Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add sourceArn to sts through headers #749

Merged

Conversation

haoranleo
Copy link
Contributor

@haoranleo haoranleo commented Aug 23, 2024

What this PR does / why we need it:
Add cluster details (clusters_arn and account_id) as headers to STS when assuming a role to make requests. When sourceARN is not empty, it will panic if it fails to parse account id from the sourceARN (same behavior as verifying roleARN).

The reason to add sourceArn and sourceAccount to STS request headers is to avoid confusion deputy issue. AWS IAM supports these global conditional key in IAM roles trust policy https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html, and we want to include the caller identity into the STS requests when assuming the role. We have did same change for CCM in kubernetes/cloud-provider-aws#649

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 23, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @haoranleo. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 23, 2024
@bryantbiggs
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 23, 2024
@haoranleo
Copy link
Contributor Author

Thanks @bryantbiggs, could you review when you have a chance?

@bryantbiggs
Copy link
Member

code wise things look good - but I am not an IAM expert so I'll let Micah or someone else weigh in for final approval

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2024
@micahhausler
Copy link
Member

I don't think we can merge this. The additional header is not signed, and can be changed by a middleman. If you did add it to the signed header, thats not backward compatible. We do have an existing scoping/aud check with the cluster ID

@micahhausler
Copy link
Member

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 23, 2024
@micahhausler
Copy link
Member

Ok, I was misunderstanding, this is about the server side role assumption for EC2 instance verification. Yea I think this check is probably fine to add.

@haoranleo
Copy link
Contributor Author

@micahhausler would you like to review when you have a chance?

pkg/ec2provider/ec2provider.go Outdated Show resolved Hide resolved
pkg/ec2provider/ec2provider.go Outdated Show resolved Hide resolved
pkg/ec2provider/ec2provider.go Show resolved Hide resolved
@haoranleo haoranleo requested a review from micahhausler August 26, 2024 17:48
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2024
@haoranleo haoranleo requested a review from micahhausler August 26, 2024 21:55
@haoranleo haoranleo force-pushed the add-source-arc-to-sts-headers branch from 359acd9 to ea8bd8a Compare August 26, 2024 22:26
Copy link
Member

@micahhausler micahhausler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 26, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: haoranleo, micahhausler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2024
@haoranleo
Copy link
Contributor Author

haoranleo commented Aug 26, 2024

@micahhausler could you remove the hold label?

Also PR on release branch #751

@micahhausler
Copy link
Member

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 27, 2024
@k8s-ci-robot k8s-ci-robot merged commit 204cdc5 into kubernetes-sigs:master Aug 27, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants