[RFC] Access control for cross-namespace source refs #2092
Conversation
stefanprodan
requested review from
squaremo,
makkes,
darkowlzz,
relu,
hiddeco and
phillebaba
stefanprodan
force-pushed
the
rfc-0002
branch
7 times, most recently
from
c008ce7
to
e53dd90
Compare
stefanprodan
force-pushed
the
rfc-0002
branch
3 times, most recently
from
62ea689
to
e455cda
Compare
|
@stefanprodan I'd like to say the problem that I see in the ACL proposal and the user story 3. As a tenant somehow I need to know each Another implicit behavior for me is an implicit reference from |
stefanprodan
force-pushed
the
rfc-0002
branch
from
e455cda
to
45e8a57
Compare
rfcs/0002-source-acl/README.md
Outdated
| Yes another alternative is to introduce a new API kind `SourceReflection` as described in | ||
| [fluxcd/flux2#582-821027543](https://github.com/fluxcd/flux2/pull/582#issuecomment-821027543). | ||
|
|
||
| And finally, this is more of an improvement of the current proposal, is for source-controller to compile the ACLs |
There was a problem hiding this comment.
The current implementation of ACLs is not described in detail in this current doc, so it is a bit unclear to me what the current gap is between improving the current implementation and the implementation described in this paragraph.
I understand that the discussion might be listed elsewhere, but it would be good in one of these RFCs to explicitly lay out what the controller does and what service account and permissions it runs under when attempting to check the ACL
There was a problem hiding this comment.
The RFC-0001 may fill that gap as it defines the current authentication model.
|
I think the primary issue I see with ACLs is understanding what is available to you in terms of sources. As much as I like the idea of having some sort of CLI support for grabbing the available sources, I cannot think of a good way to show the available sources in a secure way to the tenant user |
| > As a cluster admin, I want to let tenants configure image automation in their namespaces by | ||
| > referring to a Git repository managed by the platform team. | ||
|
|
||
| If the owner of a Flux `GitRepository` wants to grant write access to `ImageUpdateAutomations` in a different namespace, |
There was a problem hiding this comment.
I think it would be good to lay out the list of possible access... If as a user I grant access to another namespace, depending on the running controllers on that NS I might re-consider.
There was a problem hiding this comment.
The level of access to the underlying Git repository depends on how you've configured the SSH key or token, if it has write access to just read. ImageUpdateAutomations need write access to patch image tags, while a HelmRelease or Kustomization needs only read access.
stefanprodan
force-pushed
the
rfc-0002
branch
2 times, most recently
from
5cbf572
to
1588bab
Compare
ACLs are very much like network polices. As far as I know, there is no way for a tenant to query Kubernetes API and get a list of endpoints that allow ingress traffic from its namespace. |
A way to achieve this could be by a platform admin leveraging the built-in RBAC, having a pre-agreed namespace (say |
There was a problem hiding this comment.
A potential alternative approach to rely solely on the built-in RBAC instead of creating a new authorisation mechanism, is to leverage the use verb. Below is a simple example that would provide a service account (to be used by Helm/Kustomization objects) the ability to use all sources from namespace flux-shared. It also gives specific-tenant-user the ability to query (list/get) all such resources:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-use-sources
rules:
- apiGroups: ['source.toolkit.fluxcd.io']
resources:
- bucket
- gitrepository
- helmchart
- helmrepository
verbs:
- use
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: flux-shared-resources
namespace: flux-shared
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flux-use-sources
subjects:
- kind: ServiceAccount
name: flux
namespace: specific-tenant
- apiGroup: rbac.authorization.k8s.io
kind: User
name: specific-tenant-userIt is not as flexible as the proposed solution, but it requires less effort to implement and delays the need to change flux's API. The main impact being that users won't be able to use selectors, but instead will have to create RoleBinding and ClusterRoleBinding objects to enable the use of flux sources.
The main benefit being that the built-in RBAC would still be the single point of truth for authorisation of flux objects.
rfcs/0002-source-acl/README.md
Outdated
| Yes another alternative is to introduce a new API kind `SourceReflection` as described in | ||
| [fluxcd/flux2#582-821027543](https://github.com/fluxcd/flux2/pull/582#issuecomment-821027543). | ||
|
|
||
| And finally, this is more of an improvement of the current proposal, is for source-controller to compile the ACLs |
There was a problem hiding this comment.
The RFC-0001 may fill that gap as it defines the current authentication model.
| accessFrom: | ||
| namespaceSelectors: | ||
| - matchLabels: | ||
| kubernetes.io/metadata.name: dev-team1 |
There was a problem hiding this comment.
This pattern is very flexible for resource discovery and I can easily understand the benefits of using it in this use case. The main challenge I can think of using this as part of flux's authorisation model in addition to the built-in RBAC is that a cluster admin who is unaware of flux's inner workings may be blindsided by this behaviour, leading to less secure flux deployments.
Given that RBAC will stop being the single source of truth from an authorisation perspective, it may be useful to also provide a sub-command on flux to allow admins to inspect effective permissions across a cluster.
stefanprodan
force-pushed
the
rfc-0002
branch
from
c08ef5c
to
e41ee91
Compare
Signed-off-by: Stefan Prodan <[email protected]>
Signed-off-by: Stefan Prodan <[email protected]>
Signed-off-by: Stefan Prodan <[email protected]>
stefanprodan
force-pushed
the
rfc-0002
branch
from
e41ee91
to
e5635d0
Compare
Signed-off-by: Stefan Prodan <[email protected]>
stefanprodan
force-pushed
the
rfc-0002
branch
from
efa29ce
to
c312816
Compare
stefanprodan
changed the title
Should we move forward with ACL's, implementing the ACL's via intermediary RoleBindings and relying on User Impersonation to enforce the policy will have the benefit of making the list of allowed Sources available via the kubectl/flux CLI as long as the CLI user also has access to impersonate the reconcile User. This is another great reason to not build our own authorization mechanism. example: The apiserver is happy to tell you via RBAC whether or not a particular User can access resources, either generally or by name in whichever namespace. |
|
@stealthybox we currently offer a way to disable cross-ns refs and enforce a default SA on multi-tenant environments https://fluxcd.io/docs/installation/#multi-tenancy-lockdown We’ve reached out to TAG Security for guidance on ACLs. IMO ACLs made like network polices are way easier to setup than RBAC. |
|
@stefanprodan I think that an important feature for this should be an additional CLI command to to make it clear which namespaces can access what resources. Generally the most difficult part of network policies is debugging. Other than that I think this looks good. |
|
We should investigate if ReferenceGrant is a better alternative to the ACL. |
|
Closing this with the resolution: Adopt ReferenceGrant once SIG Auth API Group promotes the API to GA. |
|
@stefanprodan, sorry to write in this closed PR, but, I'm understanding that until ReferenceGrant doesn't go GA by the SIG Auth API Group, FluxCD community won't do any movement in order to support cross-namespace support? I'm asking because there is very little movement in the KEP, and seems this could go for long. I do not know if FluxCD community could provide at least some sort of feature to allow people to get the cross-namespace functionality (and its huge value) right now, with a big disclaimer that once it is supported by K8s core, it will be migrated to it. From what I see, the API the SIG will implement seems pretty clear and in use in the gateway-api SIG, from where they want to export it from, so even Flux could already work knowing which will how the final implementation might look like. Of course I understand that making work to have it deprecated soon(ish) has little value, but seeing how things are moving might make sense to invest the time, specially when there are some PRs around already with lots of dicussion or close to have the feature/value implemented. |
This RFC proposes a way to share sources between namespaces when running Flux on multi-tenant clusters.
Supersedes #582