Merge pull request #11 from mlbiam/master

Updates for 1.0.0 release

.dockerignore

@@ -1,2 +1,2 @@
 *
-!/bin/kube-oidc-proxy-linux
+!/bin/kube-oidc-proxy

.github/workflows/build.yaml

@@ -0,0 +1,60 @@
+name: build
+on:
+  push:
+    branches:
+      - 'master'
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - uses: actions/checkout@v1
+
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: "1.17.0"
+
+      - name: Update go deps
+        run: go mod tidy
+
+      - name: install go mock
+        run: go install github.com/golang/mock/mockgen@v1.6.0
+
+      - name: install go-junit
+        run: go get -u github.com/jstemmer/go-junit-report
+
+      - name: run tests
+        run: make test
+
+      - name: build executable
+        run: make build; ls; ls bin
+
+
+
+
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1 
+        with:
+          username: ${{ secrets.OU_REG_USER }}
+          password: ${{ secrets.OU_REG_PASSWORD }}
+
+
+
+
+      -
+        name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: "."
+          push: true
+          tags: ${{ secrets.OU_CONTAINER_DEST }}
+

CHANGELOG.md

@@ -0,0 +1,12 @@
+# 1.0.0
+
+**enhancements:**
+ - 1.0.0 Release [\#10](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/10)
+ - Access logging to standard out [\#2](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/2)
+ - create github action to automate builds [\#8](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/8)
+ - Switch from alpine --> ubuntu 20.04 [\#9](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/9)
+ - Support `kubectl --as` [\#3](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/3)
+ - Upgrade KinD [\#1](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/1)
+
+**bugs:**
+ - update dependencies [\#5](https://github.com/TremoloSecurity/kube-oidc-proxy/issues/5)

Dockerfile

@@ -1,10 +1,9 @@
 # Copyright Jetstack Ltd. See LICENSE for details.
-FROM alpine:3.10
+FROM ubuntu:20.04
 LABEL description="OIDC reverse proxy authenticator based on Kubernetes"
 
-RUN apk --no-cache add ca-certificates \
-    && apk --no-cache add --upgrade openssl
+RUN apt-get update;apt-get -y install ca-certificates;apt-get -y upgrade;apt-get clean;rm -rf /var/lib/apt/lists/*
 
-COPY ./bin/kube-oidc-proxy-linux /usr/bin/kube-oidc-proxy
+COPY ./bin/kube-oidc-proxy /usr/bin/kube-oidc-proxy
 
 CMD ["/usr/bin/kube-oidc-proxy"]

GenGitChangeLog.py

@@ -0,0 +1,86 @@
+# Generates OpenUnison Changelog
+# Call from the branch with 3 parameters:
+# 1. Date from which to start looking
+# 2. Github Token
+
+# requires python-dateutil and requests from pip
+
+from subprocess import *
+import re
+from datetime import datetime
+import dateutil.parser
+import sys
+import requests
+
+
+
+def parseIssues(message):
+    issuesRet = []
+    issues = re.findall('[#][0-9]+',message)
+    if issues != None:
+        for issue in issues:
+            issuesRet.append(issue[1:])
+    return issuesRet
+
+
+def f4(seq):
+   # order preserving
+   noDupes = []
+   [noDupes.append(i) for i in seq if not noDupes.count(i)]
+   return noDupes
+
+
+
+
+
+
+headers = {'Authorization':'token ' + sys.argv[2]}
+
+
+GIT_COMMIT_FIELDS = ['id', 'author_name', 'author_email', 'date', 'message']
+GIT_LOG_FORMAT = ['%H', '%an', '%ae', '%ai', '%s']
+GIT_LOG_FORMAT = '%x1f'.join(GIT_LOG_FORMAT) + '%x1e'
+
+#print repo.git.log(p=False)
+
+allIssues = []
+
+p = Popen('git log --format="%s" ' % GIT_LOG_FORMAT, shell=True, stdout=PIPE)
+(logb, _) = p.communicate()
+log = str(logb,"utf-8")
+log = log.strip('\n\x1e').split("\x1e")
+log = [row.strip().split("\x1f") for row in log]
+log = [dict(zip(GIT_COMMIT_FIELDS, row)) for row in log]
+
+notbefore = dateutil.parser.parse(sys.argv[1] + ' 00:00:00 -0400')
+
+for commit in log:
+    created = dateutil.parser.parse(commit['date'])
+    if created > notbefore:
+        message = commit['message']
+        allIssues.extend(parseIssues(message))
+
+
+allIssues = f4(allIssues)
+
+bylabels = {}
+
+for issue in allIssues:
+    issueURL = 'https://api.github.com/repos/TremoloSecurity/kube-oidc-proxy/issues/' + issue
+    r = requests.get(issueURL,headers=headers)
+    json = r.json();
+
+    if "labels" in json:
+        for label in json['labels']:
+            if not (label['name'] in bylabels):
+                labelGroup = []
+                bylabels[label["name"]] = labelGroup
+            labelGroup = bylabels[label['name']]
+            labelGroup.append(json)
+
+
+for label in bylabels:
+    print('**' + label + 's:**')
+    for issue in bylabels[label]:
+        print(' - ' + issue['title'] + ' [\\#' + str(issue['number']) + '](' + issue['html_url'] + ')')
+    print()

Makefile

@@ -100,7 +100,7 @@ build: generate ## build kube-oidc-proxy
 	CGO_ENABLED=0 go build -ldflags '-w $(shell hack/version-ldflags.sh)' -o ./bin/kube-oidc-proxy ./cmd/.
 
 docker_build: generate test build ## build docker image
-	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -ldflags '-w $(shell hack/version-ldflags.sh)' -o ./bin/kube-oidc-proxy-linux  ./cmd/.
+	GOARCH=$(ARCH) GOOS=linux CGO_ENABLED=0 go build -ldflags '-w $(shell hack/version-ldflags.sh)' -o ./bin/kube-oidc-proxy  ./cmd/.
 	docker build -t kube-oidc-proxy .
 
 all: test build ## runs tests, build

README.md

@@ -1,15 +1,5 @@
 # kube-oidc-proxy
 
->  :warning:
->
->  kube-oidc-proxy is an experimental tool that we would like to get feedback
->  on from the community. Jetstack makes no guarantees on the soundness of the
->  security in this project, nor any suggestion that it's 'production ready'.
->  This server sits in the critical path of authentication to the Kubernetes
->  API.
->
->  :warning:
-
 `kube-oidc-proxy` is a reverse proxy server to authenticate users using OIDC to
 Kubernetes API servers where OIDC authentication is not available (i.e. managed 
 Kubernetes providers such as GKE, EKS, etc).
@@ -33,6 +23,10 @@ The following is a diagram of the request flow for a user request.
 ![kube-oidc-proxy request
 flow](https://storage.googleapis.com/kube-oidc-proxy/diagram-d9623e38a6cd3b585b45f47d80ca1e1c43c7e695.png)
 
+## Quickest Start
+
+OpenUnison integrates kube-oidc-proxy directly, and includes an identity provider and access portal for Kubernetes.  The quickest way to get started with kube-oidc-proxy is to follow the directions for OpenUnison's deployment at https://openunison.github.io/.
+
 ## Tutorial
 
 Directions on how to deploy OIDC authentication with multi-cluster can be found
@@ -131,8 +125,45 @@ users:
  - [Extra Impersonations Headers](./docs/tasks/extra-impersonation-headers.md)
  - [Auditing](./docs/tasks/auditing.md)
 
+## Logging
+
+In addition to auditing, kube-oidc-proxy logs all requests to standard out so the requests can be captured by a common Security Information and Event Management (SIEM) system.  SIEMs will typically import logs directly from containers via tools like fluentd.  This logging is also useful in debugging.  An example successful event:
+
+```
+[2021-11-25T01:05:17+0000] AuSuccess src:[10.42.0.5 / 10.42.1.3, 10.42.0.5] URI:/api/v1/namespaces/openunison/pods?limit=500 inbound:[mlbadmin1 / system:masters|system:authenticated /]
+```
+
+The first block, between `[]` is an ISO-8601 timestamp.  The next text, `AuSuccess`, indicates that authentication was successful.  the `src` block containers the remote address of the request, followed by the value of the `X-Forwarded-For` HTTP header if provided.  The `URI` is the URL path of the request.  The `inbound` section provides the user name, groups, and extra-info provided to the proxy from the JWT.
+
+When there's an error or failure:
+
+```
+[2021-11-25T01:05:24+0000] AuFail src:[10.42.0.5 / 10.42.1.3] URI:/api/v1/nodes
+```
+
+This is similar to success, but without the token information.
+
+## End-User Impersonation
+
+kube-oidc-proxy supports the impersonation headers for inbound requests.  This allowes the proxy to support `kubectl --as`.  When impersonation headers are included in a request, the proxy checks that the authenticated user is able to assume the identity of the impersonation headers by submitting `SubjectAccessReview` requests to the API server.  Once authorized, the proxy will send those identity headers instead of headers generated for the authenticated user.  In addition, three `Extra` impersonation headers are sent to the API server to identify the authenticated user who's making the request:
+
+| Header | Description |
+| ------ | ----------- |
+| `originaluser.jetstack.io-user` | The original username |
+| `originaluser.jetstack.io-groups` | The original groups |
+| `originaluser.jetstack.io-extra` | A JSON encoded map of arrays representing all of the `extra` headers included in the original identity |
+
+In addition to sending this `extra` information, the proxy adds an additional section to the logfile that will identify outbound identity data.  When impersonation headers are present, the `AuSuccess` log will look like:
+
+```
+[2021-11-25T01:05:17+0000] AuSuccess src:[10.42.0.5 / 10.42.1.3] URI:/api/v1/namespaces/openunison/pods?limit=500 inbound:[mlbadmin1 / system:masters|system:authenticated /] outbound:[mlbadmin2 / group2|system:authenticated /]
+```
+
+When using `Impersonate-Extra-` headers, the proxy's `ServiceAccount` must be explicitly authorized via RBAC to impersonate whatever the extra key is named.  This is because extras are treated as subresources which must be explicitly authorized.  
+
+
 ## Development
-*NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.
+*NOTE*: building kube-oidc-proxy requires Go version 1.17 or higher.
 
 To help with development, there is a suite of tools you can use to deploy a
 functioning proxy from source locally. You can read more

cmd/app/options/options.go

@@ -6,8 +6,9 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
+	"golang.org/x/term"
 	k8sErrors "k8s.io/apimachinery/pkg/util/errors"
-	"k8s.io/apiserver/pkg/util/term"
+
 	cliflag "k8s.io/component-base/cli/flag"
 )
 
@@ -45,7 +46,7 @@ func New() *Options {
 func (o *Options) AddFlags(cmd *cobra.Command) {
 	// pretty output from kube-apiserver
 	usageFmt := "Usage:\n  %s\n"
-	cols, _, _ := term.TerminalSize(cmd.OutOrStdout())
+	cols, _, _ := term.GetSize(0)
 	cmd.SetUsageFunc(func(cmd *cobra.Command) error {
 		fmt.Fprintf(cmd.OutOrStderr(), usageFmt, cmd.UseLine())
 		cliflag.PrintSections(cmd.OutOrStderr(), *o.nfs, cols)
@@ -91,10 +92,6 @@ func (o *Options) Validate(cmd *cobra.Command) error {
 		errs = append(errs, errors.New("cannot add extra user headers when impersonation disabled"))
 	}
 
-	if o.Audit.DynamicOptions.Enabled {
-		errs = append(errs, errors.New("The flag --audit-dynamic-configuration may not be set"))
-	}
-
 	if len(errs) > 0 {
 		return k8sErrors.NewAggregate(errs)
 	}

cmd/app/run.go

@@ -6,11 +6,13 @@ import (
 
 	"github.com/spf13/cobra"
 	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 
 	"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
 	"github.com/jetstack/kube-oidc-proxy/pkg/probe"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy"
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/subjectaccessreview"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/tokenreview"
 	"github.com/jetstack/kube-oidc-proxy/pkg/util"
 )
@@ -83,9 +85,21 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 				ExtraUserHeadersClientIPEnabled: opts.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
 			}
 
+			// Setup Subject Access Review
+			kubeclient, err := kubernetes.NewForConfig(restConfig)
+			if err != nil {
+				return err
+			}
+
+			subectAccessReviewer, err := subjectaccessreview.New(kubeclient.AuthorizationV1().SubjectAccessReviews())
+
+			if err != nil {
+				return err
+			}
+
 			// Initialise proxy with OIDC token authenticator
 			p, err := proxy.New(restConfig, opts.OIDCAuthentication, opts.Audit,
-				tokenReviewer, secureServingInfo, proxyConfig)
+				tokenReviewer, subectAccessReviewer, secureServingInfo, proxyConfig)
 			if err != nil {
 				return err
 			}

deploy/charts/kube-oidc-proxy/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
-appVersion: "v0.3.0"
+appVersion: "v1.0.0"
 description: A Helm chart for kube-oidc-proxy
 home: https://github.com/jetstack/kube-oidc-proxy
 name: kube-oidc-proxy
-version: 0.3.1
+version: 0.3.2
 maintainers:
 - name: mhrabovcin
 - name: joshvanl

deploy/charts/kube-oidc-proxy/templates/clusterrole.yaml

@@ -19,6 +19,10 @@ rules:
   - "userextras/scopes"
   - "userextras/remote-client-ip"
   - "tokenreviews"
+  # to support end user impersonation
+  - "userextras/originaluser.jetstack.io-user"
+  - "userextras/originaluser.jetstack.io-groups"
+  - "userextras/originaluser.jetstack.io-extra"
   verbs:
   - "create"
   - "impersonate"

deploy/yaml/kube-oidc-proxy.yaml

@@ -137,6 +137,10 @@ rules:
   - "userextras/scopes"
   - "userextras/remote-client-ip"
   - "tokenreviews"
+  # to support end user impersonation
+  - "userextras/originaluser.jetstack.io-user"
+  - "userextras/originaluser.jetstack.io-groups"
+  - "userextras/originaluser.jetstack.io-extra"
   verbs:
   - "create"
   - "impersonate"