/custodia.openshift

Custodia plugins for OpenShift

Primary LanguagePythonGNU General Public License v3.0GPL-3.0

OpenShift and Container plugins for Custodia

WARNING: proof of concept

The code is a simple proof of concept. In the future the plugin will be able to get the hostname from the router/service definition.

ContainerAuth

Map PID to container engine and container id

OpenShiftHostnameAuthz

Authorize hostname against OpenShift API for IPACertRequest

Configuration

Set up a local system according to https://github.com/openshift/origin/blob/master/docs/cluster_up_down.md

  1. Create OC project test

  2. Create custodia service account and grant view permission

$ oc project
test
$ oc create serviceaccount custodia
$ oc policy add-role-to-user view system:serviceaccount:test:custodia
  1. Get authentication token for service account
$ oc describe serviceaccount custodia
Name:           custodia
Namespace:      test
Labels:         <none>

Image pull secrets:     custodia-dockercfg-9w57j

Mountable secrets:      custodia-token-zrz9g
                        custodia-dockercfg-9w57j

Tokens:                 custodia-token-z6j23
                        custodia-token-zrz9g

$ oc describe secret custodia-token-zrz9g
Name:           custodia-token-zrz9g
Namespace:      test
Labels:         <none>
Annotations:    kubernetes.io/service-account.name=custodia
                kubernetes.io/service-account.uid=dccff988-36ff-11e7-8735-54ee7547ca7b

Type:   kubernetes.io/service-account-token

Data
====
ca.crt:         1070 bytes
namespace:      4 bytes
service-ca.crt: 2186 bytes
token:          eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
  1. Configure plugins
[auth:container]
handler = ContainerAuth

[authz:openshift]
handler = OpenShiftHostnameAuthz
oc_uri = https://localhost:8443
token = eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
project = test
tls_verify = false
  1. Bind-mount socket into container

  2. Start an OpenShift app

  3. Edit YAML and add annotation

apiVersion: v1
kind: Pod
metadata:
  annotations:
    latchset.github.io/custodia.hostname: client1.ipa.example

Example:

Invalid request custodia-cli get /certs/HTTP/client2.ipa.example

2017-05-12 16:44:54 - server                           - REQUEST: GET ('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example'), query: {}, cred: {'gid': 1000, 'pid': 32072, 'uid': 1000, 'context': u'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'}, client_id: 32072, headers: {'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'accept': '*/*', 'user-agent': 'python-requests/2.10.0', 'host': 'localhost', 'content-type': 'application/json'}, body: None
2017-05-12 16:44:54 - ContainerAuth-[auth:container]   - Detected docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076 for pid 32072
2017-05-12 16:44:54 - SimplePathAuthz-[authz:paths]    - PASS: '32072' authorized for '/secrets'
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - Found pod /api/v1/namespaces/test/pods/deployment-example-1-s0361 for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - Path ('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example') does not match hostname 'client1.ipa.example' for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:54 - OpenShiftAuthz-[authz:openshift] - FAIL: '32072' authorized for '/secrets/certs/HTTP/client2.ipa.example'
2017-05-12 16:44:54 - HTTPRequestHandler               - FAIL: '32072' authorized for '('', 'secrets', 'certs', 'HTTP', 'client2.ipa.example')'
2017-05-12 16:44:54 - server                           - code 403, message Forbidden

Matching request custodia-cli get /certs/HTTP/client1.ipa.example

127.0.0.1 - - [12/May/2017 16:44:54] "GET /secrets/certs/HTTP/client2.ipa.example HTTP/1.1" 403 -
2017-05-12 16:44:58 - server                           - REQUEST: GET ('', 'secrets', 'certs', 'HTTP', 'client1.ipa.example'), query: {}, cred: {'gid': 1000, 'pid': 32086, 'uid': 1000, 'context': u'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'}, client_id: 32086, headers: {'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'accept': '*/*', 'user-agent': 'python-requests/2.10.0', 'host': 'localhost', 'content-type': 'application/json'}, body: None
2017-05-12 16:44:58 - ContainerAuth-[auth:container]   - Detected docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076 for pid 32086
2017-05-12 16:44:58 - SimplePathAuthz-[authz:paths]    - PASS: '32086' authorized for '/secrets'
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - Found pod /api/v1/namespaces/test/pods/deployment-example-1-s0361 for docker://e672868dfdadaa30b0a0a84d20317941e7bba741f893b84c713a430fc60d1076
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - Container /api/v1/namespaces/test/pods/deployment-example-1-s0361 matches latchset.github.io/custodia.hostname: 'client1.ipa.example'
2017-05-12 16:44:58 - OpenShiftAuthz-[authz:openshift] - PASS: '32086' authorized for '/secrets/certs/HTTP/client1.ipa.example'
2017-05-12 16:44:58 - IPACertRequest-[store:cert]      - Found cached certificate for HTTP/client1.ipa.example@IPA.EXAMPLE
2017-05-12 16:44:58 - Secrets-[/secrets/certs]         - ALLOWED: '<pid=32086 uid=1000 gid=1000>' requested key 'HTTP/client1.ipa.example'
127.0.0.1 - - [12/May/2017 16:44:58] "GET /secrets/certs/HTTP/client1.ipa.example HTTP/1.1" 200 -