Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add principal type to role assignment create parameters #4625

Merged
merged 1 commit into from
Mar 20, 2024
Merged

Add principal type to role assignment create parameters #4625

merged 1 commit into from
Mar 20, 2024

Conversation

whites11
Copy link
Contributor

@whites11 whites11 commented Mar 5, 2024

What type of PR is this?

/kind feature

What this PR does / why we need it:

Context: when using identity: SystemAssigned in an AzureMachineTemplate with role definition ID myrole.

Accordingly to the CAPZ documentation: https://capz.sigs.k8s.io/topics/vm-identity#system-assigned-managed-identity the service principal used to run CAPZ controller manager requires User Access Administrator on the Subscription of Workload cluster.

Based on customer feedback, we agree that this is a very wide permissions set assigned to the service principal at hand. The only restriction that can be achieved right now is to limit this access to Role Based Access Control Administrator with a condition on a role to be assigned, for example:

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR 
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
 )
)

This however creates a security flaw, where, if the CAPZ service principal is leaked, the myrole role can be assigned to any resource type, including users.

Desired behaviour: I would like to restrict the role assignment using a constraint like this one:

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR 
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)

This would prevent assigning the myrole role to a User or Group while still allowing assignment to Service Principals.

Problem: doing so without the changes introduced in this PR leads to a permission error:

E0305 14:05:39.993346      14 controller.go:329] "Reconciler error" err=<
	failed to reconcile AzureMachine: failed to reconcile AzureMachine service roleassignments: cannot assign role to VirtualMachine system assigned identity: failed to create or update resource systemassignedidentity-4639/244a1de6-b46f-4fe4-b9cf-58f9b57643fe (service: roleassignments): PUT https://management.azure.com/subscriptions/6b1f6e4a-6d0e-4aa4-9a5a-fbaca65a23b3/resourceGroups/systemassignedidentity-4639/providers/Microsoft.Authorization/roleAssignments/244a1de6-b46f-4fe4-b9cf-58f9b57643fe
	--------------------------------------------------------------------------------
	RESPONSE 403: 403 Forbidden
	ERROR CODE: AuthorizationFailed
	--------------------------------------------------------------------------------
	{
	  "error": {
	    "code": "AuthorizationFailed",
	    "message": "The client 'cab64998-4bbb-447d-a0f5-0f6590b46db7' with object id 'cab64998-4bbb-447d-a0f5-0f6590b46db7' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/6b1f6e4a-6d0e-4aa4-9a5a-fbaca65a23b3/resourceGroups/systemassignedidentity-4639/providers/Microsoft.Authorization/roleAssignments/244a1de6-b46f-4fe4-b9cf-58f9b57643fe' or the scope is invalid. If access was recently granted, please refresh your credentials."
	  }
	}
	--------------------------------------------------------------------------------

This is because in the RoleAssignmentCreate API call, the principalType field is not assigned.

This PR addresses that problem by setting the PrincipalType to ServicePrincipal in the role assignment creation API call.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

None that I'm aware of.

Special notes for your reviewer:

  • cherry-pick candidate

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Set `PrincipalType` in RoleAssignment creation API call when using `SystemAssigned` identity.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 5, 2024
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 5, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @whites11. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 5, 2024
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Mar 5, 2024
@willie-yao
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 5, 2024
@mboersma mboersma self-assigned this Mar 14, 2024
Copy link
Contributor

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/assign @Jont828 @willie-yao
/cherrypick release-1.14
/cherrypick release-1.13

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 15, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: a5dc9adac08d18af234188d9019f38806d8058ed

@@ -352,6 +353,7 @@ func (m *MachineScope) RoleAssignmentSpecs(principalID *string) []azure.Resource
Scope: m.SystemAssignedIdentityScope(),
RoleDefinitionID: m.SystemAssignedIdentityDefinitionID(),
PrincipalID: principalID,
PrincipalType: armauthorization.PrincipalTypeServicePrincipal,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of hardcoding PrincipalType: armauthorization.PrincipalTypeServicePrincipal, would it be valuable to have the user specify PrincipalType in the MachinePool spec?

Is it possible that PrincipleType can take other values than PrincipalTypeServicePrincipal ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great question. Thanks for reviewing @nawazkh!

I found these possible values for PrincipalType

const (
	PrincipalTypeDevice            = "Device"
	PrincipalTypeForeignGroup      = "ForeignGroup"
	PrincipalTypeGroup             = "Group"
	PrincipalTypeServicePrincipal  = "ServicePrincipal"
	PrincipalTypeUser              = "User"
)

and it seemed that the SP type would be associated with the PrincipalID, but it's not entirely clear to me. @whites11 can you clarify?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay, I missed the notification.

So, this role assignment is used only for system assigned role for VMs/VMSSes.
In this scenario, as far as I understood and as far as my tests proved, the only meaningful value for the principal type is service principal.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the explanation. I agree: none of the other values seemed relevant, and this is limited in scope.

@mboersma mboersma removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 19, 2024
Copy link
Contributor

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 20, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: a5dc9adac08d18af234188d9019f38806d8058ed

Copy link
Contributor

@willie-yao willie-yao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Copy link
Contributor

@mboersma mboersma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 20, 2024
@mboersma
Copy link
Contributor

/cherrypick release-1.14

@k8s-infra-cherrypick-robot

@mboersma: once the present PR merges, I will cherry-pick it on top of release-1.14 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mboersma
Copy link
Contributor

/cherrypick release-1.13

@k8s-infra-cherrypick-robot

@mboersma: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot merged commit 52d8380 into kubernetes-sigs:main Mar 20, 2024
17 checks passed
@k8s-infra-cherrypick-robot

@mboersma: new pull request created: #4663

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-infra-cherrypick-robot

@mboersma: new pull request created: #4664

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jackfrancis jackfrancis added this to the v1.15 milestone Apr 12, 2024
bdehri pushed a commit to giantswarm/cluster-api-provider-azure that referenced this pull request May 22, 2024
…-principal-type

Add principal type to role assignment create parameters
bdehri pushed a commit to giantswarm/cluster-api-provider-azure that referenced this pull request May 22, 2024
…-principal-type

Add principal type to role assignment create parameters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

8 participants