Kubernetes External Joining: `static_jwks` implementation by strideynet · Pull Request #30225 · gravitational/teleport

strideynet · 2023-08-09T16:51:39Z

Adds a static_jwks sub-variant of the kubernetes join method to support pods joining in clusters other than the one the Teleport Auth Server is running in.

Closes #25543
As per RFD: #29225

Example Token config:

kind: token
version: v2
metadata:
  name: docker-desktop-jwks
spec:
  roles: [Bot]
  bot_name: docker-desktop
  join_method: kubernetes
  kubernetes:
    type: static_jwks
    static_jwks:
      jwks: |
        {"keys":[{"use":"sig","kty":"RSA","kid":"KCk4tlf5yXj7GJ20L9XcvviNIiCf1QaUhw1Cyzd5VjA","alg":"RS256","n":"vYiAKomeNl--3-HaQ24DhJLlgg05gWIKmYRUxPx5vg4NLTdezUHxl70mygFNSYQrSgRqGpUp1j3_fOQYVKhWOVMPLtIYz4pnH-3mUBhNhpfLZiyMUqtjhijekqGOhlbEwHDvCm0tAMESSJBNHneR2tqEugsnDOpPmi3Z220MPJFO9FotFNd4vhmwEp9raWEIRSW3tRZiBoZ_1DAgR5LlO4q__sr125WL0n3s9exVrjQJxpkkUD4ECdO9020VtgPXL3sw__bE0UMuOWDvAY2sCb6rIN76rRLUbGc_IIP1ahLoFVDqdef-tsFM4pW_dbXu77YpfTfK_sTKOEVeGtKBJQ","e":"AQAB"}]}
    allow:
    - service_account: "default:tbot"

Example Audit Event:

{
  "attributes": {
    "raw": {
      "aud": [
        "leaf.tele.ottr.sh"
      ],
      "exp": 1692026408,
      "iat": 1692025808,
      "iss": "https://kubernetes.default.svc.cluster.local",
      "kubernetes.io": {
        "namespace": "default",
        "pod": {
          "name": "ubuntu",
          "uid": "f6dd8b5e-cafc-4d92-b5ac-1a124a019d72"
        },
        "serviceaccount": {
          "name": "tbot",
          "uid": "8b77ea6d-3144-4203-9a8b-36eb5ad65596"
        }
      },
      "nbf": 1692025808,
      "sub": "system:serviceaccount:default:tbot"
    },
    "type": "static_jwks",
    "username": "system:serviceaccount:default:tbot"
  },
  "bot_name": "docker-desktop",
  "cluster_name": "leaf.tele.ottr.sh",
  "code": "TJ001I",
  "ei": 0,
  "event": "bot.join",
  "method": "kubernetes",
  "success": true,
  "time": "2023-08-14T15:15:59.91Z",
  "token_name": "docker-desktop-jwks",
  "uid": "84922598-1ba6-499f-a8cf-0dba96cab1d5"
}

Example pod spec

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  containers:
    - image: ubuntu
      command:
        - "sleep"
        - "604800"
      imagePullPolicy: IfNotPresent
      name: ubuntu
      volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: tbot-sa
  serviceAccountName: tbot
  restartPolicy: Always
  volumes:
    - name: tbot-sa
      projected:
        sources:
          - serviceAccountToken:
              path: tbot
              expirationSeconds: 600
              audience: leaf.tele.ottr.sh

Example invocation:

export KUBERNETES_TOKEN_PATH=/var/run/secrets/tokens/tbot
./tbot start  --destination-dir=./tbot-user  --token=docker-desktop-jwks  --auth-server=leaf.tele.ottr.sh:443  --join-method=kubernetes

…equest

strideynet · 2023-08-14T10:17:15Z

Blocked pending security review of #29225

…ed-kubernetes-external-join

strideynet · 2023-08-14T17:38:57Z

Docs will follow in a future PR

…ed-kubernetes-external-join

public-teleport-github-review-bot · 2023-09-11T11:18:25Z

@strideynet See the table below for backport results.

Branch	Result
branch/v12	Failed
branch/v13	Failed
branch/v14	Failed

* Add JWKS baseed kubernetes toekn validator * Add types for static_jwks kubernetes join type * Add validation for new fields on Provisiontoken * SPAG * Add support into tbot for kubernetes join method * Wire static_jwks implementation into auth.Server.checkKubernetesJoinRequest * fix-imports * Add JWKS tests for `kubernetestoken` * Fix TestIDTokenValidator_Validate * Ensure token is bound * Fix mistakenely renamed comments * Tidier return type * Refactor tests for slicker UI * Inject jwks token validator for test substitution * Add test cases for static_jwks to lib/auth kube joining test * Remove TODO * Add more test cases to token validation * Add enforcement of maximum TTL * Regenerate operator crd * Improve comments on proto * Rerun ?? generation ?? of ?? operator ?? protos ?? * Remove outdated comment

…) (#31704) * Kubernetes External Joining: `static_jwks` implementation (#30225) * Add JWKS baseed kubernetes toekn validator * Add types for static_jwks kubernetes join type * Add validation for new fields on Provisiontoken * SPAG * Add support into tbot for kubernetes join method * Wire static_jwks implementation into auth.Server.checkKubernetesJoinRequest * fix-imports * Add JWKS tests for `kubernetestoken` * Fix TestIDTokenValidator_Validate * Ensure token is bound * Fix mistakenely renamed comments * Tidier return type * Refactor tests for slicker UI * Inject jwks token validator for test substitution * Add test cases for static_jwks to lib/auth kube joining test * Remove TODO * Add more test cases to token validation * Add enforcement of maximum TTL * Regenerate operator crd * Improve comments on proto * Rerun ?? generation ?? of ?? operator ?? protos ?? * Remove outdated comment * Go mod tidy

…) (#31703) * Kubernetes External Joining: `static_jwks` implementation (#30225) * Add JWKS baseed kubernetes toekn validator * Add types for static_jwks kubernetes join type * Add validation for new fields on Provisiontoken * SPAG * Add support into tbot for kubernetes join method * Wire static_jwks implementation into auth.Server.checkKubernetesJoinRequest * fix-imports * Add JWKS tests for `kubernetestoken` * Fix TestIDTokenValidator_Validate * Ensure token is bound * Fix mistakenely renamed comments * Tidier return type * Refactor tests for slicker UI * Inject jwks token validator for test substitution * Add test cases for static_jwks to lib/auth kube joining test * Remove TODO * Add more test cases to token validation * Add enforcement of maximum TTL * Regenerate operator crd * Improve comments on proto * Rerun ?? generation ?? of ?? operator ?? protos ?? * Remove outdated comment * Add Kubernetes to repeatable bot join types * Go mod tidy

…31702) * Add JWKS baseed kubernetes toekn validator * Add types for static_jwks kubernetes join type * Add validation for new fields on Provisiontoken * SPAG * Add support into tbot for kubernetes join method * Wire static_jwks implementation into auth.Server.checkKubernetesJoinRequest * fix-imports * Add JWKS tests for `kubernetestoken` * Fix TestIDTokenValidator_Validate * Ensure token is bound * Fix mistakenely renamed comments * Tidier return type * Refactor tests for slicker UI * Inject jwks token validator for test substitution * Add test cases for static_jwks to lib/auth kube joining test * Remove TODO * Add more test cases to token validation * Add enforcement of maximum TTL * Regenerate operator crd * Improve comments on proto * Rerun ?? generation ?? of ?? operator ?? protos ?? * Remove outdated comment

strideynet added 9 commits August 9, 2023 16:58

Add JWKS baseed kubernetes toekn validator

6a46b8c

Add types for static_jwks kubernetes join type

1139bb3

Add validation for new fields on Provisiontoken

c2f4ecb

SPAG

f7ceea0

Add support into tbot for kubernetes join method

2a4c5ec

Wire static_jwks implementation into auth.Server.checkKubernetesJoinR…

d780f60

…equest

fix-imports

efd6268

Add JWKS tests for kubernetestoken

5235279

Fix TestIDTokenValidator_Validate

122fdac

strideynet commented Aug 10, 2023

View reviewed changes

Comment thread lib/kubernetestoken/token_validator.go Outdated

strideynet added 7 commits August 10, 2023 17:08

Ensure token is bound

27380f8

Fix mistakenely renamed comments

d79272a

Tidier return type

74b658c

Refactor tests for slicker UI

2303ea8

Inject jwks token validator for test substitution

246e9f5

Add test cases for static_jwks to lib/auth kube joining test

453ca20

Remove TODO

129f8b0

strideynet added the blocked is blocked by another item - please include the blocker label Aug 14, 2023

strideynet added backport/branch/v12 labels Aug 14, 2023

strideynet added 6 commits August 14, 2023 11:22

Add more test cases to token validation

eb797af

Add enforcement of maximum TTL

5748fb8

Merge remote-tracking branch 'origin/master' into strideynet/simplifi…

cee0b5a

…ed-kubernetes-external-join

Regenerate operator crd

d872ff1

Improve comments on proto

d03cc60

Rerun ?? generation ?? of ?? operator ?? protos ??

673c157

strideynet requested review from hugoShaka and tigrato August 14, 2023 15:25

Remove outdated comment

29a66d8

strideynet marked this pull request as ready for review August 14, 2023 16:53

strideynet added the changelog label Aug 14, 2023

github-actions Bot added the helm label Aug 14, 2023

github-actions Bot requested a review from r0mant August 14, 2023 16:53

github-actions Bot added kubernetes-access machine-id size/lg labels Aug 14, 2023

This was referenced Aug 14, 2023

External Kubernetes joining docs #30455

Closed

Kubernetes Remote Joining POC #30165

Closed

hugoShaka approved these changes Aug 15, 2023

View reviewed changes

Comment thread api/types/provisioning.go

tigrato approved these changes Aug 16, 2023

View reviewed changes

zmb3 added the backport/branch/v14 label Aug 30, 2023

Merge remote-tracking branch 'origin/master' into strideynet/simplifi…

a6039da

…ed-kubernetes-external-join

strideynet enabled auto-merge September 11, 2023 10:42

strideynet added this pull request to the merge queue Sep 11, 2023

Merged via the queue into master with commit 64f703a Sep 11, 2023

strideynet deleted the strideynet/simplified-kubernetes-external-join branch September 11, 2023 11:16

strideynet mentioned this pull request Sep 11, 2023

[v14] Kubernetes External Joining: static_jwks implementation (#30225) #31702

Merged

strideynet mentioned this pull request Sep 11, 2023

[v13] Kubernetes External Joining: static_jwks implementation (#30225) #31703

Merged

strideynet mentioned this pull request Sep 11, 2023

[v12] Kubernetes External Joining: static_jwks implementation (#30225) #31704

Merged

programmerq mentioned this pull request Oct 9, 2023

allow github tokens for unreachable github enterprise instances. #33171

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Kubernetes External Joining: `static_jwks` implementation#30225

Kubernetes External Joining: `static_jwks` implementation#30225
strideynet merged 24 commits intomasterfrom
strideynet/simplified-kubernetes-external-join

strideynet commented Aug 9, 2023 •

edited

Loading

Uh oh!

Uh oh!

strideynet commented Aug 14, 2023

Uh oh!

strideynet commented Aug 14, 2023

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Sep 11, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

strideynet commented Aug 9, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

strideynet commented Aug 14, 2023

Uh oh!

strideynet commented Aug 14, 2023

Uh oh!

Uh oh!

public-teleport-github-review-bot Bot commented Sep 11, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

strideynet commented Aug 9, 2023 •

edited

Loading