Implement an authorization layer for operator-to-workspace communication (#712)

### Overview

This PR implements an authentication and authorization layer for the agent's RPC endpoint. Authentication is performed by authenticating a bearer token via the TokenReview API. The operator uses its built-in service account token. Authorization is performed via the SubjectAccessReview API, which checks for the following RBAC permission:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
rules:
- apiGroups:
  - auto.pulumi.com
  resources:
  - workspaces/rpc
  verbs:
  - use
```

The workspace pod's service account must be granted the `system:auth-delegator` role using a `ClusterRoleBinding`. For convenience, the installer creates a service account named `pulumi` in the `default` namespace, with an associated binding. The operator itself is granted the necessary permission to access the RPC endpoint.

### Proposed changes

- [x] agent grpc interceptor
- [x] agent command args (`--auth-mode=kube`, `--kube-workspace-name=random-yaml`)
- [x] operator client credentials
- [x] operator RBAC permissions
- [ ] ~cluster role binding for workspace service account (to ClusterRole named `system:auth-delegator`)~
- [x] install a "default/pulumi" service account with RBAC
- [x] Provide a Flux sample network policy
- [x] Update the e2e test manifests to have requisite account, rbac, and network policy.

### Future Enhancement

This implementation uses the operator's default service account token, but to further improve security it should use an audience-scoped token, where the audience is the agent service address as opposed to the API server. Such tokens may be created by the operator with a call to TokenRequest, and checked with TokenReview by adding the expected audience to the context (`authenticator.WithAudience`).

### Related issues (optional)

Closes #609

#### Examples

Some example requests:

```
random-yaml-workspace-0 pulumi 2024-10-09T21:09:43.905Z INFO cmd.serve.grpc finished unary call with code OK {"grpc.start_time": "2024-10-09T21:09:43Z", "grpc.request.deadline": "2024-10-09T21:59:43Z", "system": "grpc", "span.kind": "server", "grpc.service": "agent.AutomationService", "grpc.method": "WhoAmI", "user.id": "81be050c-9ad4-4708-9a52-413064700747", "user.name": "system:serviceaccount:default:dev", "peer.address": "127.0.0.1:56394", "auth.mode": "kubernetes", "grpc.code": "OK", "grpc.time_ms": 441.086}
random-yaml-workspace-0 pulumi 2024-10-09T21:09:52.934Z INFO cmd.serve.grpc finished unary call with code Unauthenticated {"grpc.start_time": "2024-10-09T21:09:52Z", "grpc.request.deadline": "2024-10-09T21:59:52Z", "system": "grpc", "span.kind": "server", "grpc.service": "agent.AutomationService", "grpc.method": "WhoAmI", "peer.address": "127.0.0.1:57380", "auth.mode": "kubernetes", "error": "rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer", "grpc.code": "Unauthenticated", "grpc.time_ms": 0.095}
```
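As an added illustration of the agent-side check the commit message describes (TokenReview on the caller's bearer token, then SubjectAccessReview for verb `use` on `workspaces/<name>/rpc` in `auto.pulumi.com`), this is example code, not code from the PR or the operator: the PR's interceptor is not among the visible hunks, and this version posts to the two review REST endpoints directly with the standard library so it can be exercised against a fake API server. The type `RPCAuth`, its field names, and the `APIServer`/`OwnToken` wiring are assumptions; `OwnToken` stands for the agent pod's own service account token, which the commit message says must be bound to `system:auth-delegator`.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// RPCAuth performs the two-step check the commit message describes: TokenReview to authenticate
// the caller, then SubjectAccessReview for verb `use` on workspaces/<Workspace>/rpc (auto.pulumi.com).
type RPCAuth struct {
	Client                                    *http.Client
	APIServer, OwnToken, Namespace, Workspace string // OwnToken: the agent pod's SA token (assumed)
}

var ErrUnauthenticated, ErrForbidden = fmt.Errorf("request unauthenticated with Bearer"), fmt.Errorf("permission denied")

// review POSTs a v1 review object of the given kind to its API group and returns the reply's status.
func (a *RPCAuth) review(ctx context.Context, group, kind string, spec any) (map[string]any, error) {
	body, _ := json.Marshal(map[string]any{"apiVersion": group + "/v1", "kind": kind, "spec": spec})
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, a.APIServer+"/apis/"+group+"/v1/"+strings.ToLower(kind)+"s", bytes.NewReader(body))
	if err != nil { return nil, err }
	req.Header = http.Header{"Authorization": {"Bearer " + a.OwnToken}, "Content-Type": {"application/json"}}
	resp, err := a.Client.Do(req)
	if err != nil { return nil, err }
	defer resp.Body.Close()
	var out struct{ Status map[string]any } // encoding/json matches the "status" key case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode/100 != 2 {
		return nil, fmt.Errorf("%s: HTTP %d (%v)", req.URL.Path, resp.StatusCode, err)
	}
	return out.Status, nil
}

// Check returns the caller's username; ErrUnauthenticated if the token fails TokenReview, ErrForbidden if RBAC denies rpc.
func (a *RPCAuth) Check(ctx context.Context, authorization string) (string, error) {
	tok, ok := strings.CutPrefix(authorization, "Bearer ")
	if !ok || tok == "" { return "", ErrUnauthenticated }
	st, err := a.review(ctx, "authentication.k8s.io", "TokenReview", map[string]any{"token": tok})
	if err != nil { return "", err }
	if st["authenticated"] != true { return "", ErrUnauthenticated }
	u, _ := st["user"].(map[string]any) // username, uid, groups, extra as reported by TokenReview
	name, _ := u["username"].(string)
	spec := map[string]any{"user": name, "uid": u["uid"], "groups": u["groups"], "extra": u["extra"], "resourceAttributes": map[string]any{
		"group": "auto.pulumi.com", "resource": "workspaces", "subresource": "rpc", "verb": "use", "name": a.Workspace, "namespace": a.Namespace}}
	if st, err = a.review(ctx, "authorization.k8s.io", "SubjectAccessReview", spec); err != nil { return "", err }
	if st["allowed"] != true { return name, ErrForbidden }
	return name, nil
}
```

A gRPC interceptor would call `Check` with the `authorization` metadata value and map `ErrUnauthenticated` and `ErrForbidden` to the `Unauthenticated` and `PermissionDenied` status codes respectively, which is the distinction the example log lines above show.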
1 parent a4c8810, commit 7883699. Showing 27 changed files with 1,018 additions and 35 deletions.
@@ -0,0 +1,27 @@ | ||
# Apply this manifest file to create a token with which to authenticate to the agent. | ||
# To get the token, run the following command: kubectl describe secret/dev-token | ||
# To test: kubectl auth can-i use workspaces/random-yaml --subresource rpc --as system:serviceaccount:default:dev | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: dev | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: dev-token | ||
annotations: | ||
kubernetes.io/service-account.name: dev | ||
type: kubernetes.io/service-account-token | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: dev:cluster-admin | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: dev |
@@ -0,0 +1,75 @@ | ||
/* | ||
Copyright © 2024 Pulumi Corporation | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package client | ||
|
||
import ( | ||
"context" | ||
|
||
"golang.org/x/oauth2" | ||
"google.golang.org/grpc/credentials" | ||
"k8s.io/client-go/transport" | ||
) | ||
|
||
// NewTokenCredentials adds the provided bearer token to a request. | ||
// If tokenFile is non-empty, it is periodically read, | ||
// and the last successfully read content is used as the bearer token. | ||
// If tokenFile is non-empty and bearer is empty, the tokenFile is read | ||
// immediately to populate the initial bearer token. | ||
func NewTokenCredentials(bearer string, tokenFile string) (*TokenCredentials, error) { | ||
if len(tokenFile) == 0 { | ||
return &TokenCredentials{bearer, nil}, nil | ||
} | ||
source := transport.NewCachedFileTokenSource(tokenFile) | ||
if len(bearer) == 0 { | ||
token, err := source.Token() | ||
if err != nil { | ||
return nil, err | ||
} | ||
bearer = token.AccessToken | ||
} | ||
return &TokenCredentials{bearer, source}, nil | ||
} | ||
|
||
type TokenCredentials struct { | ||
bearer string | ||
source oauth2.TokenSource | ||
} | ||
|
||
// GetRequestMetadata gets the current request metadata, refreshing tokens | ||
// if required. This should be called by the transport layer on each | ||
// request, and the data should be populated in headers or other | ||
// context. If a status code is returned, it will be used as the status for | ||
// the RPC (restricted to an allowable set of codes as defined by gRFC | ||
// A54). uri is the URI of the entry point for the request. When supported | ||
// by the underlying implementation, ctx can be used for timeout and | ||
// cancellation. Additionally, RequestInfo data will be available via ctx | ||
// to this call. | ||
func (k *TokenCredentials) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) { | ||
token := k.bearer | ||
if k.source != nil { | ||
if refreshedToken, err := k.source.Token(); err == nil { | ||
token = refreshedToken.AccessToken | ||
} | ||
} | ||
return map[string]string{"authorization": "Bearer " + token}, nil | ||
} | ||
|
||
func (k *TokenCredentials) RequireTransportSecurity() bool { | ||
return false | ||
} | ||
|
||
var _ credentials.PerRPCCredentials = &TokenCredentials{} |
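Review bot: `RequireTransportSecurity` returning false near the end of the hunk lets gRPC attach the `authorization: Bearer ...` header on a plaintext connection, so the operator's service account token (an API-server credential, per the commit message) would cross the cluster network unencrypted whenever the dial options do not enforce TLS; return true, or if plaintext is intentional because the Flux/e2e network policy is the compensating control, say so in a comment on the method so the trade-off survives later refactors. A smaller point: the `GetRequestMetadata` comment is copied from the `credentials.PerRPCCredentials` interface documentation; a type-specific one ("prefer the freshly read file token, fall back to the constructor-time bearer when the read fails") would document the actual fallback behaviour, and the positional literals `&TokenCredentials{bearer, nil}` and `&TokenCredentials{bearer, source}` in `NewTokenCredentials` would read better keyed.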