Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: Using k8s idp instead of providing console-sa #2166

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 16 additions & 7 deletions api/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,15 @@ package api

import (
"crypto/x509"
"io/ioutil"
"net"
"strconv"
"strings"
"time"

xoauth2 "golang.org/x/oauth2"

"k8s.io/klog/v2"

"github.com/minio/operator/pkg/auth/idp/oauth2"

xcerts "github.com/minio/pkg/certs"
Expand Down Expand Up @@ -60,14 +63,20 @@ var (
GlobalTLSCertsManager *xcerts.Manager
)

// getK8sSAToken assumes the plugin is running inside a k8s pod and extract the current service account from the
// /var/run/secrets/kubernetes.io/serviceaccount/token file
func getK8sSAToken() string {
dat, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
if err != nil {
// getK8sSAToken assumes the plugin is running inside a k8s pod and gets the token directly from IdP as id_token
// if id_token is valid token for k8s, then user will have access as described in k8s documentation:
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens
func getK8sSAToken(oauth2Token *xoauth2.Token) string {
var idToken interface{}
if oauth2Token != nil {
// The extraction of id_token alone
idToken = oauth2Token.Extra("id_token")
}
if idToken == nil {
klog.Warning("we no longer provide console-sa access token but rather your should consider configuring k8s idp to get the token in a production environment")
return env.Get(OperatorSAToken, "")
}
return string(dat)
return idToken.(string)
}

// Get Marketplace deployment platform
Expand Down
5 changes: 4 additions & 1 deletion api/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ package api
import (
"os"
"testing"

xoauth2 "golang.org/x/oauth2"
)

func Test_getK8sSAToken(t *testing.T) {
Expand Down Expand Up @@ -47,7 +49,8 @@ func Test_getK8sSAToken(t *testing.T) {
os.Setenv(k, v)
}
}
if got := getK8sSAToken(); got != tt.want {
var oauth2Token *xoauth2.Token
if got := getK8sSAToken(oauth2Token); got != tt.want {
t.Errorf("getK8sSAToken() = %v, want %v", got, tt.want)
}
if tt.envs != nil {
Expand Down
9 changes: 7 additions & 2 deletions api/login.go
Original file line number Diff line number Diff line change
Expand Up @@ -184,14 +184,19 @@ func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.L
KeyFunc: oauth2.DefaultDerivedKey,
Client: oauth2Client,
}

// Pointer to extract the whole token from IdP
var oauth2Token *xoauth2.Token

// Validate user against IDP
_, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
oauth2Token, err = verifyUserAgainstIDP(ctx, identityProvider, *lr.Code, requestItems.State)
if err != nil {
return nil, ErrorWithContext(ctx, err)
}

// If we pass here that means the IDP correctly authenticate the user with the operator resource
// we proceed to use the service account token configured in the operator-console pod
creds, err := newConsoleCredentials(getK8sSAToken())
creds, err := newConsoleCredentials(getK8sSAToken(oauth2Token))
if err != nil {
return nil, ErrorWithContext(ctx, err)
}
Expand Down
Loading