KEP-5284: Constrained Impersonation #5285
Conversation
qiujian16
commented
May 7, 2025
qiujian16
commented
- One-line PR description: Introduce authorization rules to restrict impersonating on specified resource with specified actions.
- Issue link: Constrained Impersonation #5284
- Other comments:
Signed-off-by: Jian Qiu <[email protected]>
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @qiujian16. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/assign enj |
| should be approved by the remaining approvers and/or the owning SIG (or | ||
| SIG Architecture for cross-cutting KEPs). | ||
| --> | ||
| # KEP-NNNN: Limit Impersonate Permission |
|
|
||
| ## Summary | ||
|
|
||
| This is to add additional access control over the existing impersonation action. An impersonator |
There was a problem hiding this comment.
Is this a change to RBAC? If so, the summary should mention RBAC.
There was a problem hiding this comment.
This does not change RBAC in any way.
| --> | ||
|
|
||
| ## Alternatives | ||
|
|
There was a problem hiding this comment.
A couple of alternative ideas come to mind:
• permission boundaries, AWS style
In that story, a principal is constrained and cannot perform some actions. Done right - which isn't trivial - the principal can create new principals, grant permission to those principals, and impersonate (act as) those principals, but only within a bounding set of allowed actions.
CEL. The constraint on impersonation could be done through an access-granting mechanism that evaluates an expression before permitting it. Clients would explicitly declare which access rule they intend to rely on.
For example, the SubjectAccessReview might look like:
{
"apiVersion": "authorization.k8s.io/v1beta1",
"kind": "SubjectAccessReview",
"spec": {
"resourceAttributes": {
"namespace": "default",
"verb": "get",
"group": "example.org",
"resource": "something"
},
"accessRule": {
"kind": "ClusterAccessRule",
"group version": "example.org/v1",
"name": "elevation-of-privilege"
},
"user": "lmktfy",
"group": []
]
}
}In this story, the ClusterRoleBinding allows impersonate only with a particular Access Rule name (similar, or identical to, the existing resourceNames mechanism).
However an access rule might day you can impersonate that principal but only to perform deletes.
There was a problem hiding this comment.
We file alternatives we think of, so long as they are reasonable, even when we plan to pick the original proposal.
There was a problem hiding this comment.
I do not see us expanding SAR / authz for this KEP. The approach described in the KEP is far simpler.
There was a problem hiding this comment.
added this as an alternative.
| # The following PRR answers are required at alpha release | ||
| # List the feature gate name and the components for which it must be enabled | ||
| feature-gates: | ||
| - name: ImpersonateAccessControl |
There was a problem hiding this comment.
This feature gate name feels too vague. Some ideas:
ScopedImpersonationConstrainedImpersonationLimitedImpersonationConditionalImpersonation
There was a problem hiding this comment.
I prefer ConstrainedImpersonation :)
There was a problem hiding this comment.
Please update all examples to include binding(s) in addition to the role.
| - `impersonate:scheduled-node` that limits the impersonator to impersonate the node the | ||
| impersonator is running on. The resource must be `nodes`. | ||
|
|
||
| For the imperonsonator, two permissions will be required: |
There was a problem hiding this comment.
Include the exact YAML of the subject access review that will be sent to the authorizer chain.
| This proposal is to introduce additional permissions for impersonation, so that any | ||
| impersonator can impersonate in a more restricted way. |
There was a problem hiding this comment.
I assume this would be an opt-in feature such that existing impersonation flows keep working as-is. If so, highlight that in the Goals section.
| Some concerns on using this approch: | ||
| - impersonating on any APIGroup is hard to describe. | ||
| - core APIGroup has to be specially treated. | ||
| - the APIGroup might be too long for a CRD, e.g. cluster.x-k8s.io.imperonsation.k8s.io |
There was a problem hiding this comment.
While I am fine with the verb based approach described in this KEP, I don't really find any of these concerns to be compelling. At the end of the day we are just talking about different string based options here.
I would say the most compelling reason is that the existing impersonation flows are verb based, so making the new flow verb based as well feels more consistent.
There was a problem hiding this comment.
makes sense, updated
| - `impersonate:user` limits the impersonator to impersonate users with | ||
| certain names/groups/userextras. The resources must be `users`/`groups`/`userextras`. | ||
| The resource names must be user names, group names or values in the user extras accoringly. | ||
| - `impersonate:scheduled-node` that limits the impersonator to impersonate the node the |
There was a problem hiding this comment.
Would be good to describe how the workload learns the node that it is scheduled on.
There was a problem hiding this comment.
added more details in Design Details section
| - `impersonate:user` limits the impersonator to impersonate users with | ||
| certain names/groups/userextras. The resources must be `users`/`groups`/`userextras`. | ||
| The resource names must be user names, group names or values in the user extras accoringly. | ||
| - `impersonate:scheduled-node` that limits the impersonator to impersonate the node the |
There was a problem hiding this comment.
Include the exact set of impersonation headers the workload must set for the node case.
There was a problem hiding this comment.
added more details in Design Details section
|
|
||
| ## Summary | ||
|
|
||
| This is to add additional access control over the existing impersonation action. An impersonator |
There was a problem hiding this comment.
This does not change RBAC in any way.
| --> | ||
|
|
||
| ## Alternatives | ||
|
|
There was a problem hiding this comment.
I do not see us expanding SAR / authz for this KEP. The approach described in the KEP is far simpler.
github-project-automation
bot
moved this from In Review
to Changes Requested
in SIG Auth
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: qiujian16 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
|
||
| ## Proposal | ||
|
|
||
| Introduce a set of verbs with prefix of `impersonate-on:`, e.g. `impersonate-on:create` and |
There was a problem hiding this comment.
Overall, I am wary of making verbs that you have to parse.
For example, the impersonate:user verb sets the scene for other verbs, such as list:metadata-only or proxy:port:443.
We should we sure what direction of travel we want if we are to establish this kind of precedent, and clearly indicate why the alternatives are overall less viable.
Signed-off-by: Jian Qiu <[email protected]>
qiujian16
changed the title
| - `impersonate:scheduled-node` that limits the impersonator to impersonate the node the | ||
| impersonator is running on. The resources must be `nodes`. | ||
|
|
||
| For the imperonsonator, two permissions will be required: |
There was a problem hiding this comment.
| For the imperonsonator, two permissions will be required: | |
| For clusters that use RBAC authz mode, two permissions will be required for impersonation. For example: |
| - a search in the Kubernetes bug triage tool (https://storage.googleapis.com/k8s-triage/index.html) | ||
| --> | ||
|
|
||
| - SAR check on impersonate user with permission: |
There was a problem hiding this comment.
| - SAR check on impersonate user with permission: | |
| - SubjectAccessReview check on impersonating user. For RBAC authz mode, this might look like: | |
| name: impersonate-user | ||
| rules: | ||
| - apiGroups: | ||
| - auhtentications.k8s.io |
| - The impersonator cannot impersonate on updating nodes | ||
|
|
||
| - SAR check on impersonate scheduled node with permissions. The impersonator has the | ||
| user extra info of `"authentication.kubernetes.io/node-name": "node1"` |
There was a problem hiding this comment.
Can any client provide this? What protects against abuse?
The important examples here are actually:
• a compromised node
• an attacker aiming to elevate privileges by impersonating a node
There was a problem hiding this comment.
If an attacker intends to elevate privileges by impersonating a node, it needs to have an user extra "authentication.kubernetes.io/node-name": "someNode" in the userInfo, and it needs to have both permissions with verbs "impersonated:scheduled-nodes" and "impersonated:someVerb".
| --> | ||
|
|
||
| On upgrade to a version that enables the feature | ||
| * the previous inpersonator with impersonate permission will still work, but it is highly |
| It is almost the same as the verb based approach in the proposal. However, since existing impersonation flows are | ||
| verb based, so making the new flow verb based as well feels more consistent. | ||
|
|
||
| ### Check permission intersaction of impersonator and target user |
| in the proposed apporch, the impersonator's permission is clearer that it can only perform | ||
| the action when impersonating. | ||
|
|
||
| ### Expand RBAC/SAR |
There was a problem hiding this comment.
If the cluster does not use RBAC, is this alternative still feasible?
| "name": "elevation-of-privilege" | ||
| }, | ||
| "user": "lmktfy", | ||
| "group": [] |
There was a problem hiding this comment.
Try not to use real usernames in examples (people sometimes copy them verbatim!)
|
|
||
| # The following PRR answers are required at beta release | ||
| metrics: | ||
| - my_feature_metric |
| of impersonated user and the requester. | ||
|
|
||
| ## Proposal | ||
|
|
There was a problem hiding this comment.
If a cluster had its own authn and splits principals into ServiceAccounts, ProjectRoles (not K8s RBAC) and ProjectUsers: does this mechanism prevent things working for that design?
We should not (almost must not) assume that clusters rely on K8s RBAC.
There was a problem hiding this comment.
I do not think it prevent things working. This still work if it is not k8s RBAC, the external authorizer will receive subject access review call with the specified verb.
Signed-off-by: Jian Qiu <[email protected]>
| - `impersonate:user-info` limits the impersonator to impersonate users with | ||
| certain names/groups/userextras. The resources must be `users`/`groups`/`userextras`/`uids`. | ||
| The resource names must be user names, group names or values in the user extras accoringly. | ||
| - `impersonate:serviceaccount` that limits the impersonator to impersonate the serviceaccount with | ||
| the certain name/namespace. The resources must be `serviceaccounts`. |
There was a problem hiding this comment.
Does impersonate:serviceaccount for some resourceName imply access to the the system:serviceaccounts: groups associated with those serviceaccounts as well?
Does this verb behave differently than the current impersonate verb when serviceaccounts is supplied as the resource?
There was a problem hiding this comment.
It is the same as impersonate verb with serviceaccount as the resource, but it will require additional impersonate-on:{action} verb. The reason that not to reuse the original impersonate verb is to make it unchanged for backward compatible.
