cluster-api-provider-azure icon indicating copy to clipboard operation
cluster-api-provider-azure copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

Add principal type to role assignment create parameters

Open whites11 opened this issue 1 year ago • 5 comments

What type of PR is this?

/kind feature

What this PR does / why we need it:

Context: when using identity: SystemAssigned in an AzureMachineTemplate with role definition ID myrole.

Accordingly to the CAPZ documentation: https://capz.sigs.k8s.io/topics/vm-identity#system-assigned-managed-identity the service principal used to run CAPZ controller manager requires User Access Administrator on the Subscription of Workload cluster.

Based on customer feedback, we agree that this is a very wide permissions set assigned to the service principal at hand. The only restriction that can be achieved right now is to limit this access to Role Based Access Control Administrator with a condition on a role to be assigned, for example:

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR 
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
 )
)

This however creates a security flaw, where, if the CAPZ service principal is leaked, the myrole role can be assigned to any resource type, including users.

Desired behaviour: I would like to restrict the role assignment using a constraint like this one:

(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
 )
 OR 
 (
  @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>  AND
  @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)
AND
(
 (
  !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
 )
 OR 
 (
  @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals <myrole guid>
  AND
  @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'ServicePrincipal'}
 )
)

This would prevent assigning the myrole role to a User or Group while still allowing assignment to Service Principals.

Problem: doing so without the changes introduced in this PR leads to a permission error:

E0305 14:05:39.993346      14 controller.go:329] "Reconciler error" err=<
	failed to reconcile AzureMachine: failed to reconcile AzureMachine service roleassignments: cannot assign role to VirtualMachine system assigned identity: failed to create or update resource systemassignedidentity-4639/244a1de6-b46f-4fe4-b9cf-58f9b57643fe (service: roleassignments): PUT https://management.azure.com/subscriptions/6b1f6e4a-6d0e-4aa4-9a5a-fbaca65a23b3/resourceGroups/systemassignedidentity-4639/providers/Microsoft.Authorization/roleAssignments/244a1de6-b46f-4fe4-b9cf-58f9b57643fe
	--------------------------------------------------------------------------------
	RESPONSE 403: 403 Forbidden
	ERROR CODE: AuthorizationFailed
	--------------------------------------------------------------------------------
	{
	  "error": {
	    "code": "AuthorizationFailed",
	    "message": "The client 'cab64998-4bbb-447d-a0f5-0f6590b46db7' with object id 'cab64998-4bbb-447d-a0f5-0f6590b46db7' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/6b1f6e4a-6d0e-4aa4-9a5a-fbaca65a23b3/resourceGroups/systemassignedidentity-4639/providers/Microsoft.Authorization/roleAssignments/244a1de6-b46f-4fe4-b9cf-58f9b57643fe' or the scope is invalid. If access was recently granted, please refresh your credentials."
	  }
	}
	--------------------------------------------------------------------------------

This is because in the RoleAssignmentCreate API call, the principalType field is not assigned.

This PR addresses that problem by setting the PrincipalType to ServicePrincipal in the role assignment creation API call.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

None that I'm aware of.

Special notes for your reviewer:

  • [x] cherry-pick candidate

TODOs:

  • [x] squashed commits
  • [ ] includes documentation
  • [ ] adds unit tests

Release note:

Set `PrincipalType` in RoleAssignment creation API call when using `SystemAssigned` identity.

whites11 avatar Mar 05 '24 14:03 whites11

Hi @whites11. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 05 '24 14:03 k8s-ci-robot

/ok-to-test

willie-yao avatar Mar 05 '24 23:03 willie-yao

LGTM label has been added.

Git tree hash: a5dc9adac08d18af234188d9019f38806d8058ed

k8s-ci-robot avatar Mar 15 '24 16:03 k8s-ci-robot

LGTM label has been added.

Git tree hash: a5dc9adac08d18af234188d9019f38806d8058ed

k8s-ci-robot avatar Mar 20 '24 14:03 k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mboersma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Mar 20 '24 21:03 k8s-ci-robot

/cherrypick release-1.14

mboersma avatar Mar 20 '24 21:03 mboersma

@mboersma: once the present PR merges, I will cherry-pick it on top of release-1.14 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-infra-cherrypick-robot avatar Mar 20 '24 21:03 k8s-infra-cherrypick-robot

/cherrypick release-1.13

mboersma avatar Mar 20 '24 21:03 mboersma

@mboersma: once the present PR merges, I will cherry-pick it on top of release-1.13 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-infra-cherrypick-robot avatar Mar 20 '24 21:03 k8s-infra-cherrypick-robot

@mboersma: new pull request created: #4663

In response to this:

/cherrypick release-1.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-infra-cherrypick-robot avatar Mar 20 '24 22:03 k8s-infra-cherrypick-robot

@mboersma: new pull request created: #4664

In response to this:

/cherrypick release-1.13

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-infra-cherrypick-robot avatar Mar 20 '24 22:03 k8s-infra-cherrypick-robot