Add manual opt-in for legacy service account tokens #357
Conversation
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
ffdc6c1 to
a9c2ea9
Compare
kramaranya
changed the title
|
/lgtm |
|
@kramaranya, I think we have an audience token test, right? we might be able to drop it, if we do not have any tests without audience set, right? Maybe we could have a negative test case then, that the server fails if it isn't set? |
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
b11a610 to
f44889c
Compare
@ibihim If I understood you correctly, I've already added a negative test for this scenario (empty audiences when legacy tokens are not allowed) -- https://github.com/brancz/kube-rbac-proxy/pull/357/files#diff-770d985644314c26e2d1c0e8fb70e4714408a9888a4e2749a633144697201bacR191-R203 |
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
f44889c to
a8e9da6
Compare
test/e2e/basics.go
Outdated
| ), | ||
| ), | ||
| Then: kubetest.Actions( | ||
| kubetest.ClientSucceeds( |
There was a problem hiding this comment.
You're attempting to use a legacy token but the proxy does is not supposed to accept these in this case. This should fail.
test/e2e/basics.go
Outdated
| kubetest.ClientSucceeds( | ||
| client, | ||
| legacyCommand, | ||
| &kubetest.RunOptions{TokenAudience: "kube-rbac-proxy"}, |
There was a problem hiding this comment.
we don't need the options in this case, right?
test/e2e/basics.go
Outdated
| kubetest.ClientSucceeds( | ||
| client, | ||
| command, | ||
| &kubetest.RunOptions{TokenAudience: ""}, |
There was a problem hiding this comment.
This is equal to it being nil, right?
test/e2e/basics.go
Outdated
|
|
||
| func testLegacyTokenFlag(client kubernetes.Interface) kubetest.TestSuite { | ||
| return func(t *testing.T) { | ||
| legacyCommand := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` |
There was a problem hiding this comment.
/var/run/secrets/tokens/requestedtoken does not actually house the legacy tokens. The below code appears to be creating such tokens:
kube-rbac-proxy/test/kubetest/kubernetes.go
Lines 524 to 544 in 670377f
We may actually want to rename the directory from /var/run/secrets/tokens to something else, like /var/run/projected/tokens, I personally find it a bit confusing.
You'll have to follow https://kubernetes.io/docs/concepts/configuration/secret/#serviceaccount-token-secrets to create a token secret along with your other manifests. Use a different directory than for the short-lived SA tokens so that we can distinguish these two in tests.
| func testLegacyTokenFlag(client kubernetes.Interface) kubetest.TestSuite { | ||
| return func(t *testing.T) { | ||
| legacyCommand := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/tokens/requestedtoken)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` | ||
| command := `curl --connect-timeout 5 -v -s -k --fail -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://kube-rbac-proxy.default.svc.cluster.local:8443/metrics` |
There was a problem hiding this comment.
I think this command should actually have /var/run/secrets/tokens/requestedtoken as an input for the token
There was a problem hiding this comment.
The LegacyAllowedNoAudience test checks a scenario with no audience set. But /var/run/secrets/tokens/requestedtoken sets an audience, so it wouldn't match our no-audience case.
kube-rbac-proxy/test/kubetest/kubernetes.go
Lines 524 to 532 in 670377f
That's why I use the default token
/var/run/secrets/kubernetes.io/serviceaccount/token instead.
There was a problem hiding this comment.
The /var/run/secrets/kubernetes.io/serviceaccount/token will also contain an audience.
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
2 times, most recently
from
dcf81c3 to
37debda
Compare
Signed-off-by: kramaranya <[email protected]>
Signed-off-by: kramaranya <[email protected]>
Signed-off-by: kramaranya <[email protected]>
kramaranya
force-pushed
the
legacy-sa-opt-in
branch
from
37debda to
6d1f5e5
Compare
stlaz
added
the
sig-auth-acceptance
| args: | ||
| - "--secure-port=8443" | ||
| - "--upstream=http://127.0.0.1:8081/" | ||
| - "--auth-token-audiences=kube-rbac-proxy,https://kubernetes.default.svc.cluster.local" |
There was a problem hiding this comment.
I see, I was wondering why the test was passing. This and the below configs were supposed to be the same, the difference should only be in "--allow-legacy-serviceaccount-tokens=true", not in audiences.
https://kubernetes.default.svc.cluster.local is an "implicit" audience, so when you use the legacy SA token, IIRC this is returned when there are no other audiences present. However, this implicit audience can be different depending on kube-apiserver configuration, and so we couldn't make a simple guidance on how to config the audiences.
@ibihim Should we treat the --allow-legacy-serviceaccount-tokens that allows empty --auth-token-audiences but will fail if there are audiences set? Or would we actually allow both legacy and bound SA tokens, the latter retains the audience check if audiences are set? Doing that might get unnecessarily complicated.
Fixes #336