Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support for namespace label selector to authn-k8s #2613

Merged
merged 16 commits into from
Aug 1, 2022
Merged

feat: add support for namespace label selector to authn-k8s #2613

merged 16 commits into from
Aug 1, 2022

Conversation

doodlesbykumbi
Copy link
Contributor

@doodlesbykumbi doodlesbykumbi commented Jul 27, 2022
edited by john-odonnell
Loading

Desired Outcome

Adds support for scoping Authn-K8s workload identity based on namespace labels.
See related solution design for more context.

Implemented Changes

  • Add new constraint class to enforce XOR on a set of resource restrictions
  • Add support for new Authn-K8s host annotation, authn-k8s/namespace-label-selector
  • Update Authn-K8s request validation to fetch a namespace's metadata and validate its labels against the configured selector
  • Unit test the new constraint and validation, and test the new validation end-to-end with the new in-process K8s server mock

Connected Issue/Story

CyberArk internal issue link:
ONYX-23180
ONYX-23186
ONYX-23189
ONYX-23191
ONYX-23193

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: insert issue ID
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@doodlesbykumbi doodlesbykumbi force-pushed the appliance-authn-k8s-label-selector branch from 4d2ba6f to 74ec584 Compare July 27, 2022 14:07
@doodlesbykumbi doodlesbykumbi force-pushed the appliance-authn-k8s-label-selector branch from db53815 to 1a7d45b Compare July 28, 2022 22:06
codeclimate[bot]
codeclimate bot reviewed Jul 28, 2022
View reviewed changes
app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@@ -24,6 +24,41 @@ def valid_resource?(type:, name:)
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatedK8sResource.new(type, name))
end

def valid_namespace?(label_selector:)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Method valid_namespace? has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
def valid_namespace?(label_selector:)
# Validates label selector and creates a hash
# In the spirit of https://github.com/kubernetes/apimachinery/blob/master/pkg/labels/selector.go
if label_selector.length == 0
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use empty? instead of length == 0.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@@ -24,6 +24,41 @@ def valid_resource?(type:, name:)
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatedK8sResource.new(type, name))
end

def valid_namespace?(label_selector:)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Complex method Authentication::AuthnK8s::K8sResourceValidator#valid_namespace? (33.5)

app/domain/authentication/authn_k8s/k8s_object_lookup.rb
def namespace_labels_hash(namespace)
namespace_object = k8s_client_for_method("get_namespace").get_namespace(namespace)

return namespace_object.metadata.labels.to_h unless namespace_object.nil?
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication::AuthnK8s::K8sObjectLookup#namespace_labels_hash refers to 'namespace_object' more than self (maybe move it to another class?)

app/domain/authentication/authn_k8s/k8s_object_lookup.rb
def namespace_labels_hash(namespace)
namespace_object = k8s_client_for_method("get_namespace").get_namespace(namespace)

return namespace_object.metadata.labels.to_h unless namespace_object.nil?
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication::AuthnK8s::K8sObjectLookup#namespace_labels_hash performs a nil-check

john-odonnell and others added 7 commits July 29, 2022 15:39
@john-odonnell
Refactor and test namespace label authentication
1083804
@john-odonnell
Refactor authn-k8s tests for reusability between test cases
5d2bed7
@john-odonnell
Fix refactor
80af822 
- revert to namespace-label-selector
- break out resource validator logs test case
- remove unneeded namespaces list response JSON
@john-odonnell
Refactor errors, authn-k8s test server
35b9a18
@doodlesbykumbi
Merge pull request #2615 from cyberark/refactor-label-tie-in
fd41865 
Refactor and test namespace label authentication
@john-odonnell
Update Changelog
b6e4ff7
@doodlesbykumbi
Merge pull request #2617 from cyberark/label-changelog
0012bb7 
Add Changelog entry for Authn-K8s label-based authn scope
codeclimate[bot]
codeclimate bot reviewed Jul 29, 2022
View reviewed changes
app/domain/authentication/authn_k8s/k8s_resource_validator.rb
end

@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatedK8sResourceLabel.new('namespace', namespace, label_selector))
return true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Redundant return detected.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
invalid ||= kv_pair.length != 2
invalid ||= kv_pair[0].include?("!")

if (invalid)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use parentheses around a variable.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@@ -24,6 +24,44 @@ def valid_resource?(type:, name:)
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatedK8sResource.new(type, name))
end

# Validates label selector and creates a hash
# In the spirit of https://github.com/kubernetes/apimachinery/blob/master/pkg/labels/selector.go
def valid_namespace?(label_selector:)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Complex method Authentication::AuthnK8s::K8sResourceValidator#valid_namespace? (40.4)

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
kv_pair = kv_pair.split(/={1,2}/, 2)

invalid ||= kv_pair.length != 2
invalid ||= kv_pair[0].include?("!")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication::AuthnK8s::K8sResourceValidator#valid_namespace? calls 'kv_pair[0]' 2 times

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatingK8sResourceLabel.new('namespace', namespace, label_selector))

if label_selector.length == 0
raise Errors::Authentication::AuthnK8s::InvalidLabelSelector.new(label_selector)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication::AuthnK8s::K8sResourceValidator#valid_namespace? calls 'raise Errors::Authentication::AuthnK8s::InvalidLabelSelector.new(label_selector)' 2 times

imheresamir
imheresamir previously requested changes Jul 30, 2022
View reviewed changes
Copy link
Contributor

@imheresamir imheresamir left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change entries in the CHANGELOG should live under 1.18.0, please fix TY!

@doodlesbykumbi doodlesbykumbi marked this pull request as ready for review August 1, 2022 08:02
@doodlesbykumbi doodlesbykumbi requested a review from a team as a code owner August 1, 2022 08:02
@doodlesbykumbi doodlesbykumbi force-pushed the appliance-authn-k8s-label-selector branch from d1b1378 to e7d1727 Compare August 1, 2022 08:03
codeclimate[bot]
codeclimate bot reviewed Aug 1, 2022
View reviewed changes
app/domain/authentication/authn_k8s/k8s_resource_validator.rb
invalid ||= kv_pair[0].include?("!")

if (invalid)
raise Errors::Authentication::AuthnK8s::InvalidLabelSelector.new(label_selector)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Provide an exception class and message as arguments to raise.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatingK8sResourceLabel.new('namespace', namespace, label_selector))

if label_selector.length == 0
raise Errors::Authentication::AuthnK8s::InvalidLabelSelector.new(label_selector)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Provide an exception class and message as arguments to raise.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
@@ -24,6 +24,44 @@ def valid_resource?(type:, name:)
@logger.debug(LogMessages::Authentication::AuthnK8s::ValidatedK8sResource.new(type, name))
end

# Validates label selector and creates a hash
# In the spirit of https://github.com/kubernetes/apimachinery/blob/master/pkg/labels/selector.go
def valid_namespace?(label_selector:)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authentication::AuthnK8s::K8sResourceValidator#valid_namespace? has approx 14 statements

app/domain/authentication/authn_k8s/k8s_resource_validator.rb

if label_selector.length == 0
raise Errors::Authentication::AuthnK8s::InvalidLabelSelector.new(label_selector)
end
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add empty line after guard clause.

app/domain/authentication/authn_k8s/k8s_resource_validator.rb
invalid ||= kv_pair.length != 2
invalid ||= kv_pair[0].include?("!")

if (invalid)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use parentheses around the condition of an if.

@codeclimate
Copy link

codeclimate bot commented Aug 1, 2022

Code Climate has analyzed commit e7d1727 and detected 19 issues on this pull request.

Here's the issue category breakdown:

Category Count
Complexity 8
Bug Risk 1
Style 10

The test coverage on the diff in this pull request is 97.3% (50% is the threshold).

This pull request will bring the total coverage in the repository to 89.9% (-1.5% change).

View more on Code Climate.

john-odonnell
john-odonnell approved these changes Aug 1, 2022
View reviewed changes
Copy link
Contributor

@john-odonnell john-odonnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, approved 👍
Not sure if we should remove the appliance build script.

build-and-publish-internal-appliance.sh
@@ -0,0 +1,37 @@
#!/usr/bin/env bash
Copy link
Contributor

@john-odonnell john-odonnell Aug 1, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to merge this script?

Maybe this could be codified as a way of building appliance images for a target working/POC branches, but it seems like once this PR merges, we won't need it in its current form.

@doodlesbykumbi doodlesbykumbi merged commit ee58e09 into master Aug 1, 2022
@doodlesbykumbi doodlesbykumbi deleted the appliance-authn-k8s-label-selector branch August 1, 2022 15:53
@gl-johnson gl-johnson mentioned this pull request Aug 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codeclimate codeclimate[bot] codeclimate[bot] left review comments

@john-odonnell john-odonnell john-odonnell approved these changes

@imheresamir imheresamir imheresamir left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@doodlesbykumbi @imheresamir @john-odonnell