Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use audience-scoped access token #715

Open
EronWright opened this issue Oct 12, 2024 · 3 comments
Open

Use audience-scoped access token #715

EronWright opened this issue Oct 12, 2024 · 3 comments
Labels
impact/security kind/enhancement Improvements or new features

Comments

@EronWright
Copy link
Contributor

EronWright commented Oct 12, 2024
edited
Loading

The operator transmits its own service account token to the workspace pod for authentication purposes. There is a risk of privilege elevation if the workspace pod were to capture the token and use it to impersonate the operator for arbitrary API Server interactions.

Kubernetes has a feature to prevent this: audience-scoped tokens. Rather than using the default token, the operator should call the TokenRequest API to get a token with a workspace-specific audience (e.g. the service endpoint). The token then has a specific workspace as its audience, and is useless for any other purpose. The TokenReview API validates such tokens as normal. On the agent side, one attaches the expected audience to the context when calling AuthenticateToken:

import "k8s.io/apiserver/pkg/authentication/authenticator"
...
ctx = authenticator.WithAudiences(ctx, []string{"http://my-audience"})
res, ok, err := a.authn.AuthenticateToken(ctx, token)

See also: https://adil.medium.com/how-to-use-tokenrequest-api-and-tokenvolume-projection-in-kubernetes-f007135b9994
@EronWright EronWright converted this from a draft issue Oct 12, 2024
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Oct 12, 2024
@cleverguy25
Copy link

Added to epic #586

@cleverguy25 cleverguy25 mentioned this issue Oct 12, 2024
Closed
5 tasks
@EronWright EronWright added kind/task Work that's part of an ongoing epic impact/security labels Oct 12, 2024
@rquitales rquitales removed the needs-triage Needs attention from the triage team label Oct 14, 2024
@EronWright EronWright added kind/enhancement Improvements or new features and removed kind/task Work that's part of an ongoing epic labels Oct 29, 2024
@EronWright EronWright mentioned this issue Nov 1, 2024
Open
@EronWright
Copy link
Contributor Author

EronWright commented Feb 10, 2025
edited
Loading

A positive side-effect of this would be that, in a dev environment, there'll be no need to provision a long-lived service account token for the operator.

@EronWright
Copy link
Contributor Author

EronWright commented Feb 11, 2025
edited
Loading

An example token:

{
  "aud": [
    "random-yaml-workspace.default:50051"
  ],
  "exp": 1739306657,
  "iat": 1739303057,
  "iss": "https://kubernetes.default.svc.cluster.local",
  "jti": "190a47cf-8963-44b4-b77c-18ece58bc4af",
  "kubernetes.io": {
    "namespace": "pulumi-kubernetes-operator",
    "serviceaccount": {
      "name": "controller-manager",
      "uid": "f48ad504-695a-4775-ba52-d66cd7ffdbb8"
    }
  },
  "nbf": 1739303057,
  "sub": "system:serviceaccount:pulumi-kubernetes-operator:controller-manager"
}

The behavior when the audience is rejected by the agent:

random-yaml-workspace-0 pulumi 2025-02-11T19:47:42.125Z WARN    cmd.serve.grpc  authentication failed with an error{error 26 0  [invalid bearer token, token audiences ["random-yaml-workspace.default:50051"] is invalid for the target audiences ["https://kubernetes.default.svc.cluster.local"]]}
random-yaml-workspace-0 pulumi 2025-02-11T19:47:42.126Z INFO    cmd.serve.grpc  finished unary call with code Unauthenticated      {"grpc.start_time": "2025-02-11T19:47:42Z", "system": "grpc", "span.kind": "server", "grpc.service": "agent.AutomationService", "grpc.method": "SelectStack", "peer.address": "127.0.0.1:59352", "auth.mode": "kubernetes", "error": "rpc error: code = Unauthenticated desc = [invalid bearer token, token audiences [\"random-yaml-workspace.default:50051\"] is invalid for the target audiences [\"https://kubernetes.default.svc.cluster.local\"]]", "grpc.code": "Unauthenticated", "grpc.time_ms": 45.925}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/security kind/enhancement Improvements or new features
Projects
No open projects
Pulumi Kubernetes Operator v2
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@EronWright @cleverguy25 @rquitales @pulumi-bot