Add solution design for Authn-K8s namespace label constraint #2603

john-odonnell · 2022-07-12T20:29:10Z

Desired Outcome

Add solution design for Authn-K8s namespace label constraint

Implemented Changes

N/A

Connected Issue/Story

CyberArk internal issue link: ONYX-21265

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

The CHANGELOG has been updated, or
This PR does not include user-facing changes and doesn't require a
CHANGELOG update

Test coverage

This PR includes new unit and integration tests to go with the code
changes, or
The changes in this PR do not require tests

Documentation

Docs (e.g. READMEs) were updated in this PR
A follow-up issue to update official docs has been filed here: insert issue ID
This PR does not require updating any documentation

Behavior

This PR changes product behavior and has been reviewed by a PO, or
These changes are part of a larger initiative that will be reviewed later, or
No behavior was changed with this PR

Security

Security architect has reviewed the changes in this PR,
These changes are part of a larger initiative with a separate security review, or
There are no security aspects to these changes

design/proposals/namespace_label_authenticator.md

rafis3 · 2022-07-24T06:00:17Z

design/proposals/namespace_label_authenticator.md

+
+| **Subject** | **Description** | **Issue Mitigation** |
+|-------------|-----------------|----------------------|
+| **Many Similarly-Labeled Namespaces** | Using Kubernetes' native label selector implementation would mean receiving a list of all similarly-labeled namespaces, and limiting those results further based on a request's origin namespace. For a cluster with many similarly-labeled namespaces, this operation could be costly. | Instead of querying the Kubernetes API for a list of all similarly-labeled namespaces, we can get only the request's origin namespace, and then validate its labels against the configured selector locally. This means Conjur is only ever querying for a single resource instead of a open-ended multitude. |


Worth mentioning that from a performance standpoint, it's still one more call than all our other types of authentications? (service account, controller, namespace and so on)
Because in others, we query the Pod and we get all the relevant information we need from that object. Here we will need to perform one more call, on the Namespace object of the Pod to get its labels.

rafis3 · 2022-07-24T06:06:52Z

design/proposals/namespace_label_authenticator.md

+
+| **Security Issue** | **Description** | **Resolution** |
+|--------------------|-----------------|----------------|
+| **Added Permissions** | The Authenticator identity needs a new permission to get any namespace in a cluster. | This is necessary, and an improvement over requiring permission to list all namespaces in a cluster. List permission means the identity can discover unknown resources, but get permission requires knowledge of existing resources. |


The permission is required only in the namespaces in which Conjur needs to provide service.
Since we currently already provide permissions on a per namespace level (as a guideline we don't recommend cluster wide permission to Conjur), then this new permission will be on these namespaces only as well.