
Add a new role.allow.request field called kubernetes_resources #47173

Merged: 2 commits, Nov 1, 2024

Conversation

kimlisa (Contributor) commented Oct 3, 2024

part of #46742
rfd: #46691

Defines a new role.allow.request field called kubernetes_resources.

For now it holds a field kubernetes_resources that follows the same format as the existing allow.kubernetes_resources, except that the only field we support in the options field is Kind (defining other fields will reject the role upserting actions).

The Kind allows admins to define what kube subresources a user can request during request creation and disallows requests for kube_cluster. It allows the wildcard to mean allow requests to any kube subresources.

If role.allow.request.kubernetes_resources is not defined, or length 0, it means a user can request for kube_cluster or any of its subresources.

For example, if the requester role says:

kind: role
metadata:
  name: requester
spec:
  allow:
    request:
      search_as_roles:
      - kube-access
  options:
    request_mode:
      kubernetes_resources:
      - kind: namespace

requesting kind kube_cluster is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-pumpkin: [pod], access: [pod], access-kube-coffee: [namespace]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind pod is denied:

tsh request create --resource /kimlisa22.cloud.gravitational.io/pod/coffee-kube-cluster/kube-system/coredns-7db6d8ff4d-mhjlv

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-coffee: [namespace]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

requesting kind namespace is allowed:

Creating request...
Request ID:     0192bc03-0421-765b-9f5d-db01d9f7f647
Username:       lisa+1@goteleport.com
Roles:          access-kube-coffee
Resources:      ["/kimlisa22.cloud.gravitational.io/namespace/coffee-kube-cluster/coffee-kube-cluster"]
Reason:         [none]
Reviewers:      [none] (suggested)
Access Expires: 2024-10-24 01:51:54
Status:         PENDING

hint: use 'tsh login --request-id=<request-id>' to login with an approved request

Waiting for request approval...

wildcard example output:

tsh request create --resource /kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster 

Creating request...
ERROR: your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: access-kube-coffee: [pod secret configmap namespace service serviceaccount kube_node persistentvolume persistentvolumeclaim deployment replicaset statefulset daemonset clusterrole kube_role clusterrolebinding rolebinding cronjob job certificatesigningrequest ingress]
Try searching for specific kinds with:
> tsh request search --kube-cluster=KUBE_CLUSTER_NAME --kind=KIND

changelog: Define a new role.allow.request field called kubernetes_resources that allows admins to define what kinds of Kubernetes resources a requester can make.

@kimlisa kimlisa requested a review from tigrato October 3, 2024 22:43

github-actions bot commented Oct 3, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@kimlisa kimlisa changed the title Lisa/add request mode role option Add a new role.options field called request_mode.kubernetes_resources Oct 3, 2024
@@ -2664,6 +2666,13 @@ message AccessCapabilitiesRequest {
bool FilterRequestableRolesByResource = 6 [(gogoproto.jsontag) = "filter_requestable_roles_by_resource,omitempty"];
}

message AccessRequestMode {
repeated KubernetesResource KubernetesResources = 1 [
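Review bot: `message AccessRequestMode` and its `KubernetesResources` field carry no doc comment, yet the PR description says only `Kind` of the reused `KubernetesResource` message is honoured and any other populated field makes the role upsert fail. Either add a comment on the message and the field stating that restriction, or define a narrower message that carries only `Kind`, so the proto itself documents what a role author is allowed to set.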
Contributor

Can we use a dedicated type for this setting?
Reusing KubernetesResource is confusing because you can set a lot of data that isn't allowed.

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 3 times, most recently from ae41067 to b03a2f3 Compare October 4, 2024 21:58
@kimlisa kimlisa requested a review from tigrato October 4, 2024 21:59
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 945322f to 70ecfbb Compare October 7, 2024 03:18
kimlisa (Contributor, Author) commented Oct 8, 2024

friendly ping @tigrato @nklaassen

tigrato (Contributor) left a comment

Can you please add unmarshal from/to yaml of roles with this section defined?

Resolved (outdated) review threads on: api/proto/teleport/legacy/types/types.proto (3), lib/services/access_request.go (1)
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 4892231 to f987020 Compare October 16, 2024 07:26
kimlisa (Contributor, Author) commented Oct 16, 2024

I made a few adjustments based on review:

The request mode found on the same role as the search-as roles will be enforced:

  • querying for kube resources with search-as roles will prune roles that don't match the request mode with the request type
  • when creating a request, request modes will be enforced during:
    • pruning search-as roles with only a root resource request
    • pruning search-as roles with leaf and root resources (pruning doesn't happen, but we will still enforce the request mode without any special matchers)
    • requesting custom roles: users can manually change/request roles, so this will skip the pruning check altogether, but we will still enforce request mode checking without any special matchers
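
The semantics from the PR description (an empty kubernetes_resources list permits kube_cluster and every subresource, a listed kind matches exactly, the wildcard covers any subresource but not kube_cluster) and the pruning step described in the comment above, worked through in Go as an added example. This is not Teleport's code: RequesterRole, ParseKind, KindAllowed and PruneSearchAsRoles are simplified stand-ins for the real role types and matchers, and the sample roles are constructed to reuse the role names from the tsh output in the PR. One assumption the PR does not state: when several requester roles list the same search_as_role, their permitted kinds are unioned.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added example, not Teleport's code: simplified stand-ins for the two
// spec.allow.request fields this PR discusses, keyed by requester role name.
type RequesterRole struct {
	SearchAsRoles []string // spec.allow.request.search_as_roles
	AllowedKinds  []string // kinds from spec.allow.request.kubernetes_resources; empty = unrestricted
}

const KindKubeCluster, Wildcard = "kube_cluster", "*"

// ParseKind extracts the kind from a tsh resource ID "/<teleport-cluster>/<kind>/<kube-cluster>[/<ns>/<name>]".
func ParseKind(resourceID string) (string, error) {
	parts := strings.Split(strings.TrimPrefix(resourceID, "/"), "/")
	if len(parts) < 3 || parts[1] == "" {
		return "", fmt.Errorf("malformed resource ID %q", resourceID)
	}
	return parts[1], nil
}

// KindAllowed encodes the semantics from the PR description: an empty list
// permits kube_cluster and every subresource, a listed kind matches exactly,
// and the wildcard matches any subresource but never kube_cluster itself.
func KindAllowed(allowed []string, kind string) bool {
	if len(allowed) == 0 {
		return true
	}
	for _, k := range allowed {
		if k == kind || (k == Wildcard && kind != KindKubeCluster) {
			return true
		}
	}
	return false
}

// allowedKindsPerRequestable maps each search_as_role to the kinds allowed by the requester
// roles listing it. Assumption: kinds are unioned; an empty list becomes [kube_cluster *].
func allowedKindsPerRequestable(roles map[string]RequesterRole) map[string][]string {
	out := map[string][]string{}
	for _, r := range roles {
		kinds := r.AllowedKinds
		if len(kinds) == 0 {
			kinds = []string{KindKubeCluster, Wildcard}
		}
		for _, sar := range r.SearchAsRoles {
			out[sar] = append(out[sar], kinds...)
		}
	}
	return out
}

// PruneSearchAsRoles keeps only requestable roles whose kinds cover every requested resource
// (the pruning step from the review discussion) and otherwise returns a tsh-style error.
func PruneSearchAsRoles(roles map[string]RequesterRole, resourceIDs []string) ([]string, error) {
	kinds := make([]string, 0, len(resourceIDs))
	for _, id := range resourceIDs {
		k, err := ParseKind(id)
		if err != nil {
			return nil, err
		}
		kinds = append(kinds, k)
	}
	var kept, summary []string
	for sar, allowed := range allowedKindsPerRequestable(roles) {
		ok := true
		for _, k := range kinds {
			ok = ok && KindAllowed(allowed, k)
		}
		if ok {
			kept = append(kept, sar)
		}
		summary = append(summary, fmt.Sprintf("%s: [%s]", sar, strings.Join(allowed, " ")))
	}
	sort.Strings(kept)
	sort.Strings(summary)
	if len(kept) == 0 {
		return nil, fmt.Errorf(`your Teleport role's "request.kubernetes_resources" field did not allow requesting to some or all of the requested Kubernetes resources. allowed kinds for each requestable roles: %s`, strings.Join(summary, ", "))
	}
	return kept, nil
}

func main() {
	roles := map[string]RequesterRole{ // constructed sample data
		"requester-coffee":  {SearchAsRoles: []string{"access-kube-coffee"}, AllowedKinds: []string{"namespace"}},
		"requester-pumpkin": {SearchAsRoles: []string{"access-kube-pumpkin", "access"}, AllowedKinds: []string{"pod"}},
	}
	for _, id := range []string{
		"/kimlisa22.cloud.gravitational.io/kube_cluster/coffee-kube-cluster",
		"/kimlisa22.cloud.gravitational.io/namespace/coffee-kube-cluster/coffee-kube-cluster",
	} {
		kept, err := PruneSearchAsRoles(roles, []string{id})
		fmt.Printf("%s\n  roles=%v err=%v\n", id, kept, err)
	}
}
```

Running it reproduces the two outcomes quoted in the PR: the kube_cluster request is refused with the per-role list of allowed kinds, and the namespace request keeps access-kube-coffee as the only requestable role. The normalisation of an empty list to [kube_cluster *] is what lets a role with no restriction survive the union without special-casing it in the matcher.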

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch from f987020 to 7988cc6 Compare October 16, 2024 07:52
@kimlisa kimlisa requested a review from tigrato October 16, 2024 07:55
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch 2 times, most recently from 449ca3d to 415537c Compare October 16, 2024 21:47
@kimlisa kimlisa marked this pull request as draft October 17, 2024 06:04
@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch from 415537c to 7f0453e Compare October 17, 2024 08:30
@kimlisa kimlisa marked this pull request as ready for review October 17, 2024 08:31

github-actions bot commented Nov 1, 2024

🤖 Vercel preview here: https://docs-6onolp5ve-goteleport.vercel.app/docs/ver/preview

@kimlisa kimlisa force-pushed the lisa/add-request-mode-role-option branch from d69b2f5 to f8dc68e Compare November 1, 2024 00:07

github-actions bot commented Nov 1, 2024

🤖 Vercel preview here: https://docs-dnfaf44ij-goteleport.vercel.app/docs/ver/preview

@public-teleport-github-review-bot

@kimlisa - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.


github-actions bot commented Nov 1, 2024

🤖 Vercel preview here: https://docs-5jy8ahdem-goteleport.vercel.app/docs/ver/preview

@kimlisa kimlisa added this pull request to the merge queue Nov 1, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 1, 2024
@kimlisa kimlisa added this pull request to the merge queue Nov 1, 2024
Merged via the queue into master with commit a132be0 Nov 1, 2024
45 checks passed
@kimlisa kimlisa deleted the lisa/add-request-mode-role-option branch November 1, 2024 04:05
@public-teleport-github-review-bot

@kimlisa See the table below for backport results.

Branch      Result
branch/v16  Failed
branch/v17  Failed

kimlisa added a commit that referenced this pull request Nov 1, 2024
…47173)

* Add a new role.allow.request field called kubernetes_resources

* Fix lint: update terraform docs
github-merge-queue bot pushed a commit that referenced this pull request Nov 1, 2024
…47173) (#48258)

* Add a new role.allow.request field called kubernetes_resources

* Fix lint: update terraform docs
kimlisa added a commit that referenced this pull request Nov 4, 2024
…47173)

* Add a new role.allow.request field called kubernetes_resources

* Fix lint: update terraform docs
kimlisa added a commit that referenced this pull request Nov 5, 2024
…47173)

* Add a new role.allow.request field called kubernetes_resources

* Fix lint: update terraform docs
github-merge-queue bot pushed a commit that referenced this pull request Nov 6, 2024
#48387)

* Add a new `role.allow.request` field called `kubernetes_resources` (#47173)

* Add a new role.allow.request field called kubernetes_resources

* Fix lint: update terraform docs

* Apply request.kubernetes_resources allow/deny settings when querying for kube resources (#48196)

* Apply request.kubernetes_resources allow/deny when querying for kube resources

* Address CR

* Replace unsupported library funcs

* Add missing role conditions getter
Labels
backport/branch/v16 backport/branch/v17 kubernetes-access size/lg size/md tsh ui
4 participants