
How to use --as=

nissessenap opened this issue 4 years ago • 2 comments

How to use --as= and --as-groups= when running azad-kube-proxy? Today it's not possible because impersonation requests are not okay.

I try to run the following command:

kgp --as-group="so-much-uid" --as="edvin_domain.se#EXT#@domain.onmicrosoft.com"

And azad-proxy gives me the following:

{"level":"error","ts":1623049882.077609,"caller":"handlers/handlers.go:148","msg":"Client sending impersonation headers","error":"Client sending impersonation headers","stacktrace":"github.com/xenitab/azad-kube-proxy/pkg/handlers.(*Client).AzadKubeProxyHandler.func1\n\t/workspace/pkg/handlers/handlers.go:148\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2069\ngithub.com/rs/cors.(*Cors).Handler.func1\n\t/go/pkg/mod/github.com/rs/[email protected]/cors.go:219\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2069\ngithub.com/xenitab/azad-kube-proxy/pkg/cors.(*Client).Middleware.func1\n\t/workspace/pkg/cors/cors.go:64\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2069\ngithub.com/xenitab/azad-kube-proxy/pkg/dashboard.(*k8dashClient).preAuth.func1\n\t/workspace/pkg/dashboard/k8dash.go:125\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2069\ngithub.com/gorilla/mux.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/gorilla/[email protected]/mux.go:210\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2887\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1952"}

How should I run --as commands?

  • Should we implement some RBAC logic in azad?
  • The few times I want to run --as I should exec into the azad pod?
  • Should I just login using the standard AKS way?

Some other solution?

nissessenap avatar Jun 07 '21 07:06 nissessenap

sh: kubectl: not found in azad-kube-proxy, so if we want to do it by solving exec we need to add it.

nissessenap avatar Jun 07 '21 07:06 nissessenap

An idea to support this from this post: https://www.tremolosecurity.com/post/updating-kube-oidc-proxy

Supporting kubectl --as

The kubectl command has added several options to make debugging RBAC easier. One of these tools, the --as and --as-groups flags, rely on impersonation. There's a security issue here though, because the reverse proxy is entirely responsible for authenticating the user. If the proxy were not careful, it could allow users to escalate their privileges. This is why the previous version of kube-oidc-proxy would error out when you tried to use kubectl --as. We wanted to make this feature work. Now, when you use kubectl --as, we verify with the API server that the authenticated user is able to impersonate the user (and groups) that is being attempted by submitting SubjectAccessReviews. This way the API server is still the authoritative source for authorizing the impersonation request. In addition to sending the requested impersonation from the user, the proxy also sends the original user as additional attributes that are stored in the request's UserInfo object and are sent to the API server's audit logs. This way every transaction that includes an impersonation is tracked back to the original user. We also added additional logging for SIEMs to more easily track each request, which we'll detail next.

https://github.com/TremoloSecurity/kube-oidc-proxy/issues/3

simongottschlag avatar Apr 14 '22 18:04 simongottschlag
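Added example (Go, written for this thread; it is not azad-kube-proxy's or kube-oidc-proxy's code) of the check the quoted post describes: before Impersonate-* headers are forwarded, each requested user and group is authorized with a SubjectAccessReview-style query made on behalf of the authenticated user, and the original user is recorded as an extra for the audit log. The sarChecker interface, the Impersonate-Extra-Original-User header name and the sample identities are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
)

// resourceAttributes holds the SubjectAccessReview fields used to authorize
// impersonation; it is this example's struct, not the authorization.k8s.io/v1 type.
type resourceAttributes struct{ Verb, Resource, Name string }

// sarChecker reports whether authenticatedUser may perform attrs. A real proxy
// posts a SubjectAccessReview to the API server; the test uses an in-memory fake.
type sarChecker interface {
	Allowed(authenticatedUser string, attrs resourceAttributes) (bool, error)
}

// impersonationAttributes maps each Impersonate-User/-Group header onto the
// review (verb "impersonate" on users or groups) the proxy must win first.
func impersonationAttributes(h http.Header) []resourceAttributes {
	var out []resourceAttributes
	if u := h.Get("Impersonate-User"); u != "" {
		out = append(out, resourceAttributes{"impersonate", "users", u})
	}
	for _, g := range h.Values("Impersonate-Group") {
		out = append(out, resourceAttributes{"impersonate", "groups", g})
	}
	return out
}

// authorizeImpersonation forwards impersonation only if the authenticated user
// may impersonate every requested identity; groups without Impersonate-User are
// rejected, as the API server would reject them. On success the original user is
// recorded as an extra for the audit log (header name is an assumption here).
func authorizeImpersonation(c sarChecker, authenticatedUser string, h http.Header) error {
	attrs := impersonationAttributes(h)
	if len(attrs) == 0 {
		return nil // no impersonation requested, nothing to review
	} else if h.Get("Impersonate-User") == "" {
		return fmt.Errorf("Impersonate-Group without Impersonate-User")
	}
	for _, a := range attrs {
		ok, err := c.Allowed(authenticatedUser, a)
		if err != nil {
			return fmt.Errorf("SubjectAccessReview failed: %w", err)
		}
		if !ok {
			return fmt.Errorf("%s may not impersonate %s %q", authenticatedUser, a.Resource, a.Name)
		}
	}
	h.Set("Impersonate-Extra-Original-User", authenticatedUser) // overrides any client-set value
	return nil
}
```

The proxy's own identity must itself be permitted by RBAC to impersonate users, groups and that extra, since it is the proxy that sets the headers on the forwarded request.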

Closing since it's not planned.

simongottschlag avatar May 19 '23 09:05 simongottschlag