banzaicloud / jwt-to-rbac
JWT-to-RBAC lets you automatically generate RBAC resources based on JWT tokens
License: Apache License 2.0
Is your feature request related to a problem? Please describe.
Describe the solution you'd like to see
Build chart triggered by tagging similarly to #24
Is your feature request related to a problem? Please describe.
Currently, there is no identity validation on the GET /tokens/{saName} request.
This means that any malicious actor can request the SA token if the SA has already been created.
Describe the solution you'd like to see
Require an Authorization header that contains the ID token for the GET /tokens/<sa-name> request, and verify the Authorization header content by validating the ID token signature.
Is your feature request related to a problem? Please describe.
From documentation, it seems that this solution works only with Dex.
Describe the solution you'd like to see
I would go for a more generic approach, as verifying a JWT is quite straightforward.
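As an illustration of the generic verification step behind the two requests above (an added example, not jwt-to-rbac's own code): an RS256 verifier that pins the algorithm, checks the signature with the issuer's public key, and only then enforces iss, aud and exp. The Claims struct mirrors the Dex token fields and assumes "aud" is a single string; SignRS256 and the key generated in main exist only so a sample token can be built offline, since in a deployment Dex signs the ID token and publishes its public key through JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the Dex ID token used here (field names as in a
// Dex token); "aud" is assumed to be a single string, as Dex emits it.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// VerifyRS256 checks a compact JWT against pub and enforces issuer, audience
// and expiry. It returns claims only if every check passed.
func VerifyRS256(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return nil, fmt.Errorf("jwt: bad header: %w", err)
	}
	// Pin the algorithm: the verifier, not the token, decides it. This closes
	// alg=none and HS256/RS256 key-confusion attacks.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jwt: unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jwt: bad signature encoding: %w", err)
	}
	// The signature covers the ASCII of "header.payload", not the decoded JSON.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("jwt: signature verification failed")
	}
	// Only now is the payload trustworthy enough to parse and inspect.
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, fmt.Errorf("jwt: bad payload: %w", err)
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("jwt: issuer %q is not trusted", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("jwt: audience %q does not match", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("jwt: token expired")
	}
	return &c, nil
}

// SignRS256 mints a token for the sample below so the example runs offline.
// In a deployment Dex signs ID tokens and publishes the public key via JWKS.
func SignRS256(c Claims, priv *rsa.PrivateKey) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	payload := base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(hdr + "." + payload))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return hdr + "." + payload + "." + base64.RawURLEncoding.EncodeToString(sig)
}

func main() {
	// Constructed sample: a throwaway key standing in for Dex's signing key.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok := SignRS256(Claims{Iss: "https://dex.example.com", Sub: "sub", Aud: "kubernetes",
		Exp: now.Add(time.Hour).Unix(), Email: "jane.doe@example.com"}, priv)
	claims, err := VerifyRS256(tok, &priv.PublicKey, "https://dex.example.com", "kubernetes", now)
	fmt.Println(claims, err)
	_, err = VerifyRS256(tok, &priv.PublicKey, "https://dex.example.com", "kubernetes", now.Add(2*time.Hour))
	fmt.Println(err)
}
```

The order matters: header parsed first only to pin the algorithm, signature checked over the raw segments, and the payload deserialised only after the signature passes, so no claim is ever consulted from an unverified token.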
Is your feature request related to a problem? Please describe.
Using GitHub Actions for build and test.
Describe the solution you'd like to see
Implement automation similar to what is used in the case of CircleCI.
It seems that banzaicloud/jwt-to-rbac does not depend on github.com/belogik/goes any more, either directly or indirectly.
So the replace directive left in go.mod makes no sense. Should it be dropped?
$ go mod why -m github.com/OwnLocal/goes
# github.com/OwnLocal/goes
(main module does not need module github.com/OwnLocal/goes)
https://github.com/banzaicloud/jwt-to-rbac/blob/master/go.mod#L55
replace github.com/belogik/goes => github.com/OwnLocal/goes v1.0.0
I posted my valid JWT to the jwt-to-rbac service and got this error back:
create serviceaccount failed: ServiceAccount "" is invalid: metadata.name: Required value: name or generateName is required
Tracked down to here:
jwt-to-rbac/pkg/rbachandler/rbac_handler.go
Line 230 in 195607a
And relevant line here:
jwt-to-rbac/pkg/rbachandler/rbac_handler.go
Line 342 in 195607a
My JWT structure issued from dex using the github connector:
{
"groups": [
"org:group1",
"org:group2"
],
"sub": "sub",
"iss": "https://dex.example.com",
"email_verified": true,
"name": "Daniel Whatmuff",
"at_hash": "hash",
"exp": 1550770904,
"iat": 1550767304,
"email": "myemail",
"aud": "kubernetes"
}
If it's trying to use name, obviously the creation will fail with something like:
The ServiceAccount "Daniel Whatmuff" is invalid: metadata.name: Invalid value: "Daniel Whatmuff": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
But it looks like it's trying to use FederatedClaimas.UserID ...?
Also, I noticed a few FederatedClaimas - are they typos of FederatedClaims?
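An added example (not jwt-to-rbac's own code) of the two failure modes in this report: deriving the ServiceAccount name from a claim and validating it against the DNS-1123 rule quoted in the API server error, so that an empty or non-conforming name is rejected before a create call. The Claims type, the email-to-name rule ("jane.doe@example.com" becomes "jane-doe-example-com") and the AuthorizeTokenRead ownership check for GET /tokens/{saName} are this example's assumptions, not documented project behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Claims is the subset of an already verified Dex ID token needed here;
// field names follow the token pasted in the report above.
type Claims struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// dns1123Subdomain is the exact pattern quoted in the API server error above.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// nonAlnum matches every run of characters a DNS-1123 label may not contain.
var nonAlnum = regexp.MustCompile(`[^a-z0-9]+`)

// ValidateName reports whether a candidate ServiceAccount name would pass the
// API server's check, so bad input fails here rather than at create time.
func ValidateName(name string) error {
	if name == "" {
		return errors.New("metadata.name: Required value: name or generateName is required")
	}
	if len(name) > 253 || !dns1123Subdomain.MatchString(name) {
		return fmt.Errorf("%q is not a DNS-1123 subdomain", name)
	}
	return nil
}

// ServiceAccountName derives a deterministic, valid name from the email claim
// (assumed rule: lower-case, every non-alphanumeric run becomes "-"). The
// "name" claim ("Jane Doe") would fail validation, and a missing claim yields
// "", which is the empty-name error the report shows.
func ServiceAccountName(c *Claims) (string, error) {
	name := strings.Trim(nonAlnum.ReplaceAllString(strings.ToLower(c.Email), "-"), "-")
	if err := ValidateName(name); err != nil {
		return "", fmt.Errorf("cannot derive service account name from email %q: %w", c.Email, err)
	}
	return name, nil
}

// AuthorizeTokenRead is the ownership half of the check proposed for
// GET /tokens/{saName}: a verified identity may read only its own SA token.
// It assumes signature, issuer, audience and expiry were verified upstream.
func AuthorizeTokenRead(c *Claims, saName string) error {
	owner, err := ServiceAccountName(c)
	if err != nil {
		return err
	}
	if owner != saName {
		return fmt.Errorf("identity %q may not read the token of service account %q", owner, saName)
	}
	return nil
}

func main() {
	// Constructed sample claims in the shape of the token above.
	c := &Claims{Name: "Jane Doe", Email: "Jane.Doe@Example.com"}
	fmt.Println(ValidateName(c.Name))
	fmt.Println(ServiceAccountName(c))
	fmt.Println(AuthorizeTokenRead(c, "jane-doe-example-com"))
	fmt.Println(AuthorizeTokenRead(c, "admin-example-com"))
	fmt.Println(ServiceAccountName(&Claims{}))
}
```

Two different emails can collide after normalisation (for example "jane-doe@example.com" and "jane.doe@example.com"), so a deployment that derives names this way should also record the originating subject on the ServiceAccount and reject creation when the recorded subject differs.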
Whenever the config is edited, jwt-to-rbac should notice and update the config in the running process, so that when a new RBAC object is created the rules reflect the changes in the config.
Implement handling of JWTs issued with the GitHub connector. Create clusterroles based on GitHub groups.
Describe the bug
If you request an rbac token a second time after a first success, the system can't generate it, because it can't overwrite the previous clusterrolebinding that was generated on the first request.
This is the error thrown on the logs:
{"level":"error","msg":"create clusterrolebinding failed: clusterrolebindings.rbac.authorization.k8s.io "xxxxxxx-from-jwt-binding" already exists","package":"rbachandler","service":"jwt-to-rbac","time":"2021-12-02T19:51:59Z"}
Steps to reproduce the issue:
Request a first rbac token with a proper jwt-token.
Get it, and request another token again.
The error is thrown.
Expected behavior
Get a new rbac token at a second time, without having errors.
Describe the bug
When you change the ConfigMap jwt-to-rbac at the customGroups level at runtime, the changes are not applied.
This is because these conditions will always be nil, because the ClusterRole or ClusterRoleBinding already exists.
jwt-to-rbac/pkg/rbachandler/rbac_handler.go
Lines 248 to 250 in bb2185d
jwt-to-rbac/pkg/rbachandler/rbac_handler.go
Lines 331 to 333 in bb2185d
Steps to reproduce the issue:
Change something at the customGroups level.
Expected behavior
When someone changes something at customGroups, the ClusterRole & ClusterRoleBinding changes should be reflected.
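Both reports above describe a create-only path: the second request for the same identity fails with "already exists", and a changed desired object is never applied because the existing one short-circuits the logic. The Go below is an added example, not the project's code: it puts create-only next to create-or-update against an in-memory stand-in for the API server (the Client interface, MemClient, ErrAlreadyExists and ErrNotFound are this example's assumptions; with client-go the same decisions would hang off apierrors.IsAlreadyExists and an Update call).

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Binding is the subset of a ClusterRoleBinding that matters here.
type Binding struct {
	Name     string
	RoleRef  string
	Subjects []string
}

// ErrAlreadyExists and ErrNotFound stand in for the API server's 409 and 404.
var (
	ErrAlreadyExists = errors.New("already exists")
	ErrNotFound      = errors.New("not found")
)

// Client is the minimal create/get/update surface the reconciler needs.
type Client interface {
	Get(name string) (*Binding, error)
	Create(b *Binding) error
	Update(b *Binding) error
}

// MemClient is an in-memory stand-in for the API server that keeps the same
// failure semantics: Create on an existing name fails, Update on a missing one fails.
type MemClient struct{ objs map[string]Binding }

func NewMemClient() *MemClient { return &MemClient{objs: map[string]Binding{}} }

func clone(b *Binding) Binding {
	return Binding{Name: b.Name, RoleRef: b.RoleRef, Subjects: append([]string(nil), b.Subjects...)}
}

func (m *MemClient) Get(name string) (*Binding, error) {
	b, ok := m.objs[name]
	if !ok {
		return nil, fmt.Errorf("clusterrolebindings.rbac.authorization.k8s.io %q: %w", name, ErrNotFound)
	}
	b = clone(&b)
	return &b, nil
}

func (m *MemClient) Create(b *Binding) error {
	if _, ok := m.objs[b.Name]; ok {
		return fmt.Errorf("clusterrolebindings.rbac.authorization.k8s.io %q: %w", b.Name, ErrAlreadyExists)
	}
	m.objs[b.Name] = clone(b)
	return nil
}

func (m *MemClient) Update(b *Binding) error {
	if _, ok := m.objs[b.Name]; !ok {
		return fmt.Errorf("clusterrolebindings.rbac.authorization.k8s.io %q: %w", b.Name, ErrNotFound)
	}
	m.objs[b.Name] = clone(b)
	return nil
}

// CreateOnly is the behaviour both reports describe: a repeat request fails,
// and a changed desired object is silently never applied.
func CreateOnly(c Client, desired *Binding) error { return c.Create(desired) }

// Ensure is create-or-update: an existing binding is not an error, and drift
// between desired and live state (for example after a customGroups change in
// the ConfigMap) is converged with an Update. Any other error is returned.
func Ensure(c Client, desired *Binding) (string, error) {
	err := c.Create(desired)
	if err == nil {
		return "created", nil
	}
	if !errors.Is(err, ErrAlreadyExists) {
		return "", err
	}
	live, err := c.Get(desired.Name)
	if err != nil {
		return "", err
	}
	if reflect.DeepEqual(*live, *desired) {
		return "unchanged", nil
	}
	if err := c.Update(desired); err != nil {
		return "", err
	}
	return "updated", nil
}

func main() {
	// Constructed sample binding in the "<sa>-from-jwt-binding" naming style of the log line above.
	c := NewMemClient()
	b := &Binding{Name: "jane-doe-example-com-from-jwt-binding", RoleRef: "developers",
		Subjects: []string{"system:serviceaccount:default:jane-doe-example-com"}}
	fmt.Println(Ensure(c, b))
	fmt.Println(CreateOnly(c, b))
	fmt.Println(Ensure(c, b))
	b.RoleRef = "admins"
	fmt.Println(Ensure(c, b))
}
```

With the real API server the Update must carry the live object's resourceVersion (or use a patch) to avoid clobbering a concurrent change; the comparison step also keeps the controller from issuing a write on every request when nothing changed.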
Hi there,
I'm hitting this when hooking up jwt-to-rbac to my dex test instance:
provider init failed: Get https://dex.example.com:5556/.well-known/openid-configuration: x509: certificate signed by unknown authority.
Is there a current way to allow insecure SSL or to provide a CA cert to use when connecting to dex?
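An added Go example (not jwt-to-rbac's own code) of the two options asked about: loading a CA bundle into a cert pool for the discovery HTTP client, versus InsecureSkipVerify. CheckServingCert runs the same chain verification the TLS handshake performs, which is where the "x509: certificate signed by unknown authority" error comes from; NewTestCAAndLeaf constructs a throwaway CA and a dex.example.com certificate so the check runs offline. Function names and the sample certificates are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// LoadCAPool parses PEM certificates (the CA that signed Dex's serving cert)
// into a pool that replaces the system roots for the OIDC discovery fetch.
func LoadCAPool(caPEM []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no PEM certificates found in CA bundle")
	}
	return pool, nil
}

// NewOIDCClient returns the client for https://<dex>/.well-known/openid-configuration.
// Pinning a CA keeps server authentication; InsecureSkipVerify removes it, so an
// on-path attacker could serve a bogus discovery document and JWKS.
func NewOIDCClient(pool *x509.CertPool, insecureSkipVerify bool) *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs:            pool,
			InsecureSkipVerify: insecureSkipVerify,
			MinVersion:         tls.VersionTLS12,
		}},
	}
}

// CheckServingCert runs the chain and hostname verification the TLS handshake
// does; an untrusted issuer surfaces as x509.UnknownAuthorityError.
func CheckServingCert(leafDER []byte, pool *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// NewTestCAAndLeaf builds a throwaway CA and a "dex.example.com" serving cert
// signed by it; constructed for this example only, not real Dex material.
func NewTestCAAndLeaf() (caPEM, leafDER []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "dex.example.com"},
		DNSNames:    []string{"dex.example.com"},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leafDER, nil
}

func main() {
	caPEM, leafDER, err := NewTestCAAndLeaf()
	if err != nil {
		panic(err)
	}
	// An empty (non-nil) pool mimics a trust store without the Dex CA.
	fmt.Println("without Dex CA:", CheckServingCert(leafDER, x509.NewCertPool(), "dex.example.com"))
	pool, _ := LoadCAPool(caPEM)
	fmt.Println("with Dex CA:", CheckServingCert(leafDER, pool, "dex.example.com"))
	_ = NewOIDCClient(pool, false)
}
```

Supplying the CA is the fix to prefer: the OIDC provider is the root of trust for every token the service accepts, so skipping verification on that connection undermines all downstream signature checks.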
Describe the bug
Changing the log level and applying it with helm does not take effect.
Steps to reproduce the issue:
Expected behaviour
The application changes its log level.
Is your feature request related to a problem? Please describe.
Automate docker image build.
Describe the solution you'd like to see
Trigger a docker image building and pushing if a tag is created.
Describe alternatives you've considered
Manually build and push the docker image
Describe the bug
The github.com/belogik/goes package path was changed, so the build fails.
Solution
Replace the package path with the proper one.
Is your feature request related to a problem? Please describe.
Required user claims are not documented.
E.g.: what are FederatedClaims and how are they used by jwt-to-rbac?
Describe the solution you'd like to see
All requirements that OIDC provider needs to meet in order to be compatible with jwt-to-rbac
This issue was automatically created by Allstar.
Security Policy Violation
Dismiss stale reviews not configured for branch master
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
make docker returns the error below.
go: github.com/belogik/[email protected]: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/5b0453a6aac74c86b31f0a771f02325d031eaf6ec0f0503f1cc20852de3abb0a: exit status 128:
fatal: could not read Username for 'https://github.com': terminal prompts disabled
Is your feature request related to a problem? Please describe.
Create documentation and examples for deploying and using Dex.
Describe the solution you'd like to see
Make an example authentication app and documentation to deploy Dex.
Is your feature request related to a problem? Please describe.
Having just the SA token is not sufficient to access an EKS cluster.
Describe the solution you'd like to see
Since this solution aims to solve the managed OIDC authentication issue for managed clusters, it would be great to show how to do it for the biggest cloud providers: AKS, EKS, GKE.
Describe alternatives you've considered
n/a
Additional context
For EKS clusters, performing just:
k --token $token --certificate-authority ca.crt --server $APISERVER get po
error: You must be logged in to the server (Unauthorized)
after annotating the service account with an AWS role:
k --token $token --certificate-authority ca.crt --server $APISERVER get po
error: the server doesn't have a resource type "po"
Hi, first of all thanks for the documentation update.
I see big potential in this project, so I would like to contribute more ;).
Is your feature request related to a problem? Please describe.
After sending the ID_TOKEN to the /rbac/ endpoint, a new Service Account (SA) is created.
We need to know its name in order to request the SA token. Unfortunately, the response does not contain the SA name, so the user needs to figure it out.
Describe the solution you'd like to see
I propose to add a new property, ServiceAccount, to the POST /rbac/ response:
{
"Email": "[email protected]",
"Groups": [
"admins",
"developers"
],
"FederatedClaims": {
"connector_id": "ldap",
"user_id": "cn=jane,ou=People,dc=example,dc=org"
},
"ServiceAccount": "janedoe-example-com"
}
Describe alternatives you've considered
n/a
Additional context
n/a
Is your feature request related to a problem? Please describe.
Describe the solution you'd like to see
OpenAPI v3 is the standard for defining an API in a structured way and sharing it with others.
Users can explore the REST API in a web browser, e.g. https://petstore.swagger.io
There are many tools that support client generation from an OpenAPI spec, e.g. https://github.com/OpenAPITools/openapi-generator.
Describe alternatives you've considered
n/a
P.S.
If this feature is welcome, then I am eager to help you with this.
Is your feature request related to a problem? Please describe.
The SA token TTL is a policy that the cluster administrator should enforce, not the user requesting the SA token.
Describe the solution you'd like to see
I propose a rbachandler.tokenTTL property in the helm chart.
Describe alternatives you've considered
n/a
Currently the rules you add are global (ClusterRoleBinding); there are certain requirements where you want to add the rules only to certain namespaces.
To do this jwt-to-rbac should support RoleBinding.