microshift
[BUG] clusterrolebinding is not working when allowing system:unauthenticated
What happened:
The goal is to allow unauthorized access to JWKS URI from openid-configuration by creating a clusterrolebinding
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
Ref:
- https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
- https://techblog.cisco.com/blog/kubernetes-oidc/
- https://www.vaultproject.io/docs/auth/jwt/oidc_providers
What you expected to happen:
curl -k $(kubectl get --raw /.well-known/openid-configuration | jq -r .jwks_uri)
will return JWKS from openshift.
expected result:
{
"keys": [
{
"use": "sig",
"kty": "RSA",
"kid": "...",
"alg": "RS256",
"n": "...",
"e": "AQAB"
}
]
}
How to reproduce it (as minimally and precisely as possible):
- create a clusterrolebinding to allow unauthenticated access
kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
- Query JWKS URL
curl -k $(kubectl get --raw /.well-known/openid-configuration | jq -r .jwks_uri)
- Results in an unauthorized response:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
Anything else we need to know?:
Checked using oc describe clusterrole.rbac system:service-account-issuer-discovery, and system:service-account-issuer-discovery exists.
Result:
Name:         system:service-account-issuer-discovery
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs                    Resource Names  Verbs
  ---------  -----------------                    --------------  -----
             [/.well-known/openid-configuration]  []              [get]
             [/openid/v1/jwks]                    []              [get]
Environment:
- Microshift version (use microshift version):
  MicroShift Version: 4.8.0-0.microshift-2022-01-06-210147
  Base OKD Version: 4.8.0-0.okd-2021-10-10-030117
- Hardware configuration: 2 vCPU, 2G memory
- OS (e.g. cat /etc/os-release): Fedora 34 (Cloud Edition)
- Kernel (e.g. uname -a): Linux 5.11.12-300.fc34.x86_64
- Others:
Relevant Logs
from audit log:
{
"kind": "Event",
"apiVersion": "audit.k8s.io/v1",
"level": "Metadata",
"auditID": "9ca642ff-b28a-41ea-bc2e-3810cec074fd",
"stage": "ResponseStarted",
"requestURI": "/openid/v1/jwks",
"verb": "get",
"user": {},
"sourceIPs": [
"172.31.11.234"
],
"userAgent": "curl/7.76.0",
"responseStatus": {
"metadata": {},
"status": "Failure",
"reason": "Unauthorized",
"code": 401
},
"requestReceivedTimestamp": "2022-01-27T01:47:32.835918Z",
"stageTimestamp": "2022-01-27T01:47:32.836388Z"
}
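The reproduction steps and the audit event above, as an added model of the two apiserver decisions involved (this is illustrative code, not MicroShift's or Kubernetes' implementation). In Kubernetes a request carrying no credentials is attributed to user system:anonymous in group system:unauthenticated only when the apiserver's anonymous authentication is enabled; otherwise the authentication layer answers 401 before RBAC is consulted, and no ClusterRoleBinding can change that. An RBAC denial is a 403 with the user filled in. The audit event in the report shows "user": {} and code 401, which is the authentication-layer shape. The ClusterRole and binding below mirror the objects in the issue; the anonymous_auth switch, the request dicts and the treatment of any bearer token as valid are assumptions of the model.

```python
"""Toy model of how kube-apiserver decides an anonymous GET on /openid/v1/jwks.

Added example, not MicroShift or Kubernetes code. The ClusterRole and the
ClusterRoleBinding mirror the objects in the issue; the request pipeline
(authenticate, then RBAC) follows documented Kubernetes behaviour but is
reduced to the two decisions that matter here.
"""
from typing import List, Optional

# ClusterRole as shown by `oc describe clusterrole system:service-account-issuer-discovery`
ROLES = {
    "system:service-account-issuer-discovery": [
        {"nonResourceURLs": ["/.well-known/openid-configuration", "/openid/v1/jwks"],
         "verbs": ["get"]},
    ],
}

# ClusterRoleBinding created by the reporter's kubectl command
OIDC_REVIEWER_BINDING = {
    "roleRef": "system:service-account-issuer-discovery",
    "subjects": [{"kind": "Group", "name": "system:unauthenticated"}],
}


def authenticate(request: dict, anonymous_auth: bool) -> Optional[dict]:
    """Authentication layer. Returns user info, or None for a 401.

    A credential-less request is mapped to system:anonymous in group
    system:unauthenticated only when anonymous auth is enabled on the
    apiserver; otherwise it is rejected before RBAC is ever consulted.
    """
    token = request.get("bearer_token")
    if token is not None:
        # Real token validation is out of scope; any value stands in for a valid token (assumption).
        return {"name": token, "groups": ["system:authenticated"]}
    if anonymous_auth:
        return {"name": "system:anonymous", "groups": ["system:unauthenticated"]}
    return None


def url_matches(pattern: str, path: str) -> bool:
    """RBAC nonResourceURLs matching: exact path, or a trailing '*' wildcard."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def rbac_allows(user: dict, verb: str, path: str, bindings: List[dict]) -> bool:
    """RBAC authorizer for non-resource URLs: allow if any binding names the user
    (directly or via one of its groups) and its role has a rule covering verb+path."""
    for binding in bindings:
        subject_hit = any(
            (s["kind"] == "Group" and s["name"] in user["groups"])
            or (s["kind"] == "User" and s["name"] == user["name"])
            for s in binding["subjects"]
        )
        if not subject_hit:
            continue
        for rule in ROLES.get(binding["roleRef"], []):
            if verb in rule["verbs"] and any(
                url_matches(p, path) for p in rule.get("nonResourceURLs", [])
            ):
                return True
    return False


def handle(request: dict, anonymous_auth: bool, bindings: List[dict]) -> int:
    """HTTP status the apiserver would return for a non-resource GET."""
    user = authenticate(request, anonymous_auth)
    if user is None:
        return 401  # shape of the issue's audit event: "user": {} and code 401
    if not rbac_allows(user, "get", request["path"], bindings):
        return 403  # RBAC denial: the user is identified (system:anonymous) but not bound
    return 200


if __name__ == "__main__":
    jwks_req = {"path": "/openid/v1/jwks"}
    print(handle(jwks_req, False, [OIDC_REVIEWER_BINDING]))  # 401: binding never consulted
    print(handle(jwks_req, True, []))                        # 403: anonymous but unbound
    print(handle(jwks_req, True, [OIDC_REVIEWER_BINDING]))   # 200: the intended outcome
```

The practical check this encodes: a 401 on an endpoint you have just bound to system:unauthenticated means the request is failing authentication, so the fix is on the apiserver's anonymous-auth side, not in RBAC; a 403 would mean the binding itself is wrong.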
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
This has been fixed in main branch:
[root@maxwell ~]# oc create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated
clusterrolebinding.rbac.authorization.k8s.io/oidc-reviewer created
[root@maxwell ~]# curl -k $(oc get --raw /.well-known/openid-configuration | jq -r .jwks_uri)
{"keys":[{"use":"sig","kty":"RSA","kid":"g8rWjY-60zgmZlWYENTBZw3XgGV5v-60McTSKOobF5w","alg":"RS256","n":"xOMScqAXXRdvNsF5tqgXnsEZKMLad8IRJ5sOlVH96tUKr3i-UO7KQ714--cPb9ysGUWmDWlA8rwnlBbjp16mnirMQbvJSsrv_c2HZEsMXoBoK8HLg9P5P30ZrjHf9M27h150h9dM42tPxc993m92ToVA8LmP9pZfmKy5_okg7ct6Yat4aRWH_Jeqft9xVTC6sUh-49evEFvMYqZaRLTGxgGBuPBR9_LWoSRpdEr5xYY2guFyl5op3YNvIsgy_ifjORSnLcCWj2MFrx0Tbvv3L5Z0P7K3AxdKzoAu1SGRek6L6S2s233tZmcNDnmk4mdFtJpNPpVV9ulnFfh2kC7GNQ","e":"AQAB"}]}
[root@maxwell ~]#
Closing this bug.
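What a relying party such as the Vault JWT auth method linked in the report does with that JWKS once the endpoint is reachable, as an added example that is not part of the issue, MicroShift or Vault: pick the JWK by kid, decode its n and e into an RSA public key, and verify a service-account token's RS256 signature with the standard library only. Everything here is constructed: the key pair (a toy 512-bit key so generation is quick; real signing keys are 2048-bit or larger), the kid, the issuer URL, the claims and the token. The shape of the JWKS document matches the expected result in the report.

```python
"""Verify a Kubernetes service-account JWT against a JWKS document, stdlib only.

Added example; not code from the issue, MicroShift or Vault. All key material,
kid, issuer and claims are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import random
from typing import Optional, Tuple

ISSUER = "https://kubernetes.default.svc"  # constructed; a real RP reads "issuer" from openid-configuration
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, adequate for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(c):
            return c


def gen_rsa(bits: int = 512) -> Tuple[int, int, int]:
    """Returns (n, e, d). Toy size for speed; production SA keys are >= 2048-bit."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes (RFC 8017 section 9.2)."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    """Re-encode and compare the whole block; never parse the recovered padding."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), emsa_pkcs1_v15(signing_input, k))


def public_key_from_jwks(jwks: dict, kid: str) -> Optional[Tuple[int, int]]:
    """Select the RSA signing key with the given kid; anything else is rejected."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid and jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig":
            return (int.from_bytes(b64url_decode(jwk["n"]), "big"),
                    int.from_bytes(b64url_decode(jwk["e"]), "big"))
    return None


def verify_sa_token(token: str, jwks: dict, issuer: str, audience: str) -> Optional[dict]:
    """Returns the claims if alg, signature, iss and aud all check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "RS256":  # pin the algorithm: no "none", no HS256 keyed with the public n
        return None
    key = public_key_from_jwks(jwks, header.get("kid"))
    if key is None or not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), *key):
        return None
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        return None
    return claims


def build_demo() -> Tuple[str, dict]:
    """Constructed issuer side: generate a key, publish it as JWKS, mint one token."""
    n, e, d = gen_rsa()
    kid = "demo-key-1"
    jwks = {"keys": [{"use": "sig", "kty": "RSA", "kid": kid, "alg": "RS256",
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}  # 65537 encodes as "AQAB"
    claims = {"iss": ISSUER, "sub": "system:serviceaccount:default:vault", "aud": ["vault"]}
    h64 = b64url_encode(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h64}.{p64}.{b64url_encode(rs256_sign(f'{h64}.{p64}'.encode(), n, d))}", jwks


if __name__ == "__main__":
    demo_token, demo_jwks = build_demo()
    print(verify_sa_token(demo_token, demo_jwks, ISSUER, "vault"))
```

The verifier pins alg to RS256 before touching the key, selects the key strictly by kid/kty/use, and re-encodes the expected EMSA block rather than parsing the one recovered from the signature; those three choices are what separate a safe JWKS consumer from one that accepts alg=none or confused-key tokens.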