
Impersonate-Group header does not support comma-separated format #94683

@travisgroth

Description

What happened:

When specifying multiple groups to impersonate, setting impersonate-group to a comma separated list is parsed as a single group name containing the entirety of the header value. See RFC.

Example: impersonate-group: foo, bar, baz is parsed as a group named foo, bar, baz.

What you expected to happen:

The header is parsed as multiple groups.

Example: impersonate-group: foo, bar, baz is parsed as a group list foo, bar, baz.

How to reproduce it (as minimally and precisely as possible):

Docker-desktop, but should be easily reproduced with minikube, etc. with updated URLs.

Setup:

# assumes default namespace
kubectl create serviceaccount impersonator
TOKEN=$(kubectl get secret $(kubectl get serviceaccounts impersonator -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -D)
kubectl create clusterrolebinding impersonator --serviceaccount default:impersonator --clusterrole cluster-admin
kubectl create clusterrolebinding group-based-admin --group admins --clusterrole cluster-admin

Results in 403:

curl -v --insecure -H "Authorization: Bearer ${TOKEN}" \
  -H "impersonate-user: XXXXX" \
  -H "impersonate-group: admins, otheradmins" \
  https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods

Add CRB for group with commas/space in name:

kubectl create clusterrolebinding alternate-group-based-admin --group "admins, otheradmins" --clusterrole cluster-admin

Results in 200:

curl -v --insecure -H "Authorization: Bearer ${TOKEN}" \
  -H "impersonate-user: XXXXX" \
  -H "impersonate-group: admins, otheradmins" \
  https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods

Anything else we need to know?:

  • Proxies and HTTP libraries may not be aware of this limitation and often collapse multi-value headers that are not well known (set-cookie is usually an exception).
  • It isn't very common or reasonable to expect commas and spaces in groups to be supported.

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-16T00:04:31Z", GoVersion:"go1.14.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.6-beta.0", GitCommit:"e7f962ba86f4ce7033828210ca3556393c377bcc", GitTreeState:"clean", BuildDate:"2020-01-15T08:18:29Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: Docker-Desktop / OSX
  • OS (e.g: cat /etc/os-release): Docker Desktop
  • Kernel (e.g. uname -a): 4.19.76-linuxkit
  • Install tools: N/A
  • Network plugin and version (if this is a network-related bug): N/A
  • Others: N/A
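To make the mechanism behind this report concrete, here is an added Go example (not code from the issue or from the kube-apiserver) that models the two header shapes involved: multiple groups sent as repeated Impersonate-Group header lines, versus the same groups collapsed by an intermediary into one comma-separated line. The group-extraction function and the proxy-collapsing helper are assumptions that model the behaviour described above, not the apiserver's own implementation.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// ImpersonateGroupHeader is the canonical form of the header used by Kubernetes.
const ImpersonateGroupHeader = "Impersonate-Group"

// groupsFromHeader models the behaviour the issue describes (assumption, not
// apiserver code): every header line is one group, and a comma inside a line
// is simply part of that group's name, never a separator.
func groupsFromHeader(h http.Header) []string {
	return h.Values(ImpersonateGroupHeader)
}

// collapseLikeProxy models an intermediary that folds repeated header lines of
// the same name into a single comma-separated line (assumption: this is the
// generic HTTP field-combining rule, applied without knowledge of this header).
func collapseLikeProxy(h http.Header) http.Header {
	out := http.Header{}
	for k, vs := range h {
		out.Set(k, strings.Join(vs, ", "))
	}
	return out
}

// hasGroup reports whether the parsed group list contains exactly name, which
// is what a ClusterRoleBinding subject of kind Group is matched against.
func hasGroup(groups []string, name string) bool {
	for _, g := range groups {
		if g == name {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: two groups as repeated header lines, the form the
	// apiserver understands.
	req, _ := http.NewRequest("GET", "https://example.invalid/api/v1/namespaces/default/pods", nil)
	req.Header.Add(ImpersonateGroupHeader, "admins")
	req.Header.Add(ImpersonateGroupHeader, "otheradmins")
	direct := groupsFromHeader(req.Header)
	viaProxy := groupsFromHeader(collapseLikeProxy(req.Header))
	fmt.Printf("direct: %q -> bound to admins: %v\n", direct, hasGroup(direct, "admins"))
	fmt.Printf("via proxy: %q -> bound to admins: %v\n", viaProxy, hasGroup(viaProxy, "admins"))
}
```

The second line of output is the 403 case from the report: after collapsing, the only group present is the literal string "admins, otheradmins", which matches no binding for "admins".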

Labels: kind/bug, sig/auth