Hive 2485/mce 2.6: Backport AssumeRole, credential_process, and kubeconfig exec fixes #2389
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Simplify the AssumeRole flow: Rather than doing it via `credential_process` as a callback from within the creds file used by the provision pod, flatten this out so the AssumeRole is done implicitly by the AWS SDK. This flow remains unchanged: The clusterdeployment controller: - Copies the service provider secret into the CD namespace - Creates an AWS credentials secret - Creates the provision pod The provision pod: - Loads the credentials secret - Projects the AWS config therein onto the file system - Invokes the installer The installer: - Creates an AWS client using that config file - Proceeds with installation Before this commit: The AWS config contained a `credential_process` which invoked `hiveutil install-manager aws-credentials` which... - Loaded the service provider secret - Created an AWS client - Used the client to AssumeRole and generate credentials with a 15m expiration - Printed the credentials to stdout in the format expected by AWS. Per AWS docs[1], the SDK will automatically rerun the `credential_process` before the expiration time to refresh the creds. With this commit: The clusterdeployment controller loads the service provider secret and folds it into the AWS config as a separate profile, referenced from the default via `source_profile`: ``` [default] source_profile = source role_arn = arn:aws:iam::123456789012:role/assume-role-customer [profile source] aws_access_key_id: ABCDEFGHIJKLMNOPQRST aws_secret_access_key: 1234567890abcdefghijklmnopqrstuvwxyz0123 role_arn = arn:aws:iam::210987654321:role/assume-role-provider ``` Per AWS docs[2], the SDK will use the source creds to AssumeRole to generate temporary creds, which it will automatically refresh as they expire -- i.e. natively performing the same function as `hiveutil install-manager aws-credentials`. [1] https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-sourcing-external.html [2] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html HIVE-2485 HIVE-2529 (cherry picked from commit 8f11ce3) Conflicts: pkg/install/generate.go (hiveutil binary path changed, no longer relevant.)
As a security measure, check AWS config/credential files for `credential_process`, and explode if found. We used to use `credential_process` deliberately to AssumeRole for STS clusters. A prior commit switched this over to use a different mechanism, but existing clusters in the field may still be configured with the old mechanism in the relevant Secrets. Convert such Secrets to use the new mechanism. HIVE-2485 (cherry picked from commit 13ea4f4)
A previous commit (openshift#2306 / 13ea4f4) put in checks to forbid the use of `credential_process` in AWS config/credentials files. It turns out that AWS accepts this key case-insensitively, so this commit updates our checks accordingly. HIVE-2485 (cherry picked from commit 229f705)
Users with write access to the admin kubeconfig Secret for a given ClusterDeployment should not be able to execute arbitrary code in the privileged environment in which we run the controllers that use those Secrets. Funnel all code paths that load such Secrets through a validator to ensure that the AuthInfos[].Exec path is not used. HIVE-2485 (cherry picked from commit df1ea18)
|
@2uasimojo: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 2uasimojo, jstuever The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/cherry-pick mce-2.5 |
|
@2uasimojo: new pull request created: #2391 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual cherry-picks of commits related to #2306, #2356, and #2366. See individual commit messages for details.
HIVE-2485