diff --git a/lib/kube/proxy/forwarder.go b/lib/kube/proxy/forwarder.go
index 9ab0612a55f39..80f4dad5516db 100644
--- a/lib/kube/proxy/forwarder.go
+++ b/lib/kube/proxy/forwarder.go
@@ -88,7 +88,6 @@ import (
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/srv"
 	"github.com/gravitational/teleport/lib/sshca"
-	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -548,31 +547,20 @@ func (f *Forwarder) authenticate(req *http.Request) (*authContext, error) {
 	if err != nil {
 		return nil, authz.ConvertAuthorizerError(ctx, f.log, err)
 	}
-	peers := req.TLS.PeerCertificates
-	if len(peers) > 1 {
-		// when turning intermediaries on, don't forget to verify
-		// https://github.com/kubernetes/kubernetes/pull/34524/files#diff-2b283dde198c92424df5355f39544aa4R59
-		return nil, trace.AccessDenied("access denied: intermediaries are not supported")
-	}
-	if len(peers) == 0 {
-		return nil, trace.AccessDenied("access denied: only mutual TLS authentication is supported")
-	}
-	clientCert := peers[0]
-	clientIdentity, err := tlsca.FromSubject(clientCert.Subject, clientCert.NotAfter)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
+
 	// kubeResource is the Kubernetes Resource the request is targeted at.
 	// Currently only supports Pods and it includes the pod name and namespace.
 	kubeResource := getPodResourceFromRequest(req.RequestURI)
-	authContext, err := f.setupContext(ctx, *userContext, req, isRemoteUser, clientIdentity, kubeResource)
+	authContext, err := f.setupContext(ctx, *userContext, req, isRemoteUser, kubeResource)
 	if err != nil {
 		f.log.WithError(err).Warn("Unable to setup context.")
 		if trace.IsAccessDenied(err) {
 			if kubeResource != nil {
 				return nil, trace.AccessDenied(
 					kubeResourceDeniedAccessMsg(
-						clientIdentity.Username,
+						// return the unmapped username to the client, otherwise for leaf
+						// clusters the client will see the "remote-username".
+						userContext.UnmappedIdentity.GetIdentity().Username,
 						req.Method,
 						kubeResource,
 					),
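Review bot: The removed checks that rejected requests with no peer certificate or with more than one (the intermediaries case) have no visible replacement in this hunk, so a reader of authenticate can no longer see where mutual TLS with a single leaf certificate is enforced; presumably the authorizer that produced userContext now owns that, but it should be stated where the guards used to be, e.g. `// Client certificate validation (mTLS required, no intermediaries) is performed by the authorizer that produced userContext.` on the added blank line. Likewise, `userContext.UnmappedIdentity.GetIdentity().Username` in the denied-access path assumes UnmappedIdentity is always populated by that authorizer; if any authorizer path can leave it unset, this error path would panic instead of returning the access-denied error. authenticate's body begins and ends outside the hunk.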
@@ -754,7 +742,7 @@ func (f *Forwarder) formatStatusResponseError(rw http.ResponseWriter, respErr er
 	}
 }
 
-func (f *Forwarder) setupContext(ctx context.Context, authCtx authz.Context, req *http.Request, isRemoteUser bool, clientIdentity *tlsca.Identity, kubeResource *types.KubernetesResource) (*authContext, error) {
+func (f *Forwarder) setupContext(ctx context.Context, authCtx authz.Context, req *http.Request, isRemoteUser bool, kubeResource *types.KubernetesResource) (*authContext, error) {
 	ctx, span := f.cfg.tracer.Start(
 		ctx,
 		"kube.Forwarder/setupContext",
@@ -955,8 +943,8 @@ func (f *Forwarder) setupContext(ctx context.Context, authCtx authz.Context, req
 		recordingConfig:       recordingConfig,
 		kubeClusterName:       kubeCluster,
 		kubeResource:          kubeResource,
-		certExpires:           clientIdentity.Expires,
-		disconnectExpiredCert: srv.GetDisconnectExpiredCertFromIdentity(roles, authPref, clientIdentity),
+		certExpires:           identity.Expires,
+		disconnectExpiredCert: srv.GetDisconnectExpiredCertFromIdentity(roles, authPref, &identity),
 		teleportCluster: teleportClusterClient{
 			name:       teleportClusterName,
 			remoteAddr: utils.NetAddr{AddrNetwork: "tcp", Addr: req.RemoteAddr},
diff --git a/lib/kube/proxy/forwarder_test.go b/lib/kube/proxy/forwarder_test.go
index 4275081c6ab6e..e3064d1335fd3 100644
--- a/lib/kube/proxy/forwarder_test.go
+++ b/lib/kube/proxy/forwarder_test.go
@@ -751,6 +751,7 @@ func TestAuthenticate(t *testing.T) {
 					RouteToCluster:    tt.routeToCluster,
 					KubernetesCluster: tt.kubernetesCluster,
 					ActiveRequests:    tt.activeRequests,
+					Expires:           certExpiration,
 				}),
 			}
 			authorizer := mockAuthorizer{ctx: &authCtx}
@@ -769,7 +770,6 @@ func TestAuthenticate(t *testing.T) {
 							CommonName:   username,
 							Organization: []string{"example"},
 						},
-						NotAfter: certExpiration,
 					},
 				},
 			},
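Review bot: In the -955 hunk of forwarder.go, `certExpires` and `disconnectExpiredCert` now read `identity.Expires` and `&identity`, where `identity` is defined outside the hunk, so the link between the session's expiry and the presented client certificate's NotAfter (the old source via clientIdentity) is no longer visible at the point of use. A comment on the certExpires field such as `// identity is taken from the authorizer-provided context; its Expires is what drives disconnect-on-expiry.` would make that explicit, and the wording should be confirmed against where identity is built, which is outside this hunk. The forwarder_test.go hunks move certExpiration from the fixture's certificate NotAfter onto the identity's Expires, which matches the new source but means the test no longer exercises any mismatch between the two. setupContext's body starts and ends outside the hunk.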