Fix extensions apiserver to authenticate requests via RequestHeader CA#4557
Open
anandppatil wants to merge 1 commit into agones-dev:main from
This PR exceeds the recommended size of 1000 lines. Please make sure you are NOT addressing multiple issues with one PR. Note this PR might be rejected due to its size.
The agones-extensions apiserver serves the allocation.agones.dev/v1 aggregated APIService but did not verify that incoming requests came from the kube-apiserver aggregator. Any workload with network reach to agones-controller-service:443 could bypass Kubernetes RBAC and allocate GameServers in arbitrary namespaces.

This change:
- Loads the extension-apiserver-authentication ConfigMap at startup to obtain the RequestHeader CA and allowed proxy client CNs.
- Configures the TLS server to verify client certificates against the RequestHeader CA (VerifyClientCertIfGiven).
- Authenticates API requests by verifying the proxy client cert CN and extracting X-Remote-User/X-Remote-Group headers.
- Authorizes allocation requests via SubjectAccessReview before processing them.

The system:auth-delegator ClusterRoleBinding (already present in the Helm chart) grants the agones-controller ServiceAccount the necessary permission to create SubjectAccessReviews.

Ref: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/

Signed-off-by: anandppatil <anandppatil4383@gmail.com>
e4e6c38 to 4ae6955
What
Fixes an authentication bypass in the agones-extensions apiserver where any in-cluster workload could directly call the aggregated APIService endpoint and allocate GameServers in any namespace, bypassing Kubernetes RBAC.

Why
The extensions apiserver serves /apis/allocation.agones.dev/v1/... as a Kubernetes aggregated APIService but did not implement the client-side authentication required by the Kubernetes aggregation layer specification.

How
- Loads the extension-apiserver-authentication ConfigMap from kube-system
- ClientAuth: VerifyClientCertIfGiven with the RequestHeader CA
- Checks the proxy client cert CN against requestheader-allowed-names
- Extracts the X-Remote-User/X-Remote-Group headers
- SubjectAccessReview for create gameserverallocations

Testing
- Tests for LoadRequestHeaderConfig, AuthenticateRequest, and parseJSONStringArray added in pkg/util/apiserver/auth_test.go
- curl to the service without a valid proxy client cert returns 401.

Fixes: https://issuetracker.google.com/issues/505221322