-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathREADME
More file actions
128 lines (90 loc) · 5.64 KB
/
README
File metadata and controls
128 lines (90 loc) · 5.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
.. WARNING: AUTO-GENERATED FILE. DO NOT EDIT.
OpenShift and Container plugins for Custodia
============================================
**WARNING: proof of concept**
The code is a simple proof of concept. In the future the plugin will be
able to get the hostname from the router/service definition.
ContainerAuth
-------------
Map PID to container engine and container id
OpenShiftHostnameAuthz
----------------------
Authorize hostname against OpenShift API for IPACertRequest
Configuration
-------------
Set up a local system according to
https://github.com/openshift/origin/blob/master/docs/cluster\_up\_down.md
1. Create OC project *test*
2. Create custodia service account and grant *view* permission
::
$ oc project
test
$ oc create serviceaccount custodia
$ oc policy add-role-to-user view system:serviceaccount:test:custodia
3. Get authentication token for service account
::
$ oc describe serviceaccount custodia
Name: custodia
Namespace: test
Labels: <none>
Image pull secrets: custodia-dockercfg-9w57j
Mountable secrets: custodia-token-zrz9g
custodia-dockercfg-9w57j
Tokens: custodia-token-z6j23
custodia-token-zrz9g
$ oc describe secret custodia-token-zrz9g
Name: custodia-token-zrz9g
Namespace: test
Labels: <none>
Annotations: kubernetes.io/service-account.name=custodia
kubernetes.io/service-account.uid=dccff988-36ff-11e7-8735-54ee7547ca7b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1070 bytes
namespace: 4 bytes
service-ca.crt: 2186 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
4. Configure plugins
::
[auth:container]
handler = ContainerAuth
[authz:openshift]
handler = OpenShiftHostnameAuthz
oc_uri = https://localhost:8443
token = eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
project = test
tls_verify = false
5. Bind-mount socket into container
6. Start an OpenShift app
7. Edit YAML and add annotation
::
apiVersion: v1
kind: Pod
metadata:
annotations:
latchset.github.io/custodia.hostname: client1.ipa.example
Example:
~~~~~~~~
Invalid request ``custodia-cli get /certs/HTTP/client2.ipa.example``
::
2017-05-12 16:44:54 - server - REQUEST: GET ('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example'), query: {}, cred: {'gid': 1000, 'pid': 32072, 'uid': 1000, 'context': u'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'}, client_id: 32072, headers: {'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'accept': '*/*', 'user-agent': 'python-requests/2.10.0', 'host': 'localhost', 'content-type': 'application/json'}, body: None
2017-05-12 16:44:54 - ContainerAuth-[auth:container] - Detected docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076 for pid 32072
2017-05-12 16:44:54 - SimplePathAuthz-[authz:paths] - PASS: '32072' authorized for '/secrets'
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - Found pod /api/v1/namespaces/test/pods/deployment-example-1-s0361 for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - Path ('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example') does not match hostname 'client1.ipa.example' for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - FAIL: '32072' authorized for '/secrets/certs/HTTP/client2.ipa.example'
2017-05-12 16:44:54 - HTTPRequestHandler - FAIL: '32072' authorized for '('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example')'
2017-05-12 16:44:54 - server - code 403, message Forbidden
Matching request ``custodia-cli get /certs/HTTP/client1.ipa.example``
::
127.0.0.1 - - [12/May/2017 16:44:54] "GET /secrets/certs/HTTP/client2.ipa.example HTTP/1.1" 403 -
2017-05-12 16:44:58 - server - REQUEST: GET ('', 'secrets', 'certs', 'HTTP', 'client1.ipa.example'), query: {}, cred: {'gid': 1000, 'pid': 32086, 'uid': 1000, 'context': u'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'}, client_id: 32086, headers: {'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'accept': '*/*', 'user-agent': 'python-requests/2.10.0', 'host': 'localhost', 'content-type': 'application/json'}, body: None
2017-05-12 16:44:58 - ContainerAuth-[auth:container] - Detected docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076 for pid 32086
2017-05-12 16:44:58 - SimplePathAuthz-[authz:paths] - PASS: '32086' authorized for '/secrets'
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - Found pod /api/v1/namespaces/test/pods/deployment-example-1-s0361 for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - Container /api/v1/namespaces/test/pods/deployment-example-1-s0361 matches latchset.github.io/custodia.hostname: 'client1.ipa.example'
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - PASS: '32086' authorized for '/secrets/certs/HTTP/client1.ipa.example'
2017-05-12 16:44:58 - IPACertRequest-[store:cert] - Found cached certificate for HTTP/client1.ipa.example@IPA.EXAMPLE
2017-05-12 16:44:58 - Secrets-[/secrets/certs] - ALLOWED: '<pid=32086 uid=1000 gid=1000>' requested key 'HTTP/client1.ipa.example'
127.0.0.1 - - [12/May/2017 16:44:58] "GET /secrets/certs/HTTP/client1.ipa.example HTTP/1.1" 200 -