

Merge pull request #300 from ibihim/sig-auth-acceptance-bump
Introduce changes from master to sig-auth-acceptance branch
ibihim authored Sep 11, 2024
2 parents 60234c7 + 027349e commit 155cd10
Showing 52 changed files with 678 additions and 809 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/build.yml
Expand Up @@ -4,8 +4,8 @@ on: [push, pull_request]

env:
QUAY_PATH: quay.io/brancz/kube-rbac-proxy
go-version: '1.22.1'
kind-version: 'v0.22.0'
go-version: '1.22.4'
kind-version: 'v0.23.0'

jobs:
check-license:
Expand Down Expand Up @@ -71,7 +71,7 @@ jobs:
go-version: ${{ env.go-version }}
- name: Create container & run tests
run: |
VERSION=local make container
VERSION=local VERSION_SEMVER=$(cat ./VERSION) make container
kind load docker-image ${QUAY_PATH}:local
until docker exec $(kind get nodes) crictl images | grep "${QUAY_PATH}"; do
echo "no kube-rbac-proxy image"
4 changes: 2 additions & 2 deletions Dockerfile
@@ -1,5 +1,5 @@
ARG GOARCH=amd64
FROM gcr.io/distroless/static:nonroot-$GOARCH
ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
FROM $BASEIMAGE

ARG BINARY=kube-rbac-proxy-linux-amd64
COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy
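Review bot: The default base image in `ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64` is referenced by a mutable tag, and the image can now be swapped for anything by a single `--build-arg`, so the final image is not reproducible and a changed tag upstream is picked up silently; pinning the default with an `@sha256:` digest (and the matching `BASEIMAGE` default in the Makefile) closes that gap, with the tag kept alongside the digest for readability. Note also that the previous `nonroot-$GOARCH` default followed the target architecture, while the new default is hard-wired to amd64 — a plain `docker build` without `--build-arg BASEIMAGE=…` now pairs the amd64 base with whatever `BINARY` is supplied, which is fine for the Makefile-driven builds shown here but worth a one-line comment, e.g. `# BASEIMAGE must match the architecture of BINARY; the Makefile passes both`.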
31 changes: 17 additions & 14 deletions Makefile
Expand Up @@ -3,20 +3,22 @@ all: check-license build generate test
GO111MODULE=on
export GO111MODULE

PROGRAM_NAME?=kube-rbac-proxy
GITHUB_URL=github.com/brancz/kube-rbac-proxy
GOOS?=$(shell uname -s | tr A-Z a-z)
GOARCH?=$(shell go env GOARCH)
BASEIMAGE?=gcr.io/distroless/static:nonroot-$(GOARCH)
OUT_DIR=_output
BIN?=kube-rbac-proxy
VERSION?=$(shell cat VERSION)-$(shell git rev-parse --short HEAD)
VERSION_SEMVER?=$(shell echo $(VERSION) | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+')
PKGS=$(shell go list ./... | grep -v /test/e2e)
DOCKER_REPO?=quay.io/brancz/kube-rbac-proxy
KUBECONFIG?=$(HOME)/.kube/config
CONTAINER_NAME?=$(DOCKER_REPO):$(VERSION)

ALL_ARCH=amd64 arm arm64 ppc64le s390x
ALL_PLATFORMS=$(addprefix linux/,$(ALL_ARCH))
ALL_BINARIES ?= $(addprefix $(OUT_DIR)/$(BIN)-, \
ALL_BINARIES ?= $(addprefix $(OUT_DIR)/$(PROGRAM_NAME)-, \
$(addprefix linux-,$(ALL_ARCH)) \
darwin-amd64 \
windows-amd64.exe)
Expand All @@ -33,29 +35,29 @@ check-license:

crossbuild: $(ALL_BINARIES)

$(OUT_DIR)/$(BIN): $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH)
cp $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) $(OUT_DIR)/$(BIN)
$(OUT_DIR)/$(PROGRAM_NAME): $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH)
cp $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) $(OUT_DIR)/$(PROGRAM_NAME)

$(OUT_DIR)/$(BIN)-%:
@echo ">> building for $(GOOS)/$(GOARCH) to $(OUT_DIR)/$(BIN)-$*"
$(OUT_DIR)/$(PROGRAM_NAME)-%:
@echo ">> building for $(GOOS)/$(GOARCH) to $(OUT_DIR)/$(PROGRAM_NAME)-$*"
GOARCH=$(word 2,$(subst -, ,$(*:.exe=))) \
GOOS=$(word 1,$(subst -, ,$(*:.exe=))) \
CGO_ENABLED=0 \
go build --installsuffix cgo -o $(OUT_DIR)/$(BIN)-$* $(GITHUB_URL)/cmd/kube-rbac-proxy
go build --installsuffix cgo -ldflags="-X k8s.io/component-base/version.gitVersion=$(VERSION_SEMVER) -X k8s.io/component-base/version.gitCommit=$(shell git rev-parse HEAD) -X k8s.io/component-base/version/verflag.programName=$(PROGRAM_NAME)" -o $(OUT_DIR)/$(PROGRAM_NAME)-$* $(GITHUB_URL)/cmd/kube-rbac-proxy

clean:
-rm -r $(OUT_DIR)

build: clean $(OUT_DIR)/$(BIN)
build: clean $(OUT_DIR)/$(PROGRAM_NAME)

update-go-deps:
@for m in $$(go list -mod=readonly -m -f '{{ if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all); do \
go get -d $$m; \
done
go mod tidy

container: $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(CONTAINER_NAME)-$(GOARCH) .
container: $(OUT_DIR)/$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(PROGRAM_NAME)-$(GOOS)-$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME)-$(GOARCH) .
ifeq ($(GOARCH), amd64)
docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(CONTAINER_NAME)
endif
Expand All @@ -76,6 +78,9 @@ manifest-push: manifest-tool

push: crossbuild manifest-tool $(addprefix push-,$(ALL_ARCH)) manifest-push

test-container: $(OUT_DIR)/$(PROGRAM_NAME)-linux-$(GOARCH) Dockerfile
docker build --build-arg BINARY=$(PROGRAM_NAME)-linux-$(GOARCH) --build-arg BASEIMAGE=$(BASEIMAGE) -t $(CONTAINER_NAME) .

curl-container:
docker build -f ./examples/example-client/Dockerfile -t quay.io/brancz/krp-curl:v0.0.2 .

Expand All @@ -96,11 +101,9 @@ test-e2e:

test-local-setup: VERSION = local
test-local-setup: VERSION_SEMVER = $(shell cat VERSION)
test-local-setup: container kind-create-cluster
test-local-setup: clean test-container kind-create-cluster
test-local: test-local-setup test

test-e2e-local: test-local-setup test-e2e

kind-delete-cluster:
kind delete cluster

Expand All @@ -122,4 +125,4 @@ $(TOOLING): $(TOOLS_BIN_DIR)
@echo Installing tools from scripts/tools.go
@cat scripts/tools.go | grep _ | awk -F'"' '{print $$2}' | GOBIN=$(TOOLS_BIN_DIR) xargs -tI % go install -mod=readonly -modfile=scripts/go.mod %

.PHONY: all check-license crossbuild build container push push-% manifest-push curl-container test test-unit test-e2e generate update-go-deps clean kind-delete-cluster kind-create-cluster
.PHONY: all check-license crossbuild build container push push-% manifest-push test-container curl-container test test-unit test-e2e generate update-go-deps clean kind-delete-cluster kind-create-cluster
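Review bot: `VERSION_SEMVER` can silently expand to empty — `grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+'` yields nothing when `VERSION` carries no `vX.Y.Z` (for example `make container VERSION=local` without also setting `VERSION_SEMVER`, which only the CI step and `test-local-setup` do), and the `go build` rule then bakes an empty `gitVersion` into the binary with no error. A one-line guard at the top of the `$(OUT_DIR)/$(PROGRAM_NAME)-%` recipe fails fast instead: `@test -n "$(VERSION_SEMVER)" || { echo "VERSION_SEMVER is empty (VERSION=$(VERSION))" >&2; exit 1; }`. The same silent-empty applies to `$(shell git rev-parse HEAD)` in the `-ldflags`, which leaves `gitCommit` blank when building outside a git checkout, so the guard could cover it too or the value could be hoisted into a `GIT_COMMIT ?=` variable next to `VERSION`. Both `VERSION` and `VERSION_SEMVER` are recursive (`?=`), so each `$(shell …)` re-runs on every reference; that is harmless for correctness but a `GIT_COMMIT := $(shell git rev-parse HEAD)` style simple assignment avoids the repeated forks.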
33 changes: 12 additions & 21 deletions README.md
Expand Up @@ -56,7 +56,7 @@ Usage:
Secure serving flags:
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. (default 0.0.0.0)
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces and IP address families will be used. (default 0.0.0.0)
--cert-dir string The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. (default "apiserver.local.config/certificates")
--http2-max-streams-per-connection int The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
--permit-address-sharing If true, SO_REUSEADDR will be used when binding the port. This allows binding to wildcard IPs like 0.0.0.0 and specific IPs in parallel, and it avoids waiting for the kernel to release sockets in TIME_WAIT state. [default=false]
Expand Down Expand Up @@ -97,6 +97,7 @@ Proxy flags:
--auth-header-user-field-name string The name of the field inside a http(2) request header to tell the upstream server about the user's name (default "x-remote-user")
--auth-token-audiences strings Comma-separated list of token audiences to accept. By default a token does not have to have any specific audience. It is recommended to set a specific audience.
--config-file string Configuration file to configure static and rewrites authorization of the kube-rbac-proxy.
--disable-http2-serving If true, HTTP2 serving will be disabled [default=false]
--ignore-paths strings Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
--proxy-endpoints-port int The port to securely serve proxy-specific endpoints (such as '/healthz'). Uses the host from the '--secure-listen-address'.
--upstream string The upstream URL to proxy to once requests have successfully been authenticated and authorized.
Expand All @@ -107,29 +108,19 @@ Proxy flags:
OIDC flags:
--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
--oidc-groups-claim string Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
--oidc-groups-prefix string If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
--oidc-issuer string The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
--oidc-sign-alg stringArray Supported signing algorithms, default RS256 (default [RS256])
--oidc-username-claim string Identifier of the user in JWT claim, by default set to 'email' (default "email")
--oidc-ca-file string If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
--oidc-clientID string The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
--oidc-groups-claim string Identifier of groups in JWT claim, by default set to 'groups' (default "groups")
--oidc-groups-prefix string If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
--oidc-issuer string The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
--oidc-sign-alg stringArray Supported signing algorithms, default RS256 (default [RS256])
--oidc-username-claim string Identifier of the user in JWT claim, by default set to 'email' (default "email")
--oidc-username-prefix string If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.
Global flags:
--add-dir-header If true, adds the file directory to the header of the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
-h, --help help for kube-rbac-proxy
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file string If non-empty, use this log file (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--logtostderr log to standard error instead of files (default true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-headers If true, avoid header prefixes in the log messages (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) (DEPRECATED: will be removed in a future release, see https://github.com/kubernetes/enhancements/tree/master/keps/sig-instrumentation/2845-deprecate-klog-specific-flags-in-k8s-components)
--version version[=true] Print version information and quit
-h, --help help for kube-rbac-proxy
--version version[=true] --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version
```

### Authorization configuration
6 changes: 3 additions & 3 deletions cmd/kube-rbac-proxy/app/kube-rbac-proxy.go
Expand Up @@ -152,7 +152,7 @@ func (opts *completedProxyRunOptions) ProxyConfig() (*server.KubeRBACProxyConfig
return nil, err
}

if err := opts.ProxyOptions.ApplyTo(proxyConfig.KubeRBACProxyInfo, proxyConfig.DelegatingAuthentication); err != nil {
if err := opts.ProxyOptions.ApplyTo(proxyConfig.KubeRBACProxyInfo, proxyConfig.DelegatingAuthentication, proxyConfig.SecureServing); err != nil {
return nil, err
}

Expand Down Expand Up @@ -196,7 +196,7 @@ func Run(cfg *server.KubeRBACProxyConfig) error {
var authenticator authenticator.Request
// If OIDC configuration provided, use oidc authenticator
if cfg.KubeRBACProxyInfo.OIDC.IssuerURL != "" {
oidcAuthenticator, err := authn.NewOIDCAuthenticator(cfg.KubeRBACProxyInfo.OIDC)
oidcAuthenticator, err := authn.NewOIDCAuthenticator(ctx, cfg.KubeRBACProxyInfo.OIDC)
if err != nil {
return fmt.Errorf("failed to instantiate OIDC authenticator: %w", err)
}
Expand Down Expand Up @@ -232,7 +232,7 @@ func Run(cfg *server.KubeRBACProxyConfig) error {

handler := identityheaders.WithAuthHeaders(proxy, cfg.KubeRBACProxyInfo.UpstreamHeaders)
handler = kubefilters.WithAuthorization(handler, authz, scheme.Codecs)
handler = kubefilters.WithAuthentication(handler, authenticator, http.HandlerFunc(filters.UnauthorizedHandler), cfg.DelegatingAuthentication.APIAudiences)
handler = kubefilters.WithAuthentication(handler, authenticator, http.HandlerFunc(filters.UnauthorizedHandler), cfg.DelegatingAuthentication.APIAudiences, nil)
// passing an empty RequestInfoFactory results in attaching a non-resource RequestInfo to the context
handler = kubefilters.WithRequestInfo(handler, &request.RequestInfoFactory{})
handler = rewrite.WithKubeRBACProxyParamsHandler(handler, cfg.KubeRBACProxyInfo.Authorization.RewriteAttributesConfig)
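Review bot: The new trailing `nil` passed to `kubefilters.WithAuthentication` is unexplained at the call site; a short comment naming what it stands for — presumably the request-header (front-proxy) authenticator config, which this proxy does not configure — saves the next reader a trip into k8s.io/apiserver, e.g. `// nil: no request-header authenticator config; upstream identity headers are set by identityheaders.WithAuthHeaders above`. If that parameter is what the filter uses to strip client-supplied front-proxy headers from authenticated requests, passing nil means nothing in this chain performs that stripping, so it is worth confirming that `identityheaders.WithAuthHeaders` overwrites rather than appends to any caller-supplied `--auth-header-user-field-name` / group headers before the request reaches the upstream. The body of `Run` starts and ends outside this hunk.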
3 changes: 2 additions & 1 deletion cmd/kube-rbac-proxy/app/options/oidcoptions.go
Expand Up @@ -30,8 +30,9 @@ func (o *OIDCOptions) AddFlags(flagset *pflag.FlagSet) {
//Authn OIDC flags
flagset.StringVar(&o.IssuerURL, "oidc-issuer", "", "The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).")
flagset.StringVar(&o.ClientID, "oidc-clientID", "", "The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.")
flagset.StringVar(&o.GroupsClaim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringVar(&o.UsernameClaim, "oidc-username-claim", "email", "Identifier of the user in JWT claim, by default set to 'email'")
flagset.StringVar(&o.GroupsClaim, "oidc-groups-claim", "groups", "Identifier of groups in JWT claim, by default set to 'groups'")
flagset.StringVar(&o.UsernamePrefix, "oidc-username-prefix", "", "If provided, the username will be prefixed with this value to prevent conflicts with other authentication strategies.")
flagset.StringVar(&o.GroupsPrefix, "oidc-groups-prefix", "", "If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.")
flagset.StringArrayVar(&o.SupportedSigningAlgs, "oidc-sign-alg", []string{"RS256"}, "Supported signing algorithms, default RS256")
flagset.StringVar(&o.CAFile, "oidc-ca-file", "", "If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.")
24 changes: 15 additions & 9 deletions cmd/kube-rbac-proxy/app/options/proxyoptions.go
Expand Up @@ -57,6 +57,8 @@ type ProxyOptions struct {
ProxyEndpointsPort int

TokenAudiences []string

DisableHTTP2Serving bool
}

func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) {
Expand All @@ -81,6 +83,9 @@ func (o *ProxyOptions) AddFlags(flagset *pflag.FlagSet) {

// proxy endpoints flag
flagset.IntVar(&o.ProxyEndpointsPort, "proxy-endpoints-port", 0, "The port to securely serve proxy-specific endpoints (such as '/healthz'). Uses the host from the '--secure-listen-address'.")

// http2 serving flag, remove with k8s 1.31
flagset.BoolVar(&o.DisableHTTP2Serving, "disable-http2-serving", o.DisableHTTP2Serving, "If true, HTTP2 serving will be disabled [default=false]")
}

func (o *ProxyOptions) Validate() []error {
Expand Down Expand Up @@ -116,29 +121,30 @@ func (o *ProxyOptions) Validate() []error {
return errs
}

func (o *ProxyOptions) ApplyTo(c *server.KubeRBACProxyInfo, a *serverconfig.AuthenticationInfo) error {
func (o *ProxyOptions) ApplyTo(krpInfo *server.KubeRBACProxyInfo, authInfo *serverconfig.AuthenticationInfo, serving *serverconfig.SecureServingInfo) error {
var err error

c.UpstreamURL, err = url.Parse(o.Upstream)
krpInfo.UpstreamURL, err = url.Parse(o.Upstream)
if err != nil {
return fmt.Errorf("failed to parse upstream URL: %w", err)
}

if err := c.SetUpstreamTransport(o.UpstreamCAFile, o.UpstreamClientCertFile, o.UpstreamClientKeyFile); err != nil {
if err := krpInfo.SetUpstreamTransport(o.UpstreamCAFile, o.UpstreamClientCertFile, o.UpstreamClientKeyFile); err != nil {
return fmt.Errorf("failed to setup transport for upstream: %w", err)
}

if configFileName := o.ConfigFileName; len(configFileName) > 0 {
c.Authorization, err = parseAuthorizationConfigFile(configFileName)
krpInfo.Authorization, err = parseAuthorizationConfigFile(configFileName)
if err != nil {
return fmt.Errorf("failed to read the config file: %w", err)
}
}

c.UpstreamHeaders = o.UpstreamHeader
c.IgnorePaths = o.IgnorePaths
c.AllowPaths = o.AllowPaths
a.APIAudiences = o.TokenAudiences
serving.DisableHTTP2 = o.DisableHTTP2Serving
krpInfo.UpstreamHeaders = o.UpstreamHeader
krpInfo.IgnorePaths = o.IgnorePaths
krpInfo.AllowPaths = o.AllowPaths
authInfo.APIAudiences = o.TokenAudiences

return nil
}
Expand All @@ -156,7 +162,7 @@ func validateSecureConnectionConfig(o *ProxyOptions) error {
return fmt.Errorf("loopback address is required for h2c: %w", errLoopback)
}

klog.V(4).Info("Failed to validate loopback address: %v", errLoopback)
klog.V(4).Infof("Failed to validate loopback address: %v", errLoopback)

u, err := url.Parse(o.Upstream)
if err != nil {
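Review bot: `ApplyTo` dereferences the new `serving` parameter at `serving.DisableHTTP2 = o.DisableHTTP2Serving` with no nil guard; the caller passes `proxyConfig.SecureServing`, whose construction is outside this hunk, and if that field can be nil (as the apiserver option types leave it when secure serving is not configured) this panics rather than returning a usable error. A guard before the assignment keeps the failure explicit: `if serving == nil { return fmt.Errorf("secure serving config is required to apply --disable-http2-serving") }`. The flag registration carries a `remove with k8s 1.31` note, but the help text gives operators no hint that the flag is temporary; consider `"If true, HTTP2 serving will be disabled [default=false]. Temporary flag, planned for removal."` so it is not built into long-lived manifests. The rest of `Validate`/`validateSecureConnectionConfig` lies outside the hunk.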
1 change: 0 additions & 1 deletion examples/non-resource-url-token-request/README.md
Expand Up @@ -83,7 +83,6 @@ spec:
- "--secure-port=8443"
- "--upstream=http://127.0.0.1:8081/"
- "--auth-token-audiences=kube-rbac-proxy.default.svc"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
1 change: 0 additions & 1 deletion examples/non-resource-url-token-request/deployment.yaml
Expand Up @@ -68,7 +68,6 @@ spec:
- "--secure-port=8443"
- "--upstream=http://127.0.0.1:8081/"
- "--auth-token-audiences=kube-rbac-proxy.default.svc"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
