[KEP-3104] Update KEP with credential plugin allowlist #5479
Conversation
|
|
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
the
sig/cli
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @pmengelbert! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @pmengelbert. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/M
|
/sig auth |
k8s-ci-robot
added
the
sig/auth
|
This LGTM from a SIG Auth perspective (I added us as a participating SIG). |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
do-not-merge/invalid-commit-message
| reason. The user should instead use `credentialPluginPolicy: DisableAll` in | ||
| this case. | ||
|
|
||
| Commands that don't create a client, such as `kubectl config view` will not be |
There was a problem hiding this comment.
is there any other command that will be exceptional like kubectl config view?
There was a problem hiding this comment.
Off the top of my head, there are
kubectl config (any subcommand)
kubectl version
kubectl plugin list
Should I update the KEP with a full list?
There was a problem hiding this comment.
hmm... I think it's going to be hard to enumerate every specific command that won't actually use the client. There's lots of commands that only run locally with specific options (e.g. all kubectl create ... --dry-run=client commands, or kubectl {label,annotate,set} --local)
I think the implementation should be structured so that it intercepts attempts to use a non-allowlisted credential plugin and rejects them at time of use, so commands that don't even need the plugin don't start failing for no reason.
There was a problem hiding this comment.
I think the implementation should be structured so that it intercepts attempts to use a non-allowlisted credential plugin and rejects them at time of use, so commands that don't even need the plugin don't start failing for no reason.
So that significantly changes the implementation. Maybe we just need to get the list of plugins (allowed, disallowed, etc.) in kubectl/cmd and pass it to client-go (or cli-runtime) to accept/reject this credential exec plugin, when there is a request to API Server?
There was a problem hiding this comment.
I don't think this will change the implementation that much. Per my understanding, that was how it was going to work from start.
There was a problem hiding this comment.
I think the implementation should be structured so that it intercepts attempts to use a non-allowlisted credential plugin and rejects them at time of use, so commands that don't even need the plugin don't start failing for no reason.
So that significantly changes the implementation. Maybe we just need to get the list of plugins (allowed, disallowed, etc.) in kubectl/cmd and pass it to client-go (or cli-runtime) to accept/reject this credential exec plugin, when there is a request to API Server?
Per recent discussion in the sig-api-machinery biweekly, they are in agreement with the following:
- The allowlist can be specified in kuberc as described by this KEP so that
kubectlmay benefit from it. - The allowlist will be parsed by the kuberc parser.
- The allowlist parsing logic should be made public if it is not already, such that non-kubectl clients can use it to read allowlists configured there.
client-gowill be modified to permit a hook accepting a parsed allowlist on client creation.- Frontends other than
kubectlmay use this hook to use the allowlist - Go clients can use the hook as they wish
- The allowlist will be plumbed to the point of plugin execution and will be consulted before the
execcall.
There was a problem hiding this comment.
That sounds like a reasonable plan to me.
There was a problem hiding this comment.
This all sounds exactly what I was imagining it would, thank you!
|
I think, this PR needs a rebase to remove the invalid-commit label. Otherwise, this PR can't be merged. |
pmengelbert
force-pushed
the
pmengelbert/sig-cli/kuberc/4
branch
2 times, most recently
from
7e85530 to
23506b7
Compare
@liggitt done |
An example: a CI pipeline creates a cluster on-demand and generates a kubeconfig using bespoke tools. That generated kubeconfig is produced as an artifact for a cluster user to download. Now the bespoke tooling and the pipeline are targets because they generate a kubeconfig; the allowlist protects the user of that kubeconfig from compromised pipelines or tooling.
Agreed, I will add language clarifying this.
/sig security |
k8s-ci-robot
added
the
sig/security
pmengelbert
force-pushed
the
pmengelbert/sig-cli/kuberc/4
branch
2 times, most recently
from
c306ddc to
9a6f723
Compare
Currently, the kubeconfig may specify arbitrary binaries to run as
client-go credential plugins. Due to the fact that kubeconfig files are
often generated, and because they contain a lot of noise, there is
significant friction in manually inspecting the kubeconfig for
suspicious binaries after it is generated.
To encourage secure behavior, we want to introduce an allowlist to the
kuberc, which will describe the conditions under which a binary plugin
may be run. Currently the only condition is the name (absolute path or
basename of a binary found in `PATH`).
* Revise based on feedback
- Describe behavior when allowlist is `nil`
- Describe behavior when allowlist is empty
- Describe future plans for field additions
* Add SIG Auth as participating SIG
* Update TOC for KEP 3104
* Correct `os.LookPath` to `exec.LookPath`
* Add note about when the allowlist will not apply
* Avoid confusion between nil list and empty list
In the credential plugin allowlist, consider nil and empty lists an
error. Jordan Liggitt has pointed out that treating them differently is
generally avoided in APIs, as it can confuse users.
In order to make the user's intention more explicit, an additional
field, `credentialPluginPolicy` has been added. Its value must be one of
`EnableAll | DisableAll | Allowlist`. `EnableAll` and `DisableAll` are
self-explanatory and do not require an allowlist. `Allowlist` will use
the allowlist as defined in the KEP.
* Note that this change considers the following cases to be errors:
- a policy of `EnableAll` with an allowlist provided
- a policy of `DisableAll` with an allowlist provided
- a policy of `Allowlist` with no allowlist provided (i.e. a `nil`
- allowlist`
- a policy of `Allowlist` with an explicitly empty allowlist provided
* Clarify v1beta1 and kubectl v1.35 only (allowlist)
* Update kep.yaml
- Add sig-api-machinery as participating SIG
- Add enj as reviewer
- Update latest milestone to v1.35
* Allowlist: rename `name` field to `command`
* Clarify meaning of "the operation will fail"
* Specify appropriate api group and version
* Move detail to new section under `Design Details`
* Add table showing `command` comparison
Signed-off-by: Peter Engelbert <[email protected]>
pmengelbert
force-pushed
the
pmengelbert/sig-cli/kuberc/4
branch
from
9a6f723 to
536c62b
Compare
|
All comments have been addressed and this is ready for another round of review. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign mpuckett159 Not sure if I should wait until there's a review from someone in |
|
I'm approving from sig-cli POV |
k8s-ci-robot
added
do-not-merge/hold
|
|
||
| If `credentialPluginPolicy` is set to `Allowlist`, but a | ||
| `credentialPluginAllowlist` is not provided, it will be considered an | ||
| configuration error. Rather than guess at what the user intended, the operation |
There was a problem hiding this comment.
Configuration error should error out during parsing not during execution. We already have a separate validation step which I'd expect to be extended with validation for this new addition.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ardaguclu, liggitt, pmengelbert, soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
8 participants
Currently, the kubeconfig may specify arbitrary binaries to run as
client-go credential plugins. Due to the fact that kubeconfig files are
often generated, and because they contain a lot of noise, there is
significant friction in manually inspecting the kubeconfig for
suspicious binaries after it is generated.
To encourage secure behavior, we want to introduce an allowlist to the
kuberc, which will describe the conditions under which a binary plugin
may be run. Currently the only condition is the name (absolute path or
basename of a binary found in
PATH).