aws-iam-authenticator
[Feature request]: Ability to gracefully migrate ClusterID
What would you like to be added?
aws-iam-authenticator needs the ability to migrate a clusterID field for a cluster without breaking existing client authentication. From the project's README,
The Authenticator cluster ID is a unique-per-cluster identifier that prevents certain replay attacks. Specifically, it prevents one Authenticator server (e.g., in a dev environment) from using a client's token to authenticate to another Authenticator server in another cluster.
Why is this needed?
For cluster administrators that want to change their ID, there is no way today to do so without ensuring all clients update in coordination with a server-side change. This could result in authentication failures for any client who didn't update the provided clusterID at the same time as the server.
Anything else we need to know?
Today, we validate that the x-k8s-aws-id header key and value are included in the request signature. We cannot support multiple possible values for the same x-k8s-aws-id header, as only one would result in a valid signature, and the client does not transmit the value it uses in the request.
Without doing a token prefix change (ex: replacing the token prefix k8s-aws-v1 with something like k8s-aws-v2), we could support one or two alternate header names and associated values in the server. Because the header name and value are included in the signature, but only the header name (not the value) is included in the token, clients would be able to effectively tell the server which header they are using. Clients would need to know which value corresponds to which header, but that would support new clients using an alternate cluster ID.
As an illustrative example, the server could have a hypothetical updated configuration like so:
```yaml
# (Existing)
# a unique-per-cluster identifier to prevent replay attacks (see above)
# Associated with the `x-k8s-aws-id` header
clusterID: my-dev-cluster.example.com
# (New)
# An alternate clusterID to support migration
# associated with a new `x-k8s-aws-id-2` header
clusterID2: 36421045-D0E8-489F-8219-AB9CA46714F7
# (New)
# Another alternate clusterID to support migration
# associated with a new `x-k8s-aws-id-3` header
clusterID3: 00703CC8-0730-46C6-98CA-6BEDFD55B6C0
```
And client invocation (aws-iam-authenticator token) could support setting these alternate headers.
```sh
# Existing behavior, sets the `x-k8s-aws-id` header
aws-iam-authenticator token --cluster-id my-dev-cluster.example.com
# New, would be associated with the `x-k8s-aws-id-2` header
aws-iam-authenticator token --cluster-id2 36421045-D0E8-489F-8219-AB9CA46714F7
# New, would be associated with the `x-k8s-aws-id-3` header
aws-iam-authenticator token --cluster-id3 00703CC8-0730-46C6-98CA-6BEDFD55B6C0
```
We'd probably allow the server to accept tokens with only one of the three clusterID headers, as we wouldn't want clients to be able to create tokens potentially scoped to multiple clusters (the whole point is to prevent replay-ability).
For EKS, I'd guess that most clients are using aws eks update-kubeconfig that configures the ~/.kube/config file to call aws eks get-token. Support could pretty trivially be added to the AWS CLI to add a flag that sets an alternate header value, and it would be transparent to clients as multiple values could work.
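The server-side header selection proposed above, sketched as an added example (not code from aws-iam-authenticator or from the issue author). `SelectClusterID`, `makeToken` and the header-to-ID map are hypothetical names; the sketch assumes a token is `k8s-aws-v1.` followed by an unpadded base64url-encoded presigned STS URL whose `X-Amz-SignedHeaders` parameter lists the signed header names, and it rejects tokens that sign zero or more than one cluster-ID header.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

const tokenPrefix = "k8s-aws-v1."

// SelectClusterID reports which configured cluster-ID header the client signed.
// ids maps header name -> cluster ID (assumed shape of the proposed config).
// The token lists header names only; STS later checks the value against the signature.
func SelectClusterID(token string, ids map[string]string) (string, string, error) {
	if !strings.HasPrefix(token, tokenPrefix) {
		return "", "", fmt.Errorf("unexpected token prefix")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(token, tokenPrefix))
	if err != nil {
		return "", "", fmt.Errorf("token is not base64url: %w", err)
	}
	u, err := url.Parse(string(raw))
	if err != nil {
		return "", "", fmt.Errorf("token is not a URL: %w", err)
	}
	var matched []string
	for _, h := range strings.Split(u.Query().Get("X-Amz-SignedHeaders"), ";") {
		h = strings.ToLower(strings.TrimSpace(h))
		if _, ok := ids[h]; ok {
			matched = append(matched, h)
		}
	}
	// Zero means no cluster binding; several would scope one token to multiple IDs.
	if len(matched) != 1 {
		return "", "", fmt.Errorf("want exactly one cluster-ID header signed, got %d", len(matched))
	}
	return matched[0], ids[matched[0]], nil
}

// makeToken builds a constructed, unsigned sample token for the demo.
func makeToken(signedHeaders string) string {
	q := url.Values{"Action": {"GetCallerIdentity"}, "X-Amz-SignedHeaders": {signedHeaders}}
	return tokenPrefix + base64.RawURLEncoding.EncodeToString([]byte("https://sts.amazonaws.com/?"+q.Encode()))
}

func main() {
	ids := map[string]string{"x-k8s-aws-id": "my-dev-cluster.example.com", "x-k8s-aws-id-2": "36421045-D0E8-489F-8219-AB9CA46714F7"}
	fmt.Println(SelectClusterID(makeToken("host;x-k8s-aws-id-2"), ids))
}
```

The returned header name and value are what the server would attach when it forwards the presigned request to STS; a wrong value still fails there, because the signature covers it.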
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Reopen this issue with `/reopen`
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned".