JWT:我们是否应该允许对非Kubernetes API服务器的观众进行Assert?

o0lyfsai  于 6个月前  发布在  Kubernetes
关注(0)|答案(6)|浏览(74)

一个webhook令牌验证器可以Assert哪个audiences令牌是有效的:
kubernetes/staging/src/k8s.io/api/authentication/v1/types.go
第91行到第102行
| | // Audiences是认证器选择的与TokenReview和token兼容的受众标识符。任何在TokenReviewSpec受众和令牌受众之间的交集中的标识符都是一个标识符。设置spec.audiences字段的TokenReview API客户端应该验证状态.audiences字段中返回的兼容受众标识符,以确保TokenReview服务器具有观众意识。如果TokenReview返回一个空的状态.audience字段,其中status.authenticated为"true",则该令牌对Kubernetes API服务器的观众有效。 // +optional // +listType=atomic
| | Audiences []stringjson:"audiences,omitempty" protobuf:"bytes,4,rep,name=audiences" |
audiences的空列表意味着“对Kubernetes API服务器的观众有效”。
JWT验证器无法表达这一点。相反,它只能表达“如果你看到这个列表中的任何一个受众,就认为它是等同于Kubernetes API服务器的观众”。

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: ...
    audiences:
    - audience1
    - audience2
    audienceMatchPolicy: MatchAny
  claimValidationRules: ...
...

例如,在上面的配置中,audience1audience2被认为是API服务器观众(无论API服务器观众的实际值是什么)。
这意味着如果某个带有观众foo的“服务器”想要使用令牌审查API进行令牌验证,那么“客户端”只能使用Kube SA令牌或来自webhook验证器的令牌来对其进行身份验证。服务器的解决方法是直接验证令牌本身,但这意味着它需要有效地实现整个JWT验证器逻辑本身。
一种可能的方法是允许使用CEL表达式来确定audiences:

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: ...
    audiences: null # must be empty
    audienceMatchPolicy: MatchViaCEL # allows the use of the audiencesExpression field
    # CEL expression that returns empty string array to mean
    # valid against the audience of the Kubernetes API server.
    # Otherwise the returned string array list is used to perform
    # an audience intersection check exactly as how it is performed
    # for the webhook token authenticator.
    audiencesExpression: "..."
  claimValidationRules: ...
...

/sig auth
/triage accepted
@aramase@liggitt

disho6za

disho6za1#

另一种方法是添加一个audienceMatchPolicy: MatchAnyWithPassthrough,它将继续将audiences列表Map到API服务器的观众中,但在其他情况下,将在authenticator.Response中原封不动地传递audiences列表,该列表将用于像webhook令牌验证器这样的观众交集检查。

wi3ka0sx

wi3ka0sx2#

嘿,@enj,我刚接触Kubernetes的投稿。你能帮我解决这个问题吗?这对我来说会有很大帮助。

lzfw57am

lzfw57am3#

hoisting my response from the slack thread
I think there are multiple weirdnesses with having kubeapiserver start validating non-kubeapiserver audiences with JWTs:

  1. the audience you explicitly specify in TokenReview may or may not be matched to the audience explicitly in the JWT - when validating a kube-apiserver audience, it would have to require exactly the oidc clientid configured in kube-apiserver, when validating a non-kube-apiserver audience, it would ... require an exact match to the token audience?
  2. it's weird to make kube-apiserver the authoritative token validator for tokens issued from another system and intended to be presented to another system
    I don't think encouraging presenting jwts issued by other systems and intended to be presented to other systems to kube-apiserver for validation (and interpretation as user info) is a great idea. I would probably just tell those systems to validate jwts normally themselves.
6ljaweal

6ljaweal4#

从那个松散的线程中,我的感受是,尽管这对于令牌webhooks "有效",但我们可能不应该使用它。因此,如果您需要为外部系统获取观众范围的令牌,您应该只使用Kube服务帐户令牌。
(slack thread image)

mftmpeh8

mftmpeh85#

此外,我的一个旧PR(Pull Request)也与此相关:#87612

bweufnob

bweufnob6#

嘿,@enj,我刚接触Kubernetes的投稿。你能帮我解决这个问题吗?这对我来说会有很大帮助。
抱歉,这不是一个适合新手贡献者的问题。目前也无法采取行动。

相关问题