istio.io/istio@v0.0.0-20240520182934-d79c90f27776/security/pkg/server/ca/node_auth.go

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/security/pkg/server/ca/node_auth.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package ca
    16  
    17  import (
    18  	"context"
    19  	"fmt"
    20  
    21  	v1 "k8s.io/api/core/v1"
    22  	"k8s.io/apimachinery/pkg/types"
    23  
    24  	"istio.io/istio/pkg/kube"
    25  	"istio.io/istio/pkg/kube/kclient"
    26  	"istio.io/istio/pkg/kube/multicluster"
    27  	"istio.io/istio/pkg/security"
    28  	"istio.io/istio/pkg/spiffe"
    29  	"istio.io/istio/pkg/util/sets"
    30  	"istio.io/istio/security/pkg/server/ca/authenticate/kubeauth"
    31  )
    32  
    33  // MulticlusterNodeAuthorizor is is responsible for maintaining an index of ClusterNodeAuthenticators,
    34  // one per cluster (https://docs.google.com/document/d/10uf4EvUVif4xGeCYQydaKh9Yaz9wpysao7gyLewJY2Q).
    35  // Node authorizations from one cluster will be forwarded to the ClusterNodeAuthenticators for the same cluster.
    36  type MulticlusterNodeAuthorizor struct {
    37  	trustedNodeAccounts sets.Set[types.NamespacedName]
    38  	component           *multicluster.Component[*ClusterNodeAuthorizer]
    39  }
    40  
    41  func NewMulticlusterNodeAuthenticator(
    42  	trustedNodeAccounts sets.Set[types.NamespacedName],
    43  	controller multicluster.ComponentBuilder,
    44  ) *MulticlusterNodeAuthorizor {
    45  	m := &MulticlusterNodeAuthorizor{
    46  		trustedNodeAccounts: trustedNodeAccounts,
    47  		component: multicluster.BuildMultiClusterComponent(controller, func(cluster *multicluster.Cluster) *ClusterNodeAuthorizer {
    48  			return NewClusterNodeAuthorizer(cluster.Client, trustedNodeAccounts)
    49  		}),
    50  	}
    51  	return m
    52  }
    53  
    54  func (m *MulticlusterNodeAuthorizor) authenticateImpersonation(ctx context.Context, caller security.KubernetesInfo, requestedIdentityString string) error {
    55  	clusterID := kubeauth.ExtractClusterID(ctx)
    56  	na := m.component.ForCluster(clusterID)
    57  	if na == nil {
    58  		return fmt.Errorf("no node authorizer for cluster %v", clusterID)
    59  	}
    60  	return (*na).authenticateImpersonation(caller, requestedIdentityString)
    61  }
    62  
    63  // ClusterNodeAuthorizer is a component that implements a subset of Kubernetes Node Authorization
    64  // (https://kubernetes.io/docs/reference/access-authn-authz/node/) for Istio CA within one cluster.
    65  // Specifically, it validates that a node proxy which requests certificates for workloads on its
    66  // own node is requesting valid identities which run on that node (rather than arbitrary ones).
    67  
    68  type ClusterNodeAuthorizer struct {
    69  	trustedNodeAccounts sets.Set[types.NamespacedName]
    70  	pods                kclient.Client[*v1.Pod]
    71  	nodeIndex           *kclient.Index[SaNode, *v1.Pod]
    72  }
    73  
    74  func NewClusterNodeAuthorizer(client kube.Client, trustedNodeAccounts sets.Set[types.NamespacedName]) *ClusterNodeAuthorizer {
    75  	pods := kclient.NewFiltered[*v1.Pod](client, kclient.Filter{
    76  		ObjectFilter:    client.ObjectFilter(),
    77  		ObjectTransform: kube.StripPodUnusedFields,
    78  	})
    79  	// Add an Index on the pods, storing the service account and node. This allows us to later efficiently query.
    80  	index := kclient.CreateIndex[SaNode, *v1.Pod](pods, func(pod *v1.Pod) []SaNode {
    81  		if len(pod.Spec.NodeName) == 0 {
    82  			return nil
    83  		}
    84  		if len(pod.Spec.ServiceAccountName) == 0 {
    85  			return nil
    86  		}
    87  		return []SaNode{{
    88  			ServiceAccount: types.NamespacedName{
    89  				Namespace: pod.Namespace,
    90  				Name:      pod.Spec.ServiceAccountName,
    91  			},
    92  			Node: pod.Spec.NodeName,
    93  		}}
    94  	})
    95  	return &ClusterNodeAuthorizer{
    96  		pods:                pods,
    97  		nodeIndex:           index,
    98  		trustedNodeAccounts: trustedNodeAccounts,
    99  	}
   100  }
   101  
   102  func (na *ClusterNodeAuthorizer) Close() {
   103  	na.pods.ShutdownHandlers()
   104  }
   105  
   106  func (na *ClusterNodeAuthorizer) HasSynced() bool {
   107  	return na.pods.HasSynced()
   108  }
   109  
   110  func (na *ClusterNodeAuthorizer) authenticateImpersonation(caller security.KubernetesInfo, requestedIdentityString string) error {
   111  	callerSa := types.NamespacedName{
   112  		Namespace: caller.PodNamespace,
   113  		Name:      caller.PodServiceAccount,
   114  	}
   115  	// First, make sure the caller is allowed to impersonate, in general
   116  	if _, f := na.trustedNodeAccounts[callerSa]; !f {
   117  		return fmt.Errorf("caller (%v) is not allowed to impersonate", caller)
   118  	}
   119  	// Next, make sure the identity they want to impersonate is valid, in general
   120  	requestedIdentity, err := spiffe.ParseIdentity(requestedIdentityString)
   121  	if err != nil {
   122  		return fmt.Errorf("failed to validate impersonated identity %v", requestedIdentityString)
   123  	}
   124  
   125  	// Finally, we validate the requested identity is running on the same node the caller is on
   126  	callerPod := na.pods.Get(caller.PodName, caller.PodNamespace)
   127  	if callerPod == nil {
   128  		return fmt.Errorf("pod %v/%v not found", caller.PodNamespace, caller.PodName)
   129  	}
   130  	// Make sure UID is still valid for our current state
   131  	if callerPod.UID != types.UID(caller.PodUID) {
   132  		// This would only happen if a pod is re-created with the same name, and the CSR client is not in sync on which is current;
   133  		// this is fine and should be eventually consistent. Client is expected to retry in this case.
   134  		return fmt.Errorf("pod found, but UID does not match: %v vs %v", callerPod.UID, caller.PodUID)
   135  	}
   136  	if callerPod.Spec.ServiceAccountName != caller.PodServiceAccount {
   137  		// This should never happen, but just in case add an additional check
   138  		return fmt.Errorf("pod found, but ServiceAccount does not match: %v vs %v", callerPod.Spec.ServiceAccountName, caller.PodServiceAccount)
   139  	}
   140  	// We want to find out if there is any pod running with the requested identity on the callers node.
   141  	// The indexer (previously setup) creates a lookup table for a {Node, SA} pair, which we can lookup
   142  	k := SaNode{
   143  		ServiceAccount: types.NamespacedName{Name: requestedIdentity.ServiceAccount, Namespace: requestedIdentity.Namespace},
   144  		Node:           callerPod.Spec.NodeName,
   145  	}
   146  	// TODO: this is currently single cluster; we will need to take the cluster of the proxy into account
   147  	// to support multi-cluster properly.
   148  	res := na.nodeIndex.Lookup(k)
   149  	// We don't care what pods are part of the index, only that there is at least one. If there is one,
   150  	// it is appropriate for the caller to request this identity.
   151  	if len(res) == 0 {
   152  		return fmt.Errorf("no instances of %q found on node %q", k.ServiceAccount, k.Node)
   153  	}
   154  	serverCaLog.Debugf("Node caller %v impersonated %v", caller, requestedIdentityString)
   155  	return nil
   156  }