Add a new role.options field called request_mode.kubernetes_resources #47173

Open
wants to merge 11 commits into base: master

Conversation

@kimlisa kimlisa commented Oct 3, 2024

part of #46742
rfd: #46691

Defines a new role.options field called request_mode.

For now it holds a field kubernetes_resources that follows the same format as the existing allow.kubernetes_resources, except that the only field we support in the options field is Kind (defining other fields will cause role upsert actions to be rejected).

The Kind allows admins to define which kube subresources a user can request during request creation, and disallows requests for kube_cluster. It accepts the wildcard to mean that a request for any kube subresource is allowed.

If role.options.request_mode is not defined, or has length 0, a user can request kube_cluster or any of its subresources.

Example: if the requester role says:

kind: role
metadata:
  name: requester
spec:
  allow:
    request:
      search_as_roles:
      - kube-access
  options:
    request_mode:
      kubernetes_resources:
      - kind: namespace

requesting kind kube_cluster is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 
Creating request...
ERROR: Not allowed to request Kubernetes resource kind "kube_cluster". Allowed kinds: [namespace].
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind pod is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/pod/coffee-kube-cluster/kube-system/coredns-7db6d8ff4d-mhjlv
Creating request...
ERROR: Not allowed to request Kubernetes resource kind "pod". Allowed kinds: [namespace].
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind namespace is allowed:

tsh request create --resource /kimlisa22.cloud.gravitational.io/namespace/coffee-kube-cluster/coffee-1
Creating request...
Request ID:     01925493-ea75-7641-ba4c-7cb01ff35fbe
Username:       [email protected]
Roles:          access-kube-coffee, access-kube-pumpkin
Resources:      ["/kimlisa22.cloud.gravitational.io/namespace/coffee-kube-cluster/coffee-1"]
Reason:         [none]
Reviewers:      [none] (suggested)
Access Expires: 2024-10-03 23:49:01
Status:         PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

wildcard example output:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 
Creating request...
ERROR: Not allowed to request Kubernetes resource kind "kube_cluster". Allowed kinds: [cronjob configmap kube_node deployment clusterrolebinding clusterrole rolebinding job daemonset ingress namespace service persistentvolumeclaim replicaset statefulset kube_role certificatesigningrequest pod secret serviceaccount persistentvolume].
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

changelog: Define a new role.options field called request_mode.kubernetes_resources that allows admins to define what kinds of Kubernetes resources a requester can request.

github-actions bot commented Oct 3, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@kimlisa kimlisa changed the title Lisa/add request mode role option Add a new role.options field called request_mode.kubernetes_resources Oct 3, 2024
@@ -2664,6 +2666,13 @@ message AccessCapabilitiesRequest {
bool FilterRequestableRolesByResource = 6 [(gogoproto.jsontag) = "filter_requestable_roles_by_resource,omitempty"];
}

message AccessRequestMode {
repeated KubernetesResource KubernetesResources = 1 [
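Review bot: `repeated KubernetesResource KubernetesResources = 1` reuses the full KubernetesResource message for a setting that, per the PR description, accepts only Kind, so the schema admits fields that the role upsert then has to reject at runtime. A dedicated message carrying just `Kind` makes the restriction visible in the proto itself and lets generated clients and the YAML reference reflect it. `message AccessRequestMode` also has no leading doc comment; it should state what an unset or empty value means (the description says: kube_cluster and every subresource kind may be requested).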
Can we use a dedicated type for this setting?
Reusing KubernetesResource causes confusion, because you can set a lot of data that isn't allowed.

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 3 times, most recently from ae41067 to b03a2f3 Compare October 4, 2024 21:58
@kimlisa kimlisa requested a review from tigrato October 4, 2024 21:59
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 945322f to 70ecfbb Compare October 7, 2024 03:18

kimlisa commented Oct 8, 2024

friendly ping @tigrato @nklaassen

@tigrato tigrato left a comment


Can you please add unmarshal from/to YAML of roles with this section defined?

@@ -2639,6 +2639,8 @@ message AccessCapabilities {
// AutoRequest indicates whether the request strategy indicates that a
// request should be automatically generated on login.
bool AutoRequest = 6 [(gogoproto.jsontag) = "auto_request,omitempty"];
// RequestMode defines what resource kinds a user can request for applicable resources.
AccessRequestMode RequestMode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"];
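Review bot: the comment on `AccessRequestMode RequestMode = 7` leaves two things undefined: which resources are "applicable" (the field type is Kubernetes-specific, so say Kubernetes) and what an absent or empty RequestMode means. The PR description states that an unset or zero-length request_mode permits kube_cluster and every subresource kind; that rule belongs in this doc comment, since readers of the generated API never see the PR. On naming, the neighbouring `bool AutoRequest = 6` uses the same CamelCase as the new field, so whichever convention is settled on in review should be applied consistently within this message.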

Suggested change
AccessRequestMode RequestMode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"];
AccessRequestMode request_mode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"];

Recently we started adopting the camel case for new fields

// Modeled after existing message KubernetesResource.
message RequestModeKubernetesResource {
// Kind specifies the Kubernetes Resource type.
string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
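Review bot: `// Modeled after existing message KubernetesResource.` explains the lineage but not the contract; the doc comment for `message RequestModeKubernetesResource` should state that Kind is deliberately the only field and which values it accepts (a concrete subresource kind or the wildcard, per the PR description), and whether kube_cluster may appear as an entry at all, given that the description frames request_mode as restricting requests to subresources. Without that, `// Kind specifies the Kubernetes Resource type.` reads identically to the comment on KubernetesResource and a reader cannot tell why two messages exist.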

Suggested change
string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
string kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];

@@ -3295,7 +3322,6 @@ message DatabasePermission {
// KubernetesResource is the Kubernetes resource identifier.
message KubernetesResource {
// Kind specifies the Kubernetes Resource type.
// At the moment only "pod" is supported.
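Review bot: the header `@@ -3295,7 +3322,6 @@` shows one line leaving the Kind comment of `message KubernetesResource`; if that is the `// At the moment only "pod" is supported.` note, dropping it is right, since the wildcard output in the PR description lists twenty-one kinds. Consider pointing the comment at where the supported kinds are enumerated, so that `// Kind specifies the Kubernetes Resource type.` is not the only guidance left for the field.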

😃


// Validate kube request kinds.
// If request mode is defined, then any request for kube_cluster will be rejected.
isResourceRequest := len(req.GetRequestedResourceIDs()) > 0
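Review bot: the comment `// If request mode is defined, then any request for kube_cluster will be rejected.` states the rule for a single role, but a request can be backed by several search_as_roles; document whether a kind is rejected when every backing role's request_mode excludes it or when any one does, because a role that does not list kind Y should simply not be used to grant access to Y rather than veto the whole request. Also, `isResourceRequest := len(req.GetRequestedResourceIDs()) > 0` means role-only requests bypass the kind check entirely; that is defensible, but a sentence in the comment would make the exemption deliberate rather than incidental.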

What happens if multiple roles back this access request?
Should we return an error only if none of them support the kind? If a role doesn't support kind Y, we won't use it for access to resources of kind Y.

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 4892231 to f987020 Compare October 16, 2024 07:26

kimlisa commented Oct 16, 2024

I made a few adjustments based on review:

the request mode found on the same role as the search as roles will be enforced:

  • querying for kube resources with search_as_roles will prune roles whose request mode doesn't match the request type
  • when creating request, request modes will be enforced during:
    • pruning search as roles with only root resource request
    • pruning search as roles with leaf and root resources (pruning doesn't happen, but we will still enforce request mode without any special matchers)
    • requesting custom roles, users can manually change/request roles so this will skip pruning check altogether, but we will still enforce request mode checking without any special matchers
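The kind check described in the PR description (unset or empty request_mode allows everything, a listed kind allows only that kind, the wildcard allows every subresource kind but not kube_cluster) and the role pruning described in the comment above, as an added, self-contained example. This is not Teleport's code: the type names, the `kindFromResourceID` parser, `checkRequest` and `pruneRoles` are assumptions modelled on the behaviour and error text shown in this thread, and the kind list is copied from the wildcard output in the description.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical model of the request_mode check described in the PR.
// Type and function names are assumptions, not Teleport's own identifiers.

const wildcardKind = "*"

// kubeSubresourceKinds is what a wildcard expands to; the list is copied from
// the wildcard example output in the PR description.
var kubeSubresourceKinds = []string{
	"cronjob", "configmap", "kube_node", "deployment", "clusterrolebinding",
	"clusterrole", "rolebinding", "job", "daemonset", "ingress", "namespace",
	"service", "persistentvolumeclaim", "replicaset", "statefulset", "kube_role",
	"certificatesigningrequest", "pod", "secret", "serviceaccount", "persistentvolume",
}

// RequestModeKubernetesResource mirrors the option in the PR: Kind is the only field.
type RequestModeKubernetesResource struct {
	Kind string
}

// Role holds just the parts of a requester role that matter for this check.
type Role struct {
	Name        string
	RequestMode []RequestModeKubernetesResource // role.options.request_mode.kubernetes_resources
}

// kindFromResourceID pulls the kind out of the resource ID format shown in the
// tsh examples: /<teleport-cluster>/<kind>/<name>[/<namespace>/<subresource-name>].
func kindFromResourceID(id string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(id, "/"), "/")
	if len(parts) < 3 || parts[1] == "" {
		return "", fmt.Errorf("malformed resource ID %q", id)
	}
	return parts[1], nil
}

// allowedKinds expands a role's request_mode into the concrete kinds it permits.
// A nil result means the option is unset or empty: kube_cluster and every
// subresource kind may be requested.
func allowedKinds(role Role) []string {
	if len(role.RequestMode) == 0 {
		return nil
	}
	seen := make(map[string]bool)
	var kinds []string
	add := func(k string) {
		if !seen[k] {
			seen[k] = true
			kinds = append(kinds, k)
		}
	}
	for _, r := range role.RequestMode {
		if r.Kind == wildcardKind {
			// The wildcard covers every subresource kind but never kube_cluster.
			for _, k := range kubeSubresourceKinds {
				add(k)
			}
			continue
		}
		add(r.Kind)
	}
	return kinds
}

// roleAllowsKind reports whether a role's request_mode permits requesting kind.
func roleAllowsKind(role Role, kind string) bool {
	allowed := allowedKinds(role)
	if allowed == nil {
		return true
	}
	for _, k := range allowed {
		if k == kind {
			return true
		}
	}
	return false
}

// checkRequest validates one requested resource ID against a role and reproduces
// the error text shown in the PR description when the kind is not permitted.
func checkRequest(role Role, resourceID string) error {
	kind, err := kindFromResourceID(resourceID)
	if err != nil {
		return err
	}
	if roleAllowsKind(role, kind) {
		return nil
	}
	return fmt.Errorf("Not allowed to request Kubernetes resource kind %q. Allowed kinds: %v.",
		kind, allowedKinds(role))
}

// pruneRoles keeps only the roles whose request_mode permits the requested kind,
// the pruning step the follow-up comment describes for search_as_roles queries.
func pruneRoles(roles []Role, kind string) []Role {
	var kept []Role
	for _, r := range roles {
		if roleAllowsKind(r, kind) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	// Constructed sample: the requester role from the PR description (kind: namespace).
	requester := Role{Name: "requester", RequestMode: []RequestModeKubernetesResource{{Kind: "namespace"}}}
	for _, id := range []string{
		"/example.teleport.sh/kube_cluster/coffee-kube-cluster",
		"/example.teleport.sh/pod/coffee-kube-cluster/kube-system/coredns-abc",
		"/example.teleport.sh/namespace/coffee-kube-cluster/coffee-1",
	} {
		if err := checkRequest(requester, id); err != nil {
			fmt.Println("ERROR:", err)
		} else {
			fmt.Println("allowed:", id)
		}
	}
}
```

`allowedKinds` distinguishes "unset" (nil) from "set but empty" only in the sense the description gives: both mean no restriction. The wildcard is expanded to the concrete kind list rather than matched as `kind != kube_cluster` so that the denial message can print the allowed kinds exactly as the tsh output in the description does.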

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch from f987020 to 7988cc6 Compare October 16, 2024 07:52
@kimlisa kimlisa requested a review from tigrato October 16, 2024 07:55
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 449ca3d to 415537c Compare October 16, 2024 21:47
@kimlisa kimlisa marked this pull request as draft October 17, 2024 06:04
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch from 415537c to 7f0453e Compare October 17, 2024 08:30
@kimlisa kimlisa marked this pull request as ready for review October 17, 2024 08:31
@github-actions github-actions bot added kubernetes-access size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport. ui labels Oct 17, 2024