Add a new role.allow.request field called kubernetes_resources

[kimlisa]

part of #46742
rfd: #46691

Defines a new role.allow.request field called kubernetes_resources.

For now it holds a field kubernetes_resources that follows same format as existing allow.kubernetes_resources, except the only field we support in the options field is Kind (defining other fields will reject the role upserting actions).

The Kind allows admins to define what kube subresources a user can request during request creation and disallow requesting request for kube_cluster. It allows the wildcard to mean allow request to any kube subresources.

If role.allow.request.kubernetes_resources is not defined, or length 0, it means a user can request for kube_cluster or any of its subresources.

example, if requester role says:

kind: role
metadata:
  name: requester
spec:
  allow:
    request:
      search_as_roles:
      - kube-access
  options:
    request_mode:
      kubernetes_resources:
      - kind: namespace

requesting kind kube_cluster is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-pumpkin: [pod], access: [pod], access-kube-coffee: [namespace]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind pod is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/pod/coffee-kube-cluster/kube-system/coredns-7db6d8ff4d-mhjlv

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-coffee: [namespace]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind namespace is allowed:

Creating request...
Request ID:     0192bc03-0421-765b-9f5d-db01d9f7f647                                                    
Username:       lisa+1@goteleport.com                                                                   
Roles:          access-kube-coffee                                                                      
Resources:      ["/kimlisa22.cloud.gravitational.io/namespace/coffee-kube-cluster/coffee-kube-cluster"] 
Reason:         [none]                                                                                  
Reviewers:      [none] (suggested)                                                                      
Access Expires: 2024-10-24 01:51:54                                                                     
Status:         PENDING                                                                                 

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

wildcard example output:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-coffee: [pod secret configmap namespace service serviceaccount kube_node persistentvolume persistentvolumeclaim deployment replicaset statefulset daemonset clusterrole kube_role clusterrolebinding rolebinding cronjob job certificatesigningrequest ingress]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

changelog: Define a new role.allow.request field called kubernetes_resources that allows admins to define what kinds of Kubernetes resources a requester can make.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[tigrato]

Can we use a dedicated type for this setting?
Reusing the KubernetesResource gives confusion because you can set a lot of data that isn't allowed

[kimlisa]

friendly ping @tigrato @nklaassen

[tigrato]

Can you please add unmarshal from/to yaml of roles with this section defined?

[kimlisa]

i made a few adjustments based on review:

the request mode found on the same role as the search as roles will be enforced:

• querying for kube resources with search as roles will prune roles that doesn't match request mode with request type
• when creating request, request modes will be enforced during:
  • pruning search as roles with only root resource request
  • pruning search as roles with leaf and root resources (pruning doesn't happen, but we will still enforce request mode without any special matchers)
  • requesting custom roles, users can manually change/request roles so this will skip pruning check altogether, but we will still enforce request mode checking without any special matchers

[tigrato]

In addition to these changes, you’ll also need to update the following code:

teleport/lib/kube/grpc/grpc.go

Lines 161 to 163 in 64922df

	if req.UseSearchAsRoles {
	extraRoles = append(extraRoles, userContext.Checker.GetAllowedSearchAsRoles()...)
	}

These changes are necessary to prevent users who are blocked from requesting access to specific types from being able to verify the existence of those assets in k8s.

GetSearchAsRoles must return the search as roles allowed to be used for the particular kubernetes subresource and deny if none match.

It's not a blocker but it must be released before v17

[tigrato]

should we check for len(xxx)==0?

[kimlisa]

sure i guess checking len is slightly safer b/c i'm thinking you're concerned this can happen

var array []string, by itself is nil
array := []string{} is not?

[tigrato]

Yeah. If someone changes the approach from using a non-initialized array to an initialized array, the code won't catch it.

[tigrato]

same as above

[tigrato]

godoc

[github-actions]

🤖 Vercel preview here: https://docs-6onolp5ve-goteleport.vercel.app/docs/ver/preview

[github-actions]

🤖 Vercel preview here: https://docs-dnfaf44ij-goteleport.vercel.app/docs/ver/preview

[public-teleport-github-review-bot]

@kimlisa - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes.

[github-actions]

🤖 Vercel preview here: https://docs-5jy8ahdem-goteleport.vercel.app/docs/ver/preview

[public-teleport-github-review-bot]

@kimlisa See the table below for backport results.

Branch	Result
branch/v16	Failed
branch/v17	Failed