shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License
559 stars, 56 forks

kubernetes token review strategy #49

Closed shaj13 closed 4 years ago

shaj13 commented 4 years ago

Context: The Kubernetes auth strategy can be used to authenticate incoming HTTP requests using a Kubernetes Service Account Token. This method of authentication makes it easy to introduce apps into a Kubernetes Pod.

Use Case: The go-guardian user creates a Kubernetes service account for reviewing tokens; the Kubernetes auth strategy uses that token-review service account to query the Kubernetes token review API and validate the incoming HTTP request token. This allows apps to authenticate other pods in the same cluster (M2M) and users in the Kubernetes cluster.

Example:

$ cat << EOF > token.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: token-reviewer
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
# ClusterRoleBinding is cluster-scoped, so it takes no metadata.namespace
metadata:
  name: role-tokenreview-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: token-reviewer
  namespace: default 
EOF

$ kubectl apply -f token.yaml
$ kubectl describe secret tokenreview-token-k46tm
$ curl -k -X "POST" "https://127.0.0.1:8443/apis/authentication.k8s.io/v1/tokenreviews" \
     -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkJmV2s3QjYzeTZkeWROYmhuZDVSdWx6bkVEekZOMFpfUDJyQ3hldElGdUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRva2VuLXJldmlld2VyLXRva2VuLWxoa21wIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InRva2VuLXJldmlld2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODQ2ODM3YTEtYjcyZC00YTFkLWJhM2ItOTJmM2Y5OTUxYTM4Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dG9rZW4tcmV2aWV3ZXIifQ.WvfQwfviCZ3wDQalZlJliFfvsrkcUcdn5U93tp9NsjnQWJ0ZsYuafoSmsKhI6qPqKWo_gw4_a9yYm3saYnfdIAmhwA_m37OJ0w6KDyanvY51vB6tvEVEYn6Ee4XWbql1dom2W_QZOvYqVYyn0_v1ophpFBDifffrCFnS6bVihQX3YJJwBHjkDHYyKK7_tcdcoQeNfXemHeqA9Ss6TQaOcUDJS2S311Z8en9uwDuxviTcBVZyTTvAsL2UNG3x2HCVW5yR0yIgvJoRduaMvdFlPYXed06xu40aVifgXGwR50T1cBs6P0Dzqm2C4ousSukng4mplz4qSd7_xpYXyV-dBA' \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d $'{
  "kind": "TokenReview",
  "apiVersion": "authentication.k8s.io/v1",
  "spec": {
    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJmV2s3QjYzeTZkeWROYmhuZDVSdWx6bkVEekZOMFpfUDJyQ3hldElGdUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRva2VucmV2aWV3LXRva2VuLWs0NnRtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InRva2VucmV2aWV3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNzQ3ZGY1NWYtYmU3Mi00OGU3LWJkYTItMzhjZTY4YWQ4NDE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dG9rZW5yZXZpZXcifQ.Ta8L251BD2zajjYlc77NoacJrPo4yrdTHp_50ncbtNHAfk72DFaOIGJ2c6BD1DXkv_akLQJgD95x57N5uZlls3gXmOAjwfQkby2WjKzsJPMJyvTIPZuvduWDc9WGvin82uKIdlY8F-598uGGnykTG0t2xy6fb6WHnqafWPJqhoqIWh7qafPGnT29lMqrHZxIM4hXOFMTjM1wzWPcu2J4olM2e4W3zFgrbFyqYLBiC95nnYuTU8gIgpQnf038uP1Pbl_VGeWJypFZ0wa98bc5kNGOsOnKIyK6X1vQ8taT2h_5VFbHKPGrgTmoICwd_MPkps8vs7e-h065LhjcGb8ZZg" 
    }
}'

{
  "kind": "TokenReview",
  "apiVersion": "authentication.k8s.io/v1",
  "metadata": {
    "creationTimestamp": null,
    "managedFields": [
      {
        "manager": "curl",
        "operation": "Update",
        "apiVersion": "authentication.k8s.io/v1",
        "time": "2020-08-14T17:51:48Z",
        "fieldsType": "FieldsV1",
        "fieldsV1": {"f:spec":{"f:token":{}}}
      }
    ]
  },
  "spec": {
    "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJmV2s3QjYzeTZkeWROYmhuZDVSdWx6bkVEekZOMFpfUDJyQ3hldElGdUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRva2VucmV2aWV3LXRva2VuLWs0NnRtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InRva2VucmV2aWV3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNzQ3ZGY1NWYtYmU3Mi00OGU3LWJkYTItMzhjZTY4YWQ4NDE0Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6dG9rZW5yZXZpZXcifQ.Ta8L251BD2zajjYlc77NoacJrPo4yrdTHp_50ncbtNHAfk72DFaOIGJ2c6BD1DXkv_akLQJgD95x57N5uZlls3gXmOAjwfQkby2WjKzsJPMJyvTIPZuvduWDc9WGvin82uKIdlY8F-598uGGnykTG0t2xy6fb6WHnqafWPJqhoqIWh7qafPGnT29lMqrHZxIM4hXOFMTjM1wzWPcu2J4olM2e4W3zFgrbFyqYLBiC95nnYuTU8gIgpQnf038uP1Pbl_VGeWJypFZ0wa98bc5kNGOsOnKIyK6X1vQ8taT2h_5VFbHKPGrgTmoICwd_MPkps8vs7e-h065LhjcGb8ZZg"
  },
  "status": {
    "authenticated": true,
    "user": {
      "username": "system:serviceaccount:default:tokenreview",
      "uid": "747df55f-be72-48e7-bda2-38ce68ad8414",
      "groups": [
        "system:serviceaccounts",
        "system:serviceaccounts:default",
        "system:authenticated"
      ]
    }
  }
}

API: https://docs.openshift.com/online/pro/rest_api/apis-authentication.k8s.io/v1.TokenReview.html
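The exchange above, as an added Go example that is not go-guardian's own code: the client side builds the `TokenReview` body, sends it with the token-reviewer service account's bearer token (the credential the `ClusterRoleBinding` to `system:auth-delegator` authorizes), and fails closed unless `status.authenticated` is true and `status.error` is empty. The function names (`Review`, `ParseTokenReview`, `NewFakeAPIServer`, `DemoReview`) and the two token strings are assumptions chosen here; the identity values in the fake server's success reply are copied from the issue's `curl` output. The `httptest` server stands in for the real API server so the example runs offline; against a real cluster the client must trust the cluster CA rather than skip verification as the `curl -k` in the issue does.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// UserInfo is status.user of a TokenReview: the identity the API server vouches for.
type UserInfo struct {
	Username string   `json:"username"`
	UID      string   `json:"uid"`
	Groups   []string `json:"groups"`
}

// TokenReview is the subset of authentication.k8s.io/v1 TokenReview used here.
type TokenReview struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status struct {
		Authenticated bool     `json:"authenticated"`
		Error         string   `json:"error,omitempty"`
		User          UserInfo `json:"user"`
	} `json:"status"`
}

var ErrNotAuthenticated = errors.New("tokenreview: token not authenticated")

// ParseTokenReview decodes the reply. A 2xx alone proves nothing: the verdict
// is status.authenticated, and status.error carries the reason on failure.
func ParseTokenReview(body io.Reader) (*UserInfo, error) {
	var tr TokenReview
	if err := json.NewDecoder(body).Decode(&tr); err != nil {
		return nil, fmt.Errorf("tokenreview: decode: %w", err)
	}
	if tr.Status.Error != "" || !tr.Status.Authenticated || tr.Status.User.Username == "" {
		return nil, fmt.Errorf("%w: %s", ErrNotAuthenticated, tr.Status.Error)
	}
	return &tr.Status.User, nil
}

// Review POSTs the incoming token to the TokenReview API, authenticating as the
// token-reviewer service account with reviewerToken (assumed helper, not go-guardian's API).
func Review(ctx context.Context, client *http.Client, apiServer, reviewerToken, token string) (*UserInfo, error) {
	var tr TokenReview
	tr.Kind, tr.APIVersion, tr.Spec.Token = "TokenReview", "authentication.k8s.io/v1", token
	body, _ := json.Marshal(tr) // plain strings: cannot fail
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		apiServer+"/apis/authentication.k8s.io/v1/tokenreviews", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+reviewerToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusCreated {
		return nil, fmt.Errorf("tokenreview: unexpected HTTP %d", resp.StatusCode)
	}
	return ParseTokenReview(io.LimitReader(resp.Body, 1<<20)) // bound the read
}

// Constructed stand-in for the API server so the example runs offline: it
// accepts only the constructed reviewer token and knows one valid pod token.
const DemoReviewerToken, DemoValidToken = "constructed-reviewer-token", "constructed-pod-token"

func NewFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		var tr TokenReview
		if req.Header.Get("Authorization") != "Bearer "+DemoReviewerToken || json.NewDecoder(req.Body).Decode(&tr) != nil {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if tr.Spec.Token == DemoValidToken { // identity values copied from the issue's curl output
			tr.Status.Authenticated, tr.Status.User = true, UserInfo{Username: "system:serviceaccount:default:tokenreview",
				UID: "747df55f-be72-48e7-bda2-38ce68ad8414", Groups: []string{"system:serviceaccounts", "system:serviceaccounts:default", "system:authenticated"}}
		} else {
			tr.Status.Error = "constructed: invalid bearer token"
		}
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(tr)
	}))
}

// DemoReview performs one full exchange against the fake server.
func DemoReview(token string) (*UserInfo, error) {
	srv := NewFakeAPIServer()
	defer srv.Close()
	return Review(context.Background(), srv.Client(), srv.URL, DemoReviewerToken, token)
}

func main() { fmt.Println(DemoReview(DemoValidToken)) }
```

Three outcomes matter to the strategy and are kept distinct: a wrong reviewer credential surfaces as an HTTP error before any token is examined, a rejected token comes back as a 2xx reply with `authenticated: false` and must still be refused, and only an authenticated reply with a non-empty username yields an identity.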