banzaicloud / jwt-to-rbac Goto Github PK

Is your feature request related to a problem? Please describe.

• Move jwt-to-rbac chart into the project.
• Update the chart in order to use new features

Describe the solution you'd like to see
Build chart triggered by tagging similarly to #24

Is your feature request related to a problem? Please describe.
Currently, there is no identity validation on GET /tokens/{saNme} request
It means that any malicious actor can request SA token, if SA has been already created.

Describe the solution you'd like to see

• add Authorization header that contains ID token for GET /tokens/<sa-name> request,
• validate Authorization header content by validating ID token signature.

Is your feature request related to a problem? Please describe.
From documentation, it seems that this solution works only with Dex.

Describe the solution you'd like to see
I would go for more generic approach as verifying JWT is quite straight forward.

Is your feature request related to a problem? Please describe.
Using GitHub actions for build and test.

Describe the solution you'd like to see
Implement similar automation used in the case of Circleci.

It seems that banzaicloud/jwt-to-rbac does not depend on github.com/belogik/goes any more, both directly and indirectly.
So, replace usage left in go.mod makes no sense. Should it be dropped?

$ go mod why -m github.com/OwnLocal/goes
# github.com/OwnLocal/goes
(main module does not need module github.com/OwnLocal/goes)

https://github.com/banzaicloud/jwt-to-rbac/blob/master/go.mod#L55

replace github.com/belogik/goes => github.com/OwnLocal/goes v1.0.0

I posted my valid JWT to the jwt-to-rbac service and got this error back:

create serviceaccount failed: ServiceAccount "" is invalid: metadata.name: Required value: name or generateName is required

Tracked down to here:

And relevant line here:

My JWT structure issued from dex using the github connector:

{
  "groups": [
    "org:group1",
    "org:group2"
  ],
  "sub": "sub",
  "iss": "https://dex.example.com",
  "email_verified": true,
  "name": "Daniel Whatmuff",
  "at_hash": "hash",
  "exp": 1550770904,
  "iat": 1550767304,
  "email": "myemail",
  "aud": "kubernetes"
}

If its trying to use name obviously the creation will fail with something like:

The ServiceAccount "Daniel Whatmuff" is invalid: metadata.name: Invalid value: "Daniel Whatmuff": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

But looks like its trying to use FederatedClaimas.UserID...?

Also, I noticed a few FederatedClaimas - are they typos of FederatedClaims?

Whenever the config it's edited "jwt-to-rbac" should know and update the config in the running process. So when a new RBAC it's create the rules should reflect the changes in the config

• generate proper kubeconfig using created service account token

Impement jwt handling that issued with github connetcor. Create clusterroles based on github groups.

Describe the bug

If you request a rbac token on a second time after a first success, the system cant generate it, because it cant overwrite the previews clusterrolebinding that was generated on the first request.

This is the error thrown on the logs:
{"level":"error","msg":"create clusterrolebinding failed: clusterrolebindings.rbac.authorization.k8s.io "xxxxxxx-from-jwt-binding" already exists","package":"rbachandler","service":"jwt-to-rbac","time":"2021-12-02T19:51:59Z"}

Steps to reproduce the issue:

Request a first rbac token with a proper jwt-token.

Get it, and request another token again.

The error is thrown.

Expected behavior

Get a new rbac token at a second time, without having errors.

Describe the bug

When you change the ConfigMap jwt-to-rbac at the level of customGroups at runtime, this changes doesn't applied.

This is because this conditions will be always nil because ClusterRole or ClusterRoleBinding already exists.

Steps to reproduce the issue:
Change something at customGroups level

Expected behavior

When someone change something at customGroups the ClusterRole & ClusterRoleBinding changes should be reflected

Hi there,

I'm hitting this when hooking up jwt-to-rbac to my dex test instance:

provider init failed: Get https://dex.example.com:5556/.well-known/openid-configuration: x509: certificate signed by unknown authority.

Is there a current way to allow insecure SSL or to provide a CA cert to use when connecting to dex?

Describe the bug
Changing log level and applying it with helm does not take an effect.

Steps to reproduce the issue:

1. In values.yaml change log.level to debug
2. helm upgrade --install
3. observe that ConfigMap has changed but application still does not print debug level messages.

Expected behaviour
Application changes it log level

Is your feature request related to a problem? Please describe.
Automate docker image build.

Describe the solution you'd like to see
Trigger a docker image building and pushing if a tag is created.

Describe alternatives you've considered
Manually build and push the docker image

Describe the bug
github.com/belogik/goes package path was changed, so the build failed.

Solution
Replace the package path with the proper one.

Is your feature request related to a problem? Please describe.
Required user claims are not documented.
E.g.: What are FederatedClaims and how they are used by jwt-to-rbac?

Describe the solution you'd like to see
All requirements that OIDC provider needs to meet in order to be compatible with jwt-to-rbac

This issue was automatically created by Allstar.

Security Policy Violation
Dismiss stale reviews not configured for branch master

This issue will auto resolve when the policy is in compliance.

Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

make docker returns the below error.

go: github.com/belogik/[email protected]: git fetch -f origin refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/5b0453a6aac74c86b31f0a771f02325d031eaf6ec0f0503f1cc20852de3abb0a: exit status 128:
	fatal: could not read Username for 'https://github.com': terminal prompts disabled

Is your feature request related to a problem? Please describe.
Create documentation and examples for deploying and using Dex.

Describe the solution you'd like to see
Make an example authentication app and documentation to deploy Dex.

Is your feature request related to a problem? Please describe.

Having just SA token is not sufficient to access EKS cluster.

Describe the solution you'd like to see
Since this solution aims to solve managed oidc authentication issue for managed clusters, It would be great to show how to do it for the biggest cloud providers: AKS, EKS, GKS

Describe alternatives you've considered
n/a

Additional context
For EKS clusters

performing just:

k --token $token --certificate-authority ca.crt --server $APISERVER get po 
error: You must be logged in to the server (Unauthorized)

after annotating service account with AWS role:

k --token $token --certificate-authority ca.crt --server $APISERVER get po 
error: the server doesn't have a resource type "po"

Hi, first of all thanks for documentation update.
I see a big potential in this project, so I would to contribute more ;).

Is your feature request related to a problem? Please describe.
After sending ID_TOKEN to /rbac/ endpoint, a new Service Account (SA) is created.
We need to know its name in order to ask request SA token. Unfortunately, the response does not contain SA name, thus a user needs to figure it out.

Describe the solution you'd like to see
I propose to add a new property: ServiceAccount to POST /rbac/ response:

{
    "Email": "[email protected]",
    "Groups": [
        "admins",
        "developers"
    ],
    "FederatedClaims": {
        "connector_id": "ldap",
        "user_id": "cn=jane,ou=People,dc=example,dc=org"
    }
    // New property
    "ServiceAccount": "janedoe-example-com"
}

Describe alternatives you've considered
n/a
Additional context
n/a

Is your feature request related to a problem? Please describe.

• Learning about api endpoints, models, responses.
• Automating API client generation

Describe the solution you'd like to see
The openapi v3 is the standard for defining API in structured and sharing it with the others.
Users can explore REST API in web browser, e.g: https://petstore.swagger.io
There are many tools that supports client generation from the openapi spec, e.g.: https://github.com/OpenAPITools/openapi-generator.

Describe alternatives you've considered
n/a

P.S.
If this feature is welcome, then I am eager to help you with this.

Is your feature request related to a problem? Please describe.
The SA token TTL is a policy that cluster administrator should enforce, not a user that is requesting SA token.

Describe the solution you'd like to see
I propose to

• expose rbachandler. tokenTTL property in helm chart
• remove POST http://localhost:5555/tokens/ endpoint from the app

Describe alternatives you've considered
n/a

Now the rules you add are global ("ClusterRoleBinding"), there are certain requirements where you want to only add the rules to certain namespaces.

To do this jwt-to-rbac should support "RoleBinding".