fix: impresonation regression for service accounts (#405)

Signed-off-by: Radek Gruchalski <radek.gruchalski@klarrio.com>
projectcapsule · Mar 5, 2024 · 16deb06 · 16deb06
1 parent 0b04e1b
commit 16deb06
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/internal/request/http.go b/internal/request/http.go
@@ -12,6 +12,7 @@ import (
  authenticationv1 "k8s.io/api/authentication/v1"
  authorizationv1 "k8s.io/api/authorization/v1"
  "k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
  "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -106,9 +107,11 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
  // by appending the expected service account groups:
  // - system:serviceaccounts:<namespace>
  // - system:serviceaccounts
+ // - system:authenticated
  if namespace, _, err := serviceaccount.SplitUsername(username); err == nil {
- groups = append(groups, serviceaccount.AllServiceAccountsGroup)
  groups = append(groups, fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, namespace))
+ groups = append(groups, serviceaccount.AllServiceAccountsGroup)
+ groups = append(groups, user.AllAuthenticated)
  }
  }()
  }

diff --git a/internal/request/http_test.go b/internal/request/http_test.go
@@ -14,6 +14,8 @@ import (
 
  authenticationv1 "k8s.io/api/authentication/v1"
  authorizationv1 "k8s.io/api/authorization/v1"
+ "k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
  "sigs.k8s.io/controller-runtime/pkg/client"
 
  "github.com/projectcapsule/capsule-proxy/internal/request"
@@ -101,6 +103,38 @@ func Test_http_GetUserAndGroups(t *testing.T) {
  wantGroups: []string{"ImpersonatedGroup"},
  wantErr: false,
  },
+ {
+ name: "Certificate-ServiceAccount",
+ fields: fields{
+ Request: &http.Request{
+ Header: map[string][]string{
+ authenticationv1.ImpersonateUserHeader: {serviceaccount.ServiceAccountUsernamePrefix + testServiceAccountSuffix},
+ },
+ TLS: &tls.ConnectionState{
+ PeerCertificates: []*x509.Certificate{
+ {
+ Subject: pkix.Name{
+ CommonName: serviceaccount.ServiceAccountUsernamePrefix + testServiceAccountSuffix,
+ },
+ },
+ },
+ },
+ },
+ authTypes: []request.AuthType{
+ request.BearerToken,
+ request.TLSCertificate,
+ },
+ client: testClient(func(ctx context.Context, obj client.Object) error {
+ ac := obj.(*authorizationv1.SubjectAccessReview)
+ ac.Status.Allowed = true
+
+ return nil
+ }),
+ },
+ wantUsername: serviceaccount.ServiceAccountUsernamePrefix + testServiceAccountSuffix,
+ wantGroups: []string{fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, "ns"), serviceaccount.AllServiceAccountsGroup, user.AllAuthenticated},
+ wantErr: false,
+ },
  {
  name: "Bearer",
  fields: fields{
@@ -187,3 +221,5 @@ func Test_http_GetUserAndGroups(t *testing.T) {
  })
  }
 }
+
+const testServiceAccountSuffix = "ns:account"