Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enhancement: proxy request with bearer token in header without client certificate #437

Merged
merged 1 commit into from
Aug 31, 2021
Merged

enhancement: proxy request with bearer token in header without client certificate #437

merged 1 commit into from
Aug 31, 2021

Conversation

rambohe-ch
Copy link
Member

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:
/kind bug
/kind documentation
/kind enhancement
/kind good-first-issue
/kind feature
/kind question
/kind design
/sig ai
/sig iot
/sig network
/sig storage
/sig storage

/kind enhancement

What this PR does / why we need it:

  • background:
    when pods on edge nodes access kube-apiserver through yurthub, yurthub will use client certificate to proxy requests to kube-apiserver. so in order to get authorization by kube-apiserver, we need to add rbac setting of pods to client certificate of yurthub(system:nodes group).

  • enhancement:
    In order to prevent add additional rbac setting to system:nodes group, we use the original bearer token to proxy request to kube-apiserver instead of using client certificate to proxy requests, so kube-apiserver can get authorization for pods based on the bearer token of pods instead of client certificate of yurthub.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

other Note

@openyurt-bot
Copy link
Collaborator

@rambohe-ch: GitHub didn't allow me to assign the following users: your_reviewer.

Note that only openyurtio members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:
/kind bug
/kind documentation
/kind enhancement
/kind good-first-issue
/kind feature
/kind question
/kind design
/sig ai
/sig iot
/sig network
/sig storage
/sig storage

/kind enhancement

What this PR does / why we need it:

  • background:
    when pods on edge nodes access kube-apiserver through yurthub, yurthub will use client certificate to proxy requests to kube-apiserver. so in order to get authorization by kube-apiserver, we need to add rbac setting of pods to client certificate of yurthub(system:nodes group).

  • enhancement:
    In order to prevent add additional rbac setting to system:nodes group, we use the original bearer token to proxy request to kube-apiserver instead of using client certificate to proxy requests, so kube-apiserver can get authorization for pods based on the bearer token of pods instead of client certificate of yurthub.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

other Note

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openyurt-bot openyurt-bot added the kind/enhancement kind/enhancement label Aug 29, 2021
@rambohe-ch
Copy link
Member Author

/assign @Fei-Guo

@openyurt-bot openyurt-bot added the size/M size/M: 30-99 label Aug 29, 2021
@openyurt-bot openyurt-bot added the approved approved label Aug 29, 2021
Fei-Guo
Fei-Guo reviewed Aug 30, 2021
View reviewed changes
pkg/yurthub/proxy/remote/remote.go
@@ -80,6 +89,15 @@ func (rp *RemoteProxy) Name() string {
}

func (rp *RemoteProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
rp.reverseProxy.Transport = rp.currentTransport
auth := strings.TrimSpace(req.Header.Get("Authorization"))
if auth != "" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a comment here to explain when the auth is nil and when it is not nil?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comments were added.

@Fei-Guo
Copy link
Member

Fei-Guo commented Aug 31, 2021

/lgtm
/approve

@openyurt-bot openyurt-bot added the lgtm lgtm label Aug 31, 2021
@openyurt-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Fei-Guo, rambohe-ch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openyurt-bot openyurt-bot merged commit 2267806 into openyurtio:master Aug 31, 2021
MrGirl pushed a commit to MrGirl/openyurt that referenced this pull request Mar 29, 2022
@rambohe-ch
enhancement: proxy request with bearer token in header without client…
001e052 
… certificate (openyurtio#437)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Fei-Guo Fei-Guo Fei-Guo left review comments

@kadisi kadisi Awaiting requested review from kadisi

@Peeknut Peeknut Awaiting requested review from Peeknut

Assignees

@Fei-Guo Fei-Guo

Labels
approved approved kind/enhancement kind/enhancement lgtm lgtm size/M size/M: 30-99
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rambohe-ch @openyurt-bot @Fei-Guo