Adds support for kubernetes_users, extend interpolation (#3404) #3418
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@fspmarshall @russjones this is a forward port |
russjones
approved these changes
Mar 7, 2020
webvictim
approved these changes
Mar 7, 2020
lib/kube/proxy/forwarder.go
Outdated
| // If the users' role set does not include actual user name, it will be rejected, | ||
| // otherwise there will be no way to exclude the user from the list). | ||
| // | ||
| // If the `kuberentes_users` role set includes only one user |
lib/services/types.proto
Outdated
| @@ -566,6 +566,9 @@ message RoleConditions { | |||
| repeated string KubeGroups = 5 [(gogoproto.jsontag) = "kubernetes_groups,omitempty"]; | |||
|
|
|||
| AccessRequestConditions Request = 6 [(gogoproto.jsontag) = "request,omitempty"]; | |||
|
|
|||
| // KubeUsers is an optional kuberentes users to impersonate | |||
|
retest this please |
This commit fixes #3369, refs #3374 It adds support for kuberenetes_users section in roles, allowing Teleport proxy to impersonate user identities. It also extends variable interpolation syntax by adding suffix and prefix to variables and function `email.local`: Example: ```yaml kind: role version: v3 metadata: name: admin spec: allow: # extract email local part from the email claim logins: ['{{email.local(external.email)}}'] # impersonate a kubernetes user with IAM prefix kubernetes_users: ['IAM#{{external.email}}'] # the deny section uses the identical format as the 'allow' section. # the deny rules always override allow rules. deny: {} ``` Some notes on email.local behavior: * This is the only function supported in the template variables for now * In case if the email.local will encounter invalid email address, it will interpolate to empty value, will be removed from resulting output. Changes in impersonation behavior: * By default, if no kubernetes_users is set, which is a majority of cases, user will impersonate themselves, which is the backwards-compatible behavior. * As long as at least one `kubernetes_users` is set, the forwarder will start limiting the list of users allowed by the client to impersonate. * If the users' role set does not include actual user name, it will be rejected, otherwise there will be no way to exclude the user from the list). * If the `kuberentes_users` role set includes only one user (quite frequently that's the real intent), teleport will default to it, otherwise it will refuse to select. This will enable the use case when `kubernetes_users` has just one field to link the user identity with the IAM role, for example `IAM#{{external.email}}` * Previous versions of the forwarding proxy were denying all external impersonation headers, this commit allows 'Impesrsonate-User' and 'Impersonate-Group' header values that are allowed by role set. * Previous versions of the forwarding proxy ignored 'Deny' section of the roles when applied to impersonation, this commit fixes that - roles with deny kubernetes_users and kubernetes_groups section will not allow impersonation of those users and groups.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes #3369, refs #3374
It adds support for kuberenetes_users section in roles,
allowing Teleport proxy to impersonate user identities.
It also extends variable interpolation syntax by adding
suffix and prefix to variables and function
email.local:Example:
Some notes on email.local behavior:
it will interpolate to empty value, will be removed from resulting
output.
Changes in impersonation behavior:
By default, if no kubernetes_users is set, which is a majority of cases,
user will impersonate themselves, which is the backwards-compatible behavior.
As long as at least one
kubernetes_usersis set, the forwarder will startlimiting the list of users allowed by the client to impersonate.
If the users' role set does not include actual user name, it will be rejected,
otherwise there will be no way to exclude the user from the list).
If the
kuberentes_usersrole set includes only one user(quite frequently that's the real intent), teleport will default to it,
otherwise it will refuse to select.
This will enable the use case when
kubernetes_usershas just one field tolink the user identity with the IAM role, for example
IAM#{{external.email}}Previous versions of the forwarding proxy were denying all external
impersonation headers, this commit allows 'Impesrsonate-User' and
'Impersonate-Group' header values that are allowed by role set.
Previous versions of the forwarding proxy ignored 'Deny' section of the roles
when applied to impersonation, this commit fixes that - roles with deny
kubernetes_users and kubernetes_groups section will not allow
impersonation of those users and groups.