6 +127,7 @@ users:
 
 ## Configuration
  - [Token Passthrough](./docs/tasks/token-passthrough.md)
+ - [No Impersonation](./docs/tasks/no-impersonation.md)
 
 ## Development
 *NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.

cmd/options/kube_oidc_proxy.go

@@ -0,0 +1,38 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package options
+
+import (
+	"github.com/spf13/pflag"
+)
+
+type TokenPassthroughOptions struct {
+	Audiences []string
+	Enabled   bool
+}
+
+type KubeOIDCProxyOptions struct {
+	DisableImpersonation bool
+	TokenPassthrough     TokenPassthroughOptions
+}
+
+func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.StringSliceVar(&t.Audiences, "token-passthrough-audiences", t.Audiences, ""+
+		"(Alpha) List of the identifiers that the resource server presented with the token "+
+		"identifies as. The resoure server will verify that non OIDC tokens are intended "+
+		"for at least one of the audiences in this list. If no audiences are "+
+		"provided, the audience will default to the audience of the Kubernetes "+
+		"apiserver.")
+
+	fs.BoolVar(&t.Enabled, "token-passthrough", t.Enabled, ""+
+		"(Alpha) Requests with Bearer tokens that fail OIDC validation are tried against "+
+		"the API server using the Token Review endpoint. If successful, the request "+
+		"is sent on as is, with no impersonation.")
+}
+
+func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) {
+	fs.BoolVar(&k.DisableImpersonation, "disable-impersonation", k.DisableImpersonation,
+		"(Alpha) Disable the impersonation of authenticated requests. All "+
+			"authenticated requests will be forwarded as is.")
+
+	k.TokenPassthrough.AddFlags(fs)
+}

cmd/options/options.go cmd/options/oidc.gocmd/options/options.go renamed to cmd/options/oidc.go

@@ -9,25 +9,6 @@ import (
 	cliflag "k8s.io/component-base/cli/flag"
 )
 
-type TokenPassthroughOptions struct {
-	Audiences []string
-	Enabled   bool
-}
-
-func (t *TokenPassthroughOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.StringSliceVar(&t.Audiences, "token-passthrough-audiences", t.Audiences, ""+
-		"List of the identifiers that the resource server presented with the token "+
-		"identifies as. The resoure server will verify that non OIDC tokens are intended "+
-		"for at least one of the audiences in this list. If no audiences are "+
-		"provided, the audience will default to the audience of the Kubernetes "+
-		"apiserver.")
-
-	fs.BoolVar(&t.Enabled, "token-passthrough", t.Enabled, ""+
-		"Requests with Bearer tokens that fail OIDC validation are tried against "+
-		"the API server using the Token Review endpoint. If successful, the request "+
-		"is sent on as is, with no impersonation.")
-}
-
 type OIDCAuthenticationOptions struct {
 	APIAudiences   []string
 	CAFile         string

cmd/run.go

@@ -45,7 +45,7 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	}
 	ssoptionsWithLB := ssoptions.WithLoopback()
 
-	tpOptions := new(options.TokenPassthroughOptions)
+	kopOptions := new(options.KubeOIDCProxyOptions)
 
 	clientConfigFlags := genericclioptions.NewConfigFlags(true)
 
@@ -98,8 +98,8 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 
 			// Init token reviewer if enabled
 			var tokenReviewer *tokenreview.TokenReview
-			if tpOptions.Enabled {
-				tokenReviewer, err = tokenreview.New(restConfig, tpOptions.Audiences)
+			if kopOptions.TokenPassthrough.Enabled {
+				tokenReviewer, err = tokenreview.New(restConfig, kopOptions.TokenPassthrough.Audiences)
 				if err != nil {
 					return err
 				}
@@ -112,8 +112,13 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 				return err
 			}
 
-			p := proxy.New(restConfig, reqAuther, tokenReviewer,
-				secureServingInfo)
+			proxyOptions := &proxy.Options{
+				TokenReview:          kopOptions.TokenPassthrough.Enabled,
+				DisableImpersonation: kopOptions.DisableImpersonation,
+			}
+
+			p := proxy.New(restConfig, reqAuther,
+				tokenReviewer, secureServingInfo, proxyOptions)
 
 			// run proxy
 			waitCh, err := p.Run(stopCh)
@@ -134,12 +139,12 @@ func NewRunCommand(stopCh <-chan struct{}) *cobra.Command {
 	var namedFlagSets cliflag.NamedFlagSets
 	fs := cmd.Flags()
 
+	kopfs := namedFlagSets.FlagSet("Kube-OIDC-Proxy")
+	kopOptions.AddFlags(kopfs)
+
 	oidcfs := namedFlagSets.FlagSet("OIDC")
 	oidcOptions.AddFlags(oidcfs)
 
-	tpfs := namedFlagSets.FlagSet("Token Passthrough (Alpha)")
-	tpOptions.AddFlags(tpfs)
-
 	ssoptionsWithLB.AddFlags(namedFlagSets.FlagSet("secure serving"))
 
 	clientConfigFlags.CacheDir = nil

docs/tasks/no-impersonation.md

@@ -0,0 +1,14 @@
+# No Impersonation
+
+kube-oidc-proxy can be configured to disable impersonation. When a request has
+been successfully authenticated, the request is forwarded as-is, without changes
+to the HTTP header and no authentication injected by the proxy. The OIDC
+bearer token is also kept in the request. This can be useful for securing
+endpoints that do not provide OIDC or any authentication methods and do not
+implement any authorization.
+
+To disable impersonation, provide the following flag:
+
+```
+--disable-impersonation
+```

pkg/e2e/e2e.go

@@ -175,31 +175,10 @@ func (e *E2E) newIssuerProxyPair() (*http.Transport, error) {
 	}
 	e.proxyPort = proxyPort
 
-	cmd := exec.Command("../../kube-oidc-proxy",
-		fmt.Sprintf("--oidc-issuer-url=https://127.0.0.1:%s", issuer.Port()),
-		fmt.Sprintf("--oidc-ca-file=%s", e.issuer.KeyCertPair().CertPath),
-		"--oidc-client-id=kube-oidc-proxy_e2e_client-id",
-		"--oidc-username-claim=e2e-username-claim",
-		"--oidc-groups-claim=e2e-groups-claim",
-		"--oidc-signing-algs=RS256",
-
-		"--bind-address=127.0.0.1",
-		fmt.Sprintf("--secure-port=%s", e.proxyPort),
-		fmt.Sprintf("--tls-cert-file=%s", e.proxyKeyCertPair.CertPath),
-		fmt.Sprintf("--tls-private-key-file=%s", e.proxyKeyCertPair.KeyPath),
-
-		fmt.Sprintf("--kubeconfig=%s", e.kubeKubeconfig),
-	)
-	cmd.Stderr = os.Stderr
-	cmd.Stdout = os.Stdout
-	if err := cmd.Start(); err != nil {
+	if err := e.runProxy(); err != nil {
 		return nil, err
 	}
 
-	e.proxyCmd = cmd
-
-	time.Sleep(time.Second * 13)
-
 	return transport, nil
 }
 
@@ -266,9 +245,9 @@ func (e *E2E) cleanup() {
 			klog.Errorf("failed to kill kube-oidc-proxy process: %s",
 				err)
 		}
-
-		e.proxyCmd = nil
 	}
+
+	e.proxyCmd = nil
 }
 
 func (e *E2E) runProxy(extraArgs ...string) error {

pkg/e2e/noimpersonation_test.go

@@ -0,0 +1,51 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package e2e
+
+import (
+	"fmt"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+	namespaceNoImpersonation = "kube-oidc-proxy-e2e-no-impersonation"
+)
+
+func TestNoImpersonation(t *testing.T) {
+	if e2eSuite == nil {
+		t.Skip("e2eSuite not defined")
+		return
+	}
+
+	coreclient := e2eSuite.kubeclient.CoreV1()
+
+	_, err := coreclient.Namespaces().Create(&corev1.Namespace{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: namespaceNoImpersonation,
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	e2eSuite.cleanup()
+	defer e2eSuite.cleanup()
+
+	if err := e2eSuite.runProxy("--disable-impersonation"); err != nil {
+		t.Error(err)
+		t.FailNow()
+	}
+
+	url := fmt.Sprintf(
+		"https://127.0.0.1:%s/api/v1/namespaces/%s/pods",
+		e2eSuite.proxyPort,
+		namespaceNoImpersonation,
+	)
+
+	// Should return an unathorized response from the API server - we authed with
+	// the proxy but the API server isn't set up for our OIDC auth
+	e2eSuite.testToken(t, e2eSuite.validToken(), url, 401,
+		`{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}`)
+}

pkg/proxy/proxy.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/authentication/request/bearertoken"
 	authuser "k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/server"
@@ -31,35 +32,46 @@ var (
 	impersonateExtraHeader = strings.ToLower(transport.ImpersonateUserExtraHeaderPrefix)
 )
 
+type Options struct {
+	DisableImpersonation bool
+	TokenReview          bool
+}
+
 type Proxy struct {
 	oidcAuther        *bearertoken.Authenticator
-	tokenAuther       *tokenreview.TokenReview
+	tokenReviewer     *tokenreview.TokenReview
 	secureServingInfo *server.SecureServingInfo
 
 	restConfig            *rest.Config
 	clientTransport       http.RoundTripper
 	noAuthClientTransport http.RoundTripper
+
+	options *Options
 }
 
 func New(restConfig *rest.Config, oidcAuther *bearertoken.Authenticator,
-	tokenAuther *tokenreview.TokenReview, ssinfo *server.SecureServingInfo) *Proxy {
+	tokenReviewer *tokenreview.TokenReview, ssinfo *server.SecureServingInfo, options *Options) *Proxy {
 	return &Proxy{
 		restConfig:        restConfig,
 		oidcAuther:        oidcAuther,
-		tokenAuther:       tokenAuther,
+		tokenReviewer:     tokenReviewer,
 		secureServingInfo: ssinfo,
+		options:           options,
 	}
 }
 
 func (p *Proxy) Run(stopCh <-chan struct{}) (<-chan struct{}, error) {
+	klog.Infof("waiting for oidc provider to become ready...")
+
+	// standard round tripper for proxy to API Server
 	clientRT, err := p.roundTripperForRestConfig(p.restConfig)
 	if err != nil {
 		return nil, err
 	}
 	p.clientTransport = clientRT
 
 	// No auth round tripper for no impersonation
-	if p.tokenAuther != nil {
+	if p.options.DisableImpersonation || p.options.TokenReview {
 		noAuthClientRT, err := p.roundTripperForRestConfig(&rest.Config{
 			APIPath: p.restConfig.APIPath,
 			Host:    p.restConfig.Host,
@@ -112,42 +124,38 @@ func (p *Proxy) serve(proxyHandler *httputil.ReverseProxy, stopCh <-chan struct{
 }
 
 func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
-	// auth request and handle unauthed
-	info, ok, err := p.oidcAuther.AuthenticateRequest(req)
+	// Clone the request here since successfully authenticating the request
+	// deletes those auth headers
+	reqCpy := utilnet.CloneRequest(req)
 
+	// auth request and handle unauthed
+	info, ok, err := p.oidcAuther.AuthenticateRequest(reqCpy)
 	if err != nil {
 
 		// attempt to passthrough request if valid token
-		if p.tokenAuther != nil {
-			klog.V(4).Infof("attempting to validate a token in request using TokenReview endpoint(%s)",
-				req.RemoteAddr)
-
-			ok, tkErr := p.tokenAuther.Review(req)
-			// no error so passthrough the request
-			if tkErr == nil && ok {
-				klog.V(4).Infof("passing request with valid token through (%s)",
-					req.RemoteAddr)
-				// Don't set impersonation headers and pass through without proxy auth
-				// and headers still set
-				return p.noAuthClientTransport.RoundTrip(req)
-			}
-
-			if tkErr != nil {
-				err = fmt.Errorf("%s, %s", err, tkErr)
-			}
+		if p.options.TokenReview {
+			return p.tokenReview(reqCpy)
 		}
 
-		klog.Errorf("unable to authenticate the request due to an error (%s): %s",
-			req.RemoteAddr, err)
 		return nil, errUnauthorized
 	}
 
+	// failed authorization
 	if !ok {
 		return nil, errUnauthorized
 	}
 
+	klog.V(4).Infof("authenticated request: %s", reqCpy.RemoteAddr)
+
+	// if we have disabled impersonation we can forward the request right away
+	if p.options.DisableImpersonation {
+		klog.V(2).Infof("passing on request with no impersonation: %s", reqCpy.RemoteAddr)
+		// Send original copy here with auth header intact
+		return p.noAuthClientTransport.RoundTrip(req)
+	}
+
 	// check for incoming impersonation headers and reject if any exists
-	if p.hasImpersonation(req.Header) {
+	if p.hasImpersonation(reqCpy.Header) {
 		return nil, errImpersonateHeader
 	}
 
@@ -182,7 +190,29 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) {
 	rt := transport.NewImpersonatingRoundTripper(conf, p.clientTransport)
 
 	// push request through round trippers to the API server
-	return rt.RoundTrip(req)
+	return rt.RoundTrip(reqCpy)
+}
+
+func (p *Proxy) tokenReview(req *http.Request) (*http.Response, error) {
+	klog.V(4).Infof("attempting to validate a token in request using TokenReview endpoint(%s)",
+		req.RemoteAddr)
+
+	ok, err := p.tokenReviewer.Review(req)
+	// no error so passthrough the request
+	if err == nil && ok {
+		klog.V(4).Infof("passing request with valid token through (%s)",
+			req.RemoteAddr)
+		// Don't set impersonation headers and pass through without proxy auth
+		// and headers still set
+		return p.noAuthClientTransport.RoundTrip(req)
+	}
+
+	if err != nil {
+		klog.Errorf("unable to authenticate the request via TokenReview due to an error (%s): %s",
+			req.RemoteAddr, err)
+	}
+
+	return nil, errUnauthorized
 }
 
 func (p *Proxy) hasImpersonation(header http.Header) bool {

pkg/proxy/proxy_test.go

@@ -259,6 +259,7 @@ func newTestProxy(t *testing.T) *fakeProxy {
 		Proxy: &Proxy{
 			oidcAuther:      bearertoken.New(fakeToken),
 			clientTransport: fakeRT,
+			options:         new(Options),
 		},
 	}
 }