adding a new enhancement for fixing anonymous user access

vareti · vareti · commit 36fdc00d42a7 · 2020-05-13T15:34:15.000-05:00
diff --git a/enhancements/authentication/unauthenticated-subjects.md b/enhancements/authentication/unauthenticated-subjects.md
@@ -0,0 +1,116 @@
+---
+title: cleaning-up-unauthenticated-subjects-from-cluster-role-bindings
+authors:
+  - "@vareti"
+reviewers:
+  - "@marun"
+  - "@sttts"
+  - "@deads2k"
+approvers:
+  - "@sttts"
+creation-date: 2020-05-07
+last-updated: 2020-05-07
+status: implementable
+see-also:
+replaces:
+superseded-by:
+---
+
+# Cleaning Up Unauthenticated Subject from Cluster Role Bindings
+
+## Release Signoff Checklist
+
+- [x] Enhancement is `implementable`
+- [ ] Design details are appropriately documented from clear requirements
+- [ ] Test plan is defined
+- [ ] Graduation criteria for dev preview, tech preview, GA
+- [ ] User-facing documentation is created in [openshift-docs](https://github.com/openshift/openshift-docs/)
+
+## Open Questions [optional]
+
+## Summary
+
+In earlier releases of OpenShift, the authorization module would allow anonymous users to access discovery endpoints. This enhancement proposes a way to remove unauthenticated subjects from cluster role bindings after an upgrade from this earlier release. It is possible that a customer is relying on anonymous user behavior in an implementation. This enhancement also proposes a way to opt-out of this reconciliation mechanism. Thus helping cases where changes are not desirable to customer implementations. Later releases of OpenShift removed this access for anonymous users. So, this enhancement would not affect the customers who install a fresh cluster using these later releases.
+
+## Motivation
+
+  * In earlier releases of OpenShift, an anonymous user could access “/” endpoint. Later releases revoked this access by removing unauthenticated subjects from cluster role bindings. Because of the way default policy resources are reconciled, after an upgrade from the earlier release, an anonymous user could still access "/" endpoint.
+  * Exposing unauthenticated endpoints to anonymous users can lead to information leakage. This is undesirable and needs prevention if possible. A user can see the list of available groups and endpoints on an API server using "/" endpoint. As this list could contain sensitive information, it is important to NOT allow anonymous users to access API Server discovery endpoints.
+
+### Goals
+
+> 1. In clusters upgraded from OCP 4.1, remove unauthenticated subjects from cluster role bindings with annotation "rbac.authorization.k8s.io/autoupdate=true".
+> 2. Users can opt-out of reconciliation if they set the annotation to "false".
+
+### Non-Goals
+
+## Proposal
+
+* Background
+  * A user who does not provide enough details for authentication with the kube-apiserver is considered anonymous and will be part of "system:unauthenticated" group.
+  * Both kube-apiserver and openshift-apiserver create a set of cluster roles and cluster role bindings during bootstrap.
+    * This [link](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings) has the list of default cluster roles and cluster role bindings in Kubernetes.
+	* This [link](https://docs.openshift.com/container-platform/4.4/authentication/using-rbac.html#default-roles_using-rbac) has the list of default cluster roles in OpenShift
+  * "rbac.authorization.k8s.io/autoupdate=true" annotation is also added to default policy resources.
+  * On start-up both openshift-apiserver and kube-apiserver reconcile default policy resources. They do the following operations if the annotation is not modified.
+    * create the missing policy resource
+	* add the missing permissions to cluster roles or add the missing subjects to cluster role bindings.
+  * reconciliation does not delete any existing permissions or subjects.
+  * Resources with the annotation set to "false" skips above operations. This allows an admin to opt-out of reconciliation for specific resource.
+  * Detailed behavior can be found at this [link](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation).
+
+* Openshift-apiserver operator implements a new RBACController to reconcile following cluster role bindings created by openshift-apiserver.
+  * cluster-status-binding
+  * discovery
+  * system:openshift:discovery
+  * basic-users
+* If the annotation is not modified, controller removes the unauthenticated subject from the list of subjects and updates the resource in the API sserver.
+* Customers can opt-out of this reconciliation by setting the annoation to "false".
+
+### User Stories [optional]
+
+N/A
+
+### Implementation Details/Notes/Constraints [optional]
+
+N/A
+
+### Risks and Mitigations
+
+Because of the earlier releases of OpenShift allowing access to “/” endpoint, some customer implementations might be expecting this privileged access to anonymous users. Removing unauthenticated subject on an upgrade might break some of these implementations. Informing customers beforehand of this change would help the customer to decide better. Customers can either opt-out of reconciliation or change their implementation to match the new requirements. A customer can opt-out of reconciliation by setting the annotation to "false" before the upgrade.
+
+## Design Details
+
+### Test Plan
+
+Existing e2e test can be re-used to validate the change.
+
+### Graduation Criteria
+
+As this enhancement fixes a bug, graduation criteria is not applicable.
+
+##### Removing a deprecated feature
+
+N/A
+
+### Upgrade / Downgrade Strategy
+
+N/A
+
+### Version Skew Strategy
+
+N/A
+
+## Implementation History
+
+N/A
+
+## Drawbacks
+
+N/A
+
+## Alternatives
+
+An alternate implementation is to add an alert to warn of potentially insecure bootstrap policy with instructions to fix. This would not break existing clusters and ensures that they could fix the problem.
+
+## Infrastructure Needed [optional]
