support partial anonymous authentication in the impersonation proxy#2869
Merged
support partial anonymous authentication in the impersonation proxy#2869
Conversation
✅ Deploy Preview for pinniped-dev canceled.
|
cfryanr
force-pushed
the
rr/partial_anon_auth
branch
3 times, most recently
from
9dc6d3f to
f505010
Compare
cfryanr
force-pushed
the
rr/partial_anon_auth
branch
from
f505010 to
736e247
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The impersonation proxy is how the Pinniped Concierge provides authentication on clusters which the Kubernetes signing keys are not available. These are usually could provider distributions such as GKE, EKS, and AKS. The impersonation proxy is not used at all on clusters where the signing key is available, such as a Kind cluster, TKG cluster, or VKS cluster. You can check if the impersonation proxy is being used on your cluster by looking at the
statusof theCredentialIssuerresource.One feature of the impersonation proxy is that it tries to mimic the cluster's Kubernetes API server's anonymous authentication behavior. If the cluster allows anonymous authentication, then the impersonation proxy also allowed anonymous authentication. (Of course, it still enforces authorization (RBAC) checks for every API.) If the cluster did not, then the impersonation proxy also did not.
Previously, anonymous authentication in Kubernetes was either on or off for the entire API surface. The impersonation proxy would auto-detect this by making an anonymous request to the k8s API server's
/healthzendpoint. If the response was Unauthorized, then this indicated that anonymous authentication was disabled. If the response was Forbidden, then this indicated that anonymous authentication was allowed and that the request was rejected due to RBAC configuration. If the response was success, then this also indicated that anonymous authentication was allowed. Based on this heuristic, the impersonation proxy would either allow or disallow anonymous authentication for the whole API surface.However, more recent versions of Kubernetes have configuration options to allow anonymous authentication to be partially enabled for only selected endpoints. The heuristic described above cannot determine these configurations. The most common configurations now seem to be:
/healthz,/readyz, and/livez, but is disabled for all other endpoints, such as on EKS clusters 1.32 and newer and by default on GKE clusters 1.35 and newer. However, note that on newer GKE clusters there is an option that allows the user to enable anonymous authentication for all APIs at cluster creation time.This implies that the impersonation proxy is no longer accurately mimicking the cluster's anonymous authentication configuration in all cases. When the
/healthzendpoint allows anonymous authentication, the impersonation proxy incorrectly assumes that the whole API surface should allow anonymous authentication. Of course, authorization checks are still performed for every API call, including anonymous calls. But since the goal is to accurately mimic the behavior of the API server, the impersonation proxy needs a behavior change.This PR updates that heuristic to instead make two probe requests. The
/healthzprobe is still made as described above, but its response is only interpreted to be representative of the three health endpoints. The/api/v1/nodesAPI is also called, and its response is interpreted to be representative of all other API endpoints. Then the impersonation proxy allows anonymous requests to the three health check endpoints only if the cluster allowed the anonymous request to the/healthzendpoint. And the impersonation proxy allows anonymous requests to the rest of the API's endpoints only if the cluster allowed the anonymous request to the/api/v1/nodesendpoint.This new heuristic cannot detect all possible configurations of anonymous authentication, but can capture the three most common configurations as described above. There is no practical way for Pinniped to auto-detect the exact configuration of which endpoints allow anonymous authentication, so the only alternative would be to allow more configuration of Pinniped's impersonation proxy. Adding more configuration is possible, but puts more burden on the user to configure it correctly. For now, automatically supporting the three most common configurations seems like a sufficient improvement, but the maintainers are always open to feedback from the community.
Release note: