Merge pull request #5332 from sleshchenko/apiTerminal

Bug 1839621: Add an ability to proxy requests to Che Workspace

cmd/bridge/main.go

@@ -305,7 +305,7 @@ func main() {
 
  k8sAuthServiceAccountBearerToken = string(bearerToken)
 
- // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s serivce running in the openshift-monitoring namespace.
+ // If running in an OpenShift cluster, set up a proxy to the prometheus-k8s service running in the openshift-monitoring namespace.
  if *fServiceCAFile != "" {
  serviceCertPEM, err := ioutil.ReadFile(*fServiceCAFile)
  if err != nil {
@@ -344,6 +344,7 @@ func main() {
  HeaderBlacklist: []string{"Cookie", "X-CSRFToken"},
  Endpoint: &url.URL{Scheme: "https", Host: openshiftMeteringHost, Path: "/api"},
  }
+ srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
  }
 
  case "off-cluster":
@@ -401,6 +402,8 @@ func main() {
  }
  }
 
+ srv.TerminalProxyTLSConfig = serviceProxyTLSConfig
+
  default:
  bridge.FlagFatalf("k8s-mode", "must be one of: in-cluster, off-cluster")
  }

go.mod

@@ -8,12 +8,14 @@ require (
  github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea
  github.com/gorilla/websocket v1.4.0
  github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
- github.com/stretchr/testify v1.4.0
  golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
  google.golang.org/grpc v1.24.0
  gopkg.in/square/go-jose.v2 v2.4.1 // indirect
  gopkg.in/yaml.v2 v2.2.4
  helm.sh/helm/v3 v3.0.1
+ k8s.io/api v0.0.0-20191016110408-35e52d86657a
+ k8s.io/apiextensions-apiserver v0.0.0-20191016113550-5357c4baaf65
+ k8s.io/apimachinery v0.0.0-20191004115801-a2eda9f80ab8
  k8s.io/cli-runtime v0.0.0-20191016114015-74ad18325ed5
  k8s.io/client-go v0.0.0-20191016111102-bec269661e48
  k8s.io/klog v1.0.0

pkg/server/server.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+ "crypto/tls"
  "fmt"
  "html/template"
  "io"
@@ -17,6 +18,7 @@ import (
  helmhandlerspkg "github.com/openshift/console/pkg/helm/handlers"
  "github.com/openshift/console/pkg/proxy"
  "github.com/openshift/console/pkg/serverutils"
+ "github.com/openshift/console/pkg/terminal"
  "github.com/openshift/console/pkg/version"
 )
 
@@ -97,6 +99,7 @@ type Server struct {
  ThanosTenancyProxyConfig *proxy.Config
  AlertManagerProxyConfig *proxy.Config
  MeteringProxyConfig *proxy.Config
+ TerminalProxyTLSConfig *tls.Config
  // A lister for resource listing of a particular kind
  MonitoringDashboardConfigMapLister ResourceLister
  KnativeEventSourceCRDLister ResourceLister
@@ -220,6 +223,14 @@ func (s *Server) HTTPHandler() http.Handler {
  })),
  )
 
+ terminalProxy := terminal.NewProxy(
+ s.TerminalProxyTLSConfig,
+ s.K8sProxyConfig.TLSClientConfig,
+ s.K8sProxyConfig.Endpoint)
+
+ handle(terminal.ProxyEndpoint, authHandlerWithUser(terminalProxy.HandleProxy))
+ handleFunc(terminal.AvailableEndpoint, terminalProxy.HandleProxyEnabled)
+
  if s.prometheusProxyEnabled() {
  // Only proxy requests to the Prometheus API, not the UI.
  var (

pkg/terminal/auth.go

@@ -0,0 +1,30 @@
+package terminal
+
+import (
+ authv1 "k8s.io/api/authorization/v1"
+)
+
+// checkUserPermissions checks if the terminal proxy is supported for a given user.
+// Returns true if we're willing to proxy the user's token, false otherwise. We don't
+// want to proxy highly privileged tokens to avoid privilege escalation issues.
+func (p *Proxy) checkUserPermissions(token string) (bool, error) {
+ client, err := p.createTypedClient(token)
+ if err != nil {
+ return false, err
+ }
+
+ sar := &authv1.SelfSubjectAccessReview{
+ Spec: authv1.SelfSubjectAccessReviewSpec{
+ ResourceAttributes: &authv1.ResourceAttributes{
+ Namespace: "openshift-operators",
+ Verb: "create",
+ Resource: "pods",
+ },
+ },
+ }
+ res, err := client.AuthorizationV1().SelfSubjectAccessReviews().Create(sar)
+ if err != nil || res == nil {
+ return false, err
+ }
+ return !res.Status.Allowed, nil
+}

pkg/terminal/client.go

@@ -0,0 +1,50 @@
+package terminal
+
+import (
+ "k8s.io/client-go/dynamic"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+)
+
+// createDynamicClient create dynamic client with the configured token to be used
+func (p *Proxy) createDynamicClient(token string) (dynamic.Interface, error) {
+ config, err := p.getConfig(token)
+ if err != nil {
+ return nil, err
+ }
+
+ client, err := dynamic.NewForConfig(dynamic.ConfigFor(config))
+ if err != nil {
+ return nil, err
+ }
+ return client, nil
+}
+
+func (p *Proxy) createTypedClient(token string) (*kubernetes.Clientset, error) {
+ config, err := p.getConfig(token)
+ if err != nil {
+ return nil, err
+ }
+
+ return kubernetes.NewForConfig(config)
+}
+
+func (p *Proxy) getConfig(token string) (*rest.Config, error) {
+ var tlsClientConfig rest.TLSClientConfig
+ if p.TLSClientConfig.InsecureSkipVerify {
+ // off-cluster mode
+ tlsClientConfig.Insecure = true
+ } else {
+ inCluster, err := rest.InClusterConfig()
+ if err != nil {
+ return nil, err
+ }
+ tlsClientConfig = inCluster.TLSClientConfig
+ }
+
+ return &rest.Config{
+ Host: p.ClusterEndpoint.Host,
+ TLSClientConfig: tlsClientConfig,
+ BearerToken: token,
+ }, nil
+}

pkg/terminal/operator.go

@@ -0,0 +1,42 @@
+package terminal
+
+import (
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+ "k8s.io/client-go/rest"
+)
+
+const (
+ webhookName = "workspace.che.eclipse.org"
+)
+
+// workspaceOperatorIsRunning checks if the workspace operator is running and webhooks are enabled,
+// which is a prerequisite for sending a user's token to a workspace.
+func workspaceOperatorIsRunning() (bool, error) {
+ config, err := rest.InClusterConfig()
+ if err != nil {
+ return false, err
+ }
+ client, err := kubernetes.NewForConfig(config)
+ if err != nil {
+ return false, err
+ }
+
+ _, err = client.AdmissionregistrationV1().MutatingWebhookConfigurations().Get(webhookName, metav1.GetOptions{})
+ if err != nil {
+ if errors.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+
+ _, err = client.AdmissionregistrationV1().ValidatingWebhookConfigurations().Get(webhookName, metav1.GetOptions{})
+ if err != nil {
+ if errors.IsNotFound(err) {
+ return false, nil
+ }
+ return false, err
+ }
+ return true, nil
+}