kubeless
Authentication and authorization for kubeless function
What you expect to happen: Is there any way in which we can restrict the event data to come to the function only through kubeless controller and not through any curl or any other controller?
Environment:
- Kubernetes version (use kubectl version): v1.13
- Kubeless version (use kubeless version): v1.0.3
- Cloud provider or physical cluster: physical cluster
Hi,
You can use different authentication methods, see: https://kubeless.io/docs/http-triggers/#enable-basic-authentication
If you don't need authentication but just want to check the emitter of the event, you can check the property event-namespace of the event parameter; this will include the ID of the caller.
My use case is the Kafka trigger, not the HTTP trigger. My intent is to prevent abuse of the function Pod: the function pod should execute only when the event or data arrives from the Kubeless kafka-trigger-controller, not through other means like using curl to send the event to the function pod. The event-namespace which comes with the data can be easily impersonated while curling the service of the function, and thus the function can be invoked by anyone.
Can there be any way in which we can add a token to the event data which will be there only with the kubeless-trigger-controller and can authenticate the controller before actually running the function?
URL Link: https://github.com/kubeless/kafka-trigger/blob/master/pkg/utils/event_sender.go#L49-L76
There is nothing reliable here on the basis of which I can authenticate the kafka-trigger-controller
That's correct, currently that's not supported at Kubeless level.
What I can suggest you is to use Network Policies so for your functions you only allow traffic coming from the controller. Note that for that you need to enable network policies in your cluster.
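As an added illustration of the Network Policy approach suggested above (this is not code from the Kubeless project or from anyone in this thread), the policy below restricts ingress to a function pod so that only the kafka-trigger-controller pod can reach it. The label values are assumptions: `function: calldisplay` on the function pod, `kubeless: kafka-trigger-controller` on the controller pod, both in the `kubeless` namespace, and port 80 as the port the function container listens on. Check the real labels and port with `kubectl get pods -n kubeless --show-labels` and `kubectl get ep -n kubeless <function>` before applying.

```yaml
# Added example, not part of Kubeless. All labels, the namespace and the
# port are assumptions; adjust them to what your cluster actually reports.
#
# Because the policy selects the function pod, it applies regardless of
# whether the caller uses the pod IP or the ClusterIP of the function's
# Service (kube-proxy has already translated the Service IP to the pod IP
# by the time the policy is evaluated). Once any policy selects the pod,
# all ingress not matched by an allow rule is dropped, so a plain curl
# from another pod in the cluster to the Service IP is rejected.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: calldisplay-allow-kafka-trigger-only
  namespace: kubeless            # assumed: namespace of the function pod
spec:
  # Pods this policy protects: the Kubeless function pod(s).
  podSelector:
    matchLabels:
      function: calldisplay      # assumed label on the function pod
  policyTypes:
  - Ingress
  ingress:
  - from:
    # Only pods carrying the controller's label may connect.
    # If the controller runs in a different namespace than the function,
    # add a namespaceSelector entry in the same list item.
    - podSelector:
        matchLabels:
          kubeless: kafka-trigger-controller   # assumed controller label
    ports:
    - protocol: TCP
      port: 80                   # assumed: port the function container listens on
```

Two caveats a practitioner should keep in mind. First, NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them (for example Calico, Cilium or Weave Net); with a plugin that does not, the object is accepted by the API server and silently has no effect, which matches the symptom of a default-deny policy that still lets curl through. Second, a request made from a node itself (host network) rather than from a pod is not covered by `podSelector` or `namespaceSelector` rules and is handled differently by each CNI, so test from a pod when verifying the policy.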
Thanks, I tried working on the network policies for kubeless functions. But unfortunately it is working on all the pods except the pods which have come up from the kubeless function CRD. Can you give me some clue if I am missing out on something? Even after applying the default-deny policy which restricts communication from any pod to every pod, I am able to curl the pod of the kubeless function CRD. If you have already done it, please share the reference with me...
The network policies work with labels so only the pods with certain labels should be able to access the function. AFAIK this only works if the service is not exported as a LoadBalancer or something like that.
How are you accessing the function with curl?
We are not using any Load Balancer, we are using a ClusterIP service only. To access the function, I am curling the service IP of the service made by the kubeless function CRD. This service IP resolves to the pod IP of the function pod:
# kubectl get svc -n kubeless calldisplay
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
calldisplay   ClusterIP   10.233.13.75   <none>        80/TCP    19h

# kubectl get ep -n kubeless calldisplay
NAME          ENDPOINTS           AGE
calldisplay   10.233.105.143:80   19h

# kubectl get pods -n kubeless calldisplay-c5bf5d5f6-l8xqp -o wide
NAME                          READY   STATUS    RESTARTS   AGE   IP               NODE      NOMINATED NODE   READINESS GATES
calldisplay-c5bf5d5f6-l8xqp   1/1     Running   0          19h   10.233.105.143   ukmas11   <none>           <none>

So the curl command is "curl 10.233.13.75:80" (i.e. the service IP of the function pod).
10.233.13.75 is an internal IP, where are you making the request from?