serviceaccount impersonation fails #388
Comments
|
Could you share your capsuleConfiguration? |
|
Hi Oliver, me and Adrian are working on the same project. The configuration is: |
|
@maxgio92 do you have to investigate here? |
|
Hey @adabuleanu and @mtheeren-asml, thank you for reporting this. I'd like to highlight that https://GitHub.com/maxgio92/capsule-gitops-testing Is not an official repository, so I recommend to start from the official docs at capsule.clastix.io. Then, I'd like to ask you:
Finally, not to introduce too much noise, we've just released an addon for Flux: Https://GitHub.com/projectcapsule/capsule-addon-fluxcd. Take a look at it :) We're going soon to document it in the main official documentation. |
|
Hey @maxgio92 , We actually based ourselves on the official docs, but I guess @adabuleanu mentioned that repo as an example. Regarding your questions:
I will take a look at the addon. |
|
@mtheeren-asml as you can see from you logs, your serviceaccount only have the groups |
I was in vacation, so sorry for the latest response. In v0.4.7 the fix for #349 introduced the groups for serviceAccounts, but it did not add the but not in the v0.5.0 logs: What this intentional (related to CVE Authentication bypass using an empty token) or a miss when applying the fix for #349? |
|
Hey @oliverbaehler, @maxgio92. I work with Adrian and Mathieu on the same project. We wonder if commit d188f12 which fixes 1c829a4 is missing Is it possible that the commit d188f12 should also include: diff --git a/internal/request/http.go b/internal/request/http.go
index 29370b7..8a30af6 100644
--- a/internal/request/http.go
+++ b/internal/request/http.go
@@ -11,6 +11,7 @@ import (
authenticationv1 "k8s.io/api/authentication/v1"
authorizationv1 "k8s.io/api/authorization/v1"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
+ "k8s.io/apiserver/pkg/authentication/user"
"sigs.k8s.io/controller-runtime/pkg/client"
)
@@ -106,6 +107,7 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
if namespace, _, err := serviceaccount.SplitUsername(username); err == nil {
groups = append(groups, serviceaccount.AllServiceAccountsGroup)
groups = append(groups, fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, namespace))
+ groups = append(groups, user.AllAuthenticated)
}
}()
}? |
|
Hello @adabuleanu @rgruchalski-klarrio, good catch! No worries for the late reply, we're going to reopen the issue. Would you like @rgruchalski-klarrio to open a PR with that patch? We can discuss the possible fix there if it's ok for you. |
|
LGTM, that's definitely a regression. |
|
Will do shortly, thank you for acknowledging! |
|
Hey @maxgio92, @prometherion I've created a PR: #405. |
|
Hey @oliverbaehler would you mind re-opening this issue? |
Bug description
While working with flux and the multitenancy setup, flux is not able to impersonate the service account which is tenant owner. This happened after upgrade from capsule-proxy
v0.4.5tov0.5.0.How to reproduce
v0.5.0.gitops-reconcilerand a tenant namespaceMore details on https://github.com/maxgio92/capsule-gitops-testing/
Expected behavior
Service account should be impersonated and flux reconciliation should not fail.
Logs
Flux reconciliation logs:
Capsule-proxy error:
Additional context
This was initially posted in #349 and the fix was proposed for
v0.4.7release, but unfortunately I still get the issue in the latestv0.5.0release. The only workaround is to downgrade tov0.4.5. More details can be found in #349 as the issue is identical.The text was updated successfully, but these errors were encountered: