kubeguard / guard

🔑 Kubernetes Authentication & Authorization WebHook Server
https://kubeguard.dev
Apache License 2.0
590 stars, 81 forks

Add support for * in subject access review requests #347

Closed. Anumita closed this 1 year ago.

Anumita commented 1 year ago

The fields Resource, Group and Verb can be `*` in SAR requests. Currently there is no handling for such requests. We will now create a map containing the list of predefined K8s types on startup and use that map to build the list of data actions that need to be sent in a checkaccess request, depending on the combination of `*`s in the Resource, Group and Verb fields. Structure of the map:

```go
type AuthorizationEntity struct {
	Id string `json:"Id"`
}

type AuthorizationActionInfo struct {
	AuthorizationEntity
	IsDataAction bool `json:"IsDataAction"`
}

type DataAction struct {
	ActionInfo           AuthorizationActionInfo
	IsNamespacedResource bool // whether this is a namespace-scoped resource or not
}

type ResourceAndVerbMap struct {
	// key is the resource name; value is a verb map whose value is the DataAction struct defined above
	ResourceMap map[string]map[string]DataAction
}

type OperationsMap struct {
	// key is the API group name; value is a resource map
	GroupMap map[string]ResourceAndVerbMap
}
```

Snippet: (image not captured)

The scenario table is:

| Scenario | Namespace is empty (cluster-scope call) | Namespace is not empty (namespace scope) |
| --- | --- | --- |
| Verb = `*`, Resource = `*`, Group = `*` | All cluster and namespaced resources with all verbs at cluster scope | All namespaced resources with all verbs at namespace scope |
| Resource = `*`, Group = `*` | All cluster and namespaced resources with the specified verb at cluster scope | All namespaced resources with the specified verb at namespace scope |
| Verb = `*`, Group = `*` | The resource under all API groups with all verbs at cluster scope | The namespaced resource under all API groups with all verbs at namespace scope |
| Verb = `*`, Resource = `*` | All cluster and namespaced resources with all verbs under the specified API group at cluster scope | All namespaced resources with all verbs under the specified API group at namespace scope |
| Verb = `*` | The resource under the specified API group with all verbs at cluster scope | The resource under the specified API group with all verbs at namespace scope |
| Resource = `*` | All cluster and namespaced resources under the specified API group with the specified verb at cluster scope | All namespaced resources under the specified API group with the specified verb at namespace scope |
| Group = `*` | The resource under all API groups with the specified verb at cluster scope | The resource under all API groups with the specified verb at namespace scope |
| None of the three is `*` | The normal call we make now at cluster scope | The normal call we make now at namespace scope |
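The following is an added, stand-alone example of the expansion described above; it is not guard's own code. The type definitions follow the structs in the comment, while `sampleSpecs` (a small constructed stand-in for the predefined K8s type list), the `group/resource/verb` action-id scheme in `actionID`, and the `BuildOperationsMap` / `ExpandDataActions` functions are assumptions made for illustration. It walks the map once per SAR, treats `*` in any of group, resource or verb as "match everything", and, when the SAR carries a namespace, drops cluster-scoped resources so a namespaced wildcard request never expands into cluster-only actions.

```go
package main

import (
	"fmt"
	"sort"
)

type AuthorizationEntity struct {
	Id string `json:"Id"`
}

type AuthorizationActionInfo struct {
	AuthorizationEntity
	IsDataAction bool `json:"IsDataAction"`
}

type DataAction struct {
	ActionInfo           AuthorizationActionInfo
	IsNamespacedResource bool // whether this is a namespace-scoped resource or not
}

type ResourceAndVerbMap struct {
	ResourceMap map[string]map[string]DataAction // resource -> verb -> DataAction
}

type OperationsMap struct {
	GroupMap map[string]ResourceAndVerbMap // apigroup -> resource map
}

// resourceSpec is a constructed stand-in for one entry of the predefined K8s type
// list that the issue says is loaded at startup (assumption, not guard's format).
type resourceSpec struct {
	group      string
	resource   string
	namespaced bool
	verbs      []string
}

// sampleSpecs is constructed sample data, not the real Kubernetes type catalogue.
var sampleSpecs = []resourceSpec{
	{"", "pods", true, []string{"get", "list", "create", "delete"}},
	{"", "nodes", false, []string{"get", "list"}},
	{"apps", "deployments", true, []string{"get", "list", "create"}},
	{"rbac.authorization.k8s.io", "clusterroles", false, []string{"get", "list"}},
}

// actionID builds an illustrative data-action id; the real id scheme used by the
// checkaccess backend is not taken from the issue and is an assumption here.
func actionID(group, resource, verb string) string {
	if group == "" {
		group = "core"
	}
	return fmt.Sprintf("%s/%s/%s", group, resource, verb)
}

// BuildOperationsMap populates the group -> resource -> verb map once, at startup.
func BuildOperationsMap(specs []resourceSpec) OperationsMap {
	om := OperationsMap{GroupMap: map[string]ResourceAndVerbMap{}}
	for _, s := range specs {
		rvm, ok := om.GroupMap[s.group]
		if !ok {
			rvm = ResourceAndVerbMap{ResourceMap: map[string]map[string]DataAction{}}
			om.GroupMap[s.group] = rvm
		}
		verbMap, ok := rvm.ResourceMap[s.resource]
		if !ok {
			verbMap = map[string]DataAction{}
			rvm.ResourceMap[s.resource] = verbMap
		}
		for _, v := range s.verbs {
			verbMap[v] = DataAction{
				ActionInfo: AuthorizationActionInfo{
					AuthorizationEntity: AuthorizationEntity{Id: actionID(s.group, s.resource, v)},
					IsDataAction:        true,
				},
				IsNamespacedResource: s.namespaced,
			}
		}
	}
	return om
}

// ExpandDataActions returns the sorted data-action ids a SAR expands to. "*" in
// group, resource or verb matches every entry on that level. A non-empty
// namespace restricts the result to namespace-scoped resources, matching the
// right-hand column of the scenario table.
func ExpandDataActions(om OperationsMap, group, resource, verb, namespace string) []string {
	var ids []string
	for g, rvm := range om.GroupMap {
		if group != "*" && g != group {
			continue
		}
		for r, verbMap := range rvm.ResourceMap {
			if resource != "*" && r != resource {
				continue
			}
			for v, da := range verbMap {
				if verb != "*" && v != verb {
					continue
				}
				if namespace != "" && !da.IsNamespacedResource {
					continue
				}
				ids = append(ids, da.ActionInfo.Id)
			}
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	om := BuildOperationsMap(sampleSpecs)
	// Namespaced SAR with Group="*", Resource="*", Verb="get": only namespaced types appear.
	for _, id := range ExpandDataActions(om, "*", "*", "get", "default") {
		fmt.Println(id)
	}
}
```

Note the last check in `ExpandDataActions`: a fully specified SAR for a cluster-scoped resource (for example `nodes`/`get`) that arrives with a namespace set yields no actions at all, rather than silently being evaluated at cluster scope, so the caller can decide whether to deny or to fall back to the existing non-wildcard path.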
weinong commented 1 year ago

Generally LGTM. The only concern I have now is about latency: 1) it's currently lacking the latency measurement and 2) do we need to timeout and return a human readable error if it takes too long?