-
Notifications
You must be signed in to change notification settings - Fork 885
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
oauth2-proxy and programmatic access clients #2517
Comments
This should be addressed after #2516 |
10 tasks
kromanow94
added a commit
to kromanow94/kubeflow-internal-acls
that referenced
this issue
Jan 2, 2024
Contributions: * kubeflow/manifests#2544 * kubeflow/manifests#2588 * kubeflow/manifests#2516 * kubeflow/manifests#2517 * kubeflow/manifests#2229 (review) * kubeflow/kubeflow#7437 (comment) * https://kubeflow.slack.com/archives/CKBA5D0MU/p1702465109437099 * https://kubeflow.slack.com/archives/C01A7RYEYMB/p1702556772959959 * https://kubeflow.slack.com/archives/CE10KS9M4/p1700672066110009 * https://kubeflow.slack.com/archives/CE10KS9M4/p1700672066110009
google-oss-prow bot
pushed a commit
to kubeflow/internal-acls
that referenced
this issue
Jan 2, 2024
Contributions: * kubeflow/manifests#2544 * kubeflow/manifests#2588 * kubeflow/manifests#2516 * kubeflow/manifests#2517 * kubeflow/manifests#2229 (review) * kubeflow/kubeflow#7437 (comment) * https://kubeflow.slack.com/archives/CKBA5D0MU/p1702465109437099 * https://kubeflow.slack.com/archives/C01A7RYEYMB/p1702556772959959 * https://kubeflow.slack.com/archives/CE10KS9M4/p1700672066110009 * https://kubeflow.slack.com/archives/CE10KS9M4/p1700672066110009
10 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
This is a follow up for #2409.
It was discussed that the oauth2-proxy integration with Istio should also cover m2m setup with authorization bearer tokens issued by oidc provider with emphasis on also supporting the default kubernetes oidc served behind
https://kubernetes.default.svc.cluster.local
.The exact setup and reasoning was described it this and following comments: #2409 (comment).
oauth2-proxy
should be configured to skip jwt validation when a specificissuer=audience
pair is provided withextra_jwt_issuers
configuration option. This pair will behttps://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local
for the default k8s oidc. This will forward the traffic directly to Istio and then we can have aRequestAuthentication
resource that will verify the JWT and authorize access to the services based on JWT Payload.As mentioned in the #2409, I'll provide a PR for this feature.
Considerations
Istio
When using the default k8s oidc (which k8s configures by default if not provided with external oidc client details), the issuer is somewhat problematic. This is because the issuer is served behind self-signed certificates and accessible under endpoint that requires authentication.
Configuring traffic with
RequestAuthentication
for the default k8s oidc like below will not work andistiod
will output following log:Following the log about JWKS and knowing the detail about cert and auth of oidc issuer, I was able to verify that if we were to take the JWKS and provide it directly as string in
RequestAuthentication
, this issue is not happening anymore.Example
oauth2-proxy
oauth2-proxy has to be configured with following config to skip verification of JWTs when issued by kubernetes oidc:
It's important to know that although the auth process will be skipped for a request with a jwt bearer token, oauth2-proxy will still verify the jwt against the oidc to verify if the token was indeed created by the issuer. Because of that it's still important to ensure that the self signed certs of default k8s oidc issuer are trusted in oauth2-proxy container.
I verified that if oauth2-proxy container has content of
/run/secrets/kubernetes.io/serviceaccount/ca.crt
in/etc/ssl/certs/ca-certificates.crt
, the certs ofhttps://kubernetes.default.svc.cluster.local
will be trusted. We could provide an init container that prepares thecertificates.crt
inemptyDir
volume and then it would be mounted in/etc/ssl/certs/
.Another thing is with configuration of anonymous access to the oidc endpoints. This could be simply achieved with:
The
ClusterRole
system:service-account-issuer-discovery
is created by default by kubernetes. It was verified in EKS, vcluster and dind that it exist.I'd appreciate some comment to confirm that the described method of achieving m2m tokens with oauth2-proxy is accepted.
@kimwnasptd @juliusvonkohout @axel7083
The text was updated successfully, but these errors were encountered: