Include extra attributes in SubjectAccessReview #14768
Open
Problem
Kubernetes authorization plugins can rely on extra attributes on a user, provided via X-Remote-Extra- headers, e.g. AWS EKS with AccessEntry authentication. Currently, the Linkerd Viz tap API doesn't include these attributes when making SubjectAccessReview requests, preventing tap from working in clusters that use authorization plugins relying on these extra attributes.
Solution
Updated the tap API to extract X-Remote-Extra- headers from incoming requests and include them in SubjectAccessReview calls. The header prefix is read from the extension-apiserver-authentication ConfigMap to support custom configurations.
This implementation is based on the original work by David Symons in PR #13170.
Changes:
Validation
Ran go test ./viz/tap/api/... ./pkg/k8s/... and all tests pass. Added TestHandleTap_ExtraHeaders to verify extra attributes are correctly extracted and passed to the Kubernetes client.
Tested with an actual EKS cluster with AccessEntry authentication.
Fixes #13169
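
Added example, not code from this PR or from Linkerd: a standard-library Go sketch of the extraction step the description outlines, parsing the prefix list from the ConfigMap value and turning matching request headers into the extra map for a SubjectAccessReview. The function names, the sample headers, and the lowercasing and percent-decoding of keys (following the kube-apiserver request-header convention) are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// extraPrefixes parses the requestheader-extra-headers-prefix value of the
// extension-apiserver-authentication ConfigMap (a JSON array of strings).
func extraPrefixes(configMapValue string) ([]string, error) {
	var prefixes []string
	err := json.Unmarshal([]byte(configMapValue), &prefixes)
	return prefixes, err
}

// extraFromHeaders returns the key -> values map to copy into the
// SubjectAccessReview spec. Keys are lowercased and percent-decoded.
func extraFromHeaders(h http.Header, prefixes []string) map[string][]string {
	extra := map[string][]string{}
	for _, prefix := range prefixes {
		if prefix == "" {
			continue // defensive: an empty prefix would match every header
		}
		for name, values := range h {
			if !strings.HasPrefix(strings.ToLower(name), strings.ToLower(prefix)) {
				continue
			}
			key := strings.ToLower(name[len(prefix):])
			if decoded, err := url.PathUnescape(key); err == nil {
				key = decoded
			}
			extra[key] = append(extra[key], values...)
		}
	}
	return extra
}

func main() {
	h := http.Header{} // constructed sample headers
	h.Add("X-Remote-User", "alice")
	h.Add("X-Remote-Extra-Example.com%2Fprincipal", "constructed-id")
	h.Add("X-Remote-Extra-Scopes", "a")
	h.Add("X-Remote-Extra-Scopes", "b")
	prefixes, _ := extraPrefixes(`["X-Remote-Extra-"]`)
	fmt.Println(extraFromHeaders(h, prefixes))
}
```

These headers carry meaning only on requests whose client certificate has been verified against the request-header CA published in the same ConfigMap; the sketch assumes that check has already happened.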