surface authz webhook flags to configure an external authorization webhook

On-behalf-of: @SAP [email protected]

Author: xrstf

pkg/server/options/authorization.go

@@ -84,6 +84,11 @@ func (s *Authorization) AddFlags(fs *pflag.FlagSet) {
 func (s *Authorization) ApplyTo(config *genericapiserver.Config, kubeInformers, globalKubeInformers kcpkubernetesinformers.SharedInformerFactory, kcpInformers, globalKcpInformers kcpinformers.SharedInformerFactory) error {
 	var authorizers []authorizer.Authorizer
 
+	// re-use the authorizer from the generic control plane (this is only set for webhooks)
+	if authorizer := config.Authorization.Authorizer; authorizer != nil {
+		authorizers = append(authorizers, authorizer)
+	}
+
 	localLogicalClusterLister := kcpInformers.Core().V1alpha1().LogicalClusters().Lister()
 	globalLogicalClusterLister := globalKcpInformers.Core().V1alpha1().LogicalClusters().Lister()
 

pkg/server/options/flags.go

@@ -55,8 +55,8 @@ var (
 		"audit-webhook-truncate-max-batch-size", // Maximum size of the batch sent to the underlying backend. Actual serialized size can be several hundreds of bytes greater. If a batch exceeds this limit, it is split into several batches of smaller size.
 		"audit-webhook-truncate-max-event-size", // Maximum size of the audit event sent to the underlying backend. If the size of an event is greater than this number, first request and response are removed, and if this doesn't reduce the size enough, event is discarded.
 		"audit-webhook-version",                 // API group and version used for serializing audit events written to webhook.
-
 		// authentication flags
+
 		"anonymous-auth",                           // Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.
 		"api-audiences",                            // Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If the --service-account-issuer flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL.
 		"authentication-token-webhook-cache-ttl",   // The duration to cache responses from the webhook token authenticator.
@@ -80,6 +80,12 @@ var (
 		"requestheader-username-headers",           // List of request headers to inspect for usernames. X-Remote-User is common.
 		"token-auth-file",                          // If set, the file that will be used to secure the secure port of the API server via token authentication.
 
+		// authorization
+		"authorization-webhook-config-file",            // File with webhook configuration in kubeconfig format, used with --authorization-mode=Webhook. The API server will query the remote service to determine access on the API server's secure port.
+		"authorization-webhook-version",                // The API version of the authorization.k8s.io SubjectAccessReview to send to and expect from the webhook.
+		"authorization-webhook-cache-authorized-ttl",   // The duration to cache 'authorized' responses from the webhook authorizer.
+		"authorization-webhook-cache-unauthorized-ttl", // The duration to cache 'unauthorized' responses from the webhook authorizer.
+
 		// Kubernetes ServiceAccount Authentication flags
 		"service-account-extend-token-expiration", // Turns on projected service account expiration extension during token generation, which helps safe transition from legacy token to bound service account token feature. If this flag is enabled, admission injected tokens would be extended up to 1 year to prevent unexpected failure during transition, ignoring value of service-account-max-token-expiration.
 		"service-account-issuer",                  // Identifier of the service account token issuer. The issuer will assert this identifier in "iss" claim of issued tokens. This value is a string or URI. If this option is not a valid URI per the OpenID Discovery 1.0 spec, the ServiceAccountIssuerDiscovery feature will remain disabled, even if the feature gate is set to true. It is highly recommended that this value comply with the OpenID spec: https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, this means that service-account-issuer must be an https URL. It is also highly recommended that this URL be capable of serving OpenID discovery documents at {service-account-issuer}/.well-known/openid-configuration. When this flag is specified multiple times, the first is used to generate tokens and all are used to determine which issuers are accepted.
@@ -204,5 +210,10 @@ var (
 		// authentication flags
 		// TODO(embik): look at enabling this feature.
 		"authentication-config", // File with Authentication Configuration to configure the JWT Token authenticator. Note: This feature is in Alpha since v1.29.--feature-gate=StructuredAuthenticationConfiguration=true needs to be set for enabling this feature.This feature is mutually exclusive with the oidc-* flags.
+
+		// authorization flags
+		"authorization-mode",        // Ordered list of plug-ins to do authorization on secure port. Defaults to AlwaysAllow if --authorization-config is not used. Comma-delimited list of: Webhook
+		"authorization-config",      // File with Authorization Configuration to configure the authorizer chain.
+		"authorization-policy-file", // File with authorization policy in json line by line format, used with --authorization-mode=ABAC, on the secure port.
 	)
 )

pkg/server/options/options.go

@@ -29,7 +29,7 @@ import (
 	genericapiserveroptions "k8s.io/apiserver/pkg/server/options"
 	cliflag "k8s.io/component-base/cli/flag"
 	controlplaneapiserver "k8s.io/kubernetes/pkg/controlplane/apiserver/options"
-	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
+	authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 
 	kcpadmission "github.com/kcp-dev/kcp/pkg/admission"
 	etcdoptions "github.com/kcp-dev/kcp/pkg/embeddedetcd/options"
@@ -114,18 +114,8 @@ func NewOptions(rootDir string) *Options {
 
 	// override all the stuff
 	o.GenericControlPlane.SecureServing.ServerCert.CertDirectory = rootDir
-	o.GenericControlPlane.Authentication = kubeoptions.NewBuiltInAuthenticationOptions().
-		WithAnonymous().
-		WithBootstrapToken().
-		WithClientCert().
-		WithOIDC().
-		WithRequestHeader().
-		WithServiceAccounts().
-		WithTokenFile().
-		WithWebHook()
 	o.GenericControlPlane.Authentication.ServiceAccounts.Issuers = []string{"https://kcp.default.svc"}
 	o.GenericControlPlane.Etcd.StorageConfig.Transport.ServerList = []string{"embedded"}
-	o.GenericControlPlane.Authorization = nil // we have our own
 
 	// override set of admission plugins
 	kcpadmission.RegisterAllKcpAdmissionPlugins(o.GenericControlPlane.Admission.GenericAdmission.Plugins)
@@ -313,6 +303,16 @@ func (o *Options) Complete(rootDir string) (*CompletedOptions, error) {
 		o.GenericControlPlane.ServiceAccountSigningKeyFile = o.Controllers.SAController.ServiceAccountKeyFile
 	}
 
+	// kcp uses the generic control plane's authorization flags, but only supports the webhook mode;
+	// to prevent misconfigurations the --authorization-mode flag is not exposed, but set here
+	// automatically based on the presence of the other webhook related flags.
+	if o.GenericControlPlane.Authorization.WebhookConfigFile != "" {
+		o.GenericControlPlane.Authorization.Modes = []string{authzmodes.ModeWebhook}
+	} else {
+		// if no webhook is used, completely disable upstream authz, as kcp has its own authorization logic
+		o.GenericControlPlane.Authorization = nil
+	}
+
 	completedGenericServerRunOptions, err := o.GenericControlPlane.Complete(nil, nil)
 	if err != nil {
 		return nil, err