feat: secure workspace services

[sparkoo]

What does this PR do?

Secures workspace services with devworkspace engine on OpenShift.

There is a slight change in exposing logic. The ingresses/routes are not merged into one when exposing same port.

Beside that, it also always deploys with gateway on kubernetes when devworkspaces are enabled.

How it works?

Nowdays, workspace service is open to the cluster. It exposes all workspace ports and communication goes directly to target container, so anyone in the cluster can access it.

This patch adds traefik container into workspace pod and narrows the service to only single port (targeting to the traefik) for all endpoints that exposes on subpath. That means that all communication that is coming to the workspace service, must go through the traefik. The traefik is configured so it checks the requests with kube-rbac-proxy (in main che-gateway) using forwardAuth middleware (https://doc.traefik.io/traefik/middlewares/http/forwardauth/). Kube-rbac-proxy is checking whether token in authorization header can access the service in workspace's namespace. If this check is OK, traefik route the request to correct port inside the workspace pod.

Screenshot/screencast of this PR

What issues does this PR fix or reference?

eclipse-che/che#20190

How to test this PR?

1. deploy with che-operator image quay.io/mvala/che-operator:gh20190-secureWsServicesTraefik
2. start a workspace with user1 and get the service name
3. start a workspace with user2 and try curl to the service of user1's workspace. It is now not possible without user1's token in authorization header

PR Checklist

As the author of this Pull Request I made sure that:

• The Eclipse Contributor Agreement is valid
• Code produced is complete
• Code builds without errors
• Tests are covering the bugfix
• Custom resource definition file is up to date
• OLM bundles are up to date
• The repository devfile is up to date and works
• Sections What issues does this PR fix or reference and How to test this PR completed
• Relevant user documentation updated
• Relevant contributing documentation updated
• CI/CD changes implemented, documented and communicated

Reviewers

Reviewers, please comment how you tested the PR when approving it.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[sparkoo]

/retest

[metlos]

I've not tested it in a running cluster yet, but here's a couple of small comments...

[tolusha]

Why do we need this changes?
So, it means that gateway will be default for k8s when devworkspace is enabled.

[metlos]

Exactly. There was the agreement on the last cabal that we're doing that, if I remember correctly.

[tolusha]

Then DefaultOpenShiftSingleHostExposureType const has no sense anymore.
Let's remove it and just return gateway

[sparkoo]

there will be only gateway with devworkspaces. native does not really work with native auth. Everything we want to protect with oauth-proxy and kube-rbac-proxy has to go through the gateway.

[skabashnyuk]

@sparkoo can you describe in the description how in general protection has been made.

[sparkoo]

@sparkoo can you describe in the description how in general protection has been made.

added "How it works" paragraph

[sparkoo]

/retest

[metlos]

Btw I've read the description again and am I correct in saying that the request is checked using kube-rbac-proxy also in the workspace pod (essentially again?). This is important so that we guard against in-cluster access by other users. I thought I saw it in the code but I understood your description otherwise. Could you please clarify?

[sparkoo]

Btw I've read the description again and am I correct in saying that the request is checked using kube-rbac-proxy also in the workspace pod (essentially again?). This is important so that we guard against in-cluster access by other users. I thought I saw it in the code but I understood your description otherwise. Could you please clarify?

Yes, it's now checked twice. First in main che-gateway https://github.com/eclipse-che/che-operator/pull/1045/files#diff-ebca2eefe12f7ba4a722c53d574ba1b2adee412909da8cdbc974c8f7fcbfb02fR468 then second time in workspace gateway https://github.com/eclipse-che/che-operator/pull/1045/files#diff-ebca2eefe12f7ba4a722c53d574ba1b2adee412909da8cdbc974c8f7fcbfb02fR554

[sleshchenko]

Nothing really meaningful I can bring after reviewing changes.
Works fine for user1/user2 scenario

but seems cluster admin is able to open any workspace, I assume it's expected but it should be made clear in the documentation, because it's a change from the previous auth model

[sleshchenko]

that's such a huge file... Not really related to the PR but it deserves refactoring.

[sleshchenko]

maybe it makes sense to move this method and its dependency to a separate file. But makes sense to move it out of the PR, since it would not make this PR reviewing easier

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: metlos, sleshchenko, sparkoo, tolusha

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment