adding TokenReview.auth.k8s.io/v1 webhook support

Signed-off-by: Chris Hein <[email protected]>

Author: christopherhein

examples/tokenreview/main.go

@@ -0,0 +1,58 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+)
+
+func init() {
+	log.SetLogger(zap.New())
+}
+
+func main() {
+	entryLog := log.Log.WithName("entrypoint")
+
+	// Setup a Manager
+	entryLog.Info("setting up manager")
+	mgr, err := manager.New(config.GetConfigOrDie(), manager.Options{})
+	if err != nil {
+		entryLog.Error(err, "unable to set up overall controller manager")
+		os.Exit(1)
+	}
+
+	// Setup webhooks
+	entryLog.Info("setting up webhook server")
+	hookServer := mgr.GetWebhookServer()
+
+	entryLog.Info("registering webhooks to the webhook server")
+	hookServer.Register("/validate-v1-tokenreview", &webhook.Authentication{Handler: &authenticator{}})
+
+	entryLog.Info("starting manager")
+	if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
+		entryLog.Error(err, "unable to run manager")
+		os.Exit(1)
+	}
+}

examples/tokenreview/tokenreview.go

@@ -0,0 +1,37 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"context"
+
+	v1 "k8s.io/api/authentication/v1"
+
+	"sigs.k8s.io/controller-runtime/pkg/webhook/authentication"
+)
+
+// authenticator validates tokenreviews
+type authenticator struct {
+}
+
+// authenticator admits a request by the token.
+func (a *authenticator) Handle(ctx context.Context, req authentication.Request) authentication.Response {
+	if req.Spec.Token == "invalid" {
+		return authentication.Unauthenticated("invalid is an invalid token", v1.UserInfo{})
+	}
+	return authentication.Authenticated("", v1.UserInfo{})
+}

pkg/webhook/alias.go

@@ -19,6 +19,7 @@ package webhook
 import (
 	"gomodules.xyz/jsonpatch/v2"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/authentication"
 )
 
 // define some aliases for common bits of the webhook functionality
@@ -54,6 +55,20 @@ type AdmissionHandler = admission.Handler
 // AdmissionDecoder knows how to decode objects from admission requests.
 type AdmissionDecoder = admission.Decoder
 
+// AuthenticationRequest defines the input for an authentication handler.
+// It contains the token & audiences from the client.
+type AuthenticationRequest = authentication.Request
+
+// AuthenticationResponse is the output of an authentication handler.
+// It contains a response indicating if a given operation is allowed.
+type AuthenticationResponse = authentication.Response
+
+// Authentication is webhook suitable for registration with the server
+type Authentication = authentication.Webhook
+
+// AuthenticationHandler knows how to process authentication requests.
+type AuthenticationHandler = authentication.Handler
+
 // JSONPatchOp represents a single JSONPatch patch operation.
 type JSONPatchOp = jsonpatch.Operation
 
@@ -70,4 +85,13 @@ var (
 
 	// Errored indicates that an error occurred in the admission request.
 	Errored = admission.Errored
+
+	// Authenticated indicates that the token review should be allowed for the given reason.
+	Authenticated = authentication.Authenticated
+
+	// Unauthenticated indicates that the token review should be unauthorized for the given reson.
+	Unauthenticated = authentication.Unauthenticated
+
+	// AuthenticationErrored indicates that an error occurred in the token review
+	AuthenticationErrored = authentication.Errored
 )

pkg/webhook/authentication/authentication_suite_test.go

@@ -0,0 +1,40 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authentication
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"sigs.k8s.io/controller-runtime/pkg/envtest/printer"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+)
+
+func TestAuthenticationWebhook(t *testing.T) {
+	RegisterFailHandler(Fail)
+	suiteName := "Authentication Webhook Suite"
+	RunSpecsWithDefaultAndCustomReporters(t, suiteName, []Reporter{printer.NewlineReporter{}, printer.NewProwReporter(suiteName)})
+}
+
+var _ = BeforeSuite(func(done Done) {
+	logf.SetLogger(zap.New(zap.WriteTo(GinkgoWriter), zap.UseDevMode(true)))
+
+	close(done)
+}, 60)

pkg/webhook/authentication/doc.go

@@ -0,0 +1,29 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package authentication provides implementation for authentication webhook and
+methods to implement authentication webhook handlers.
+
+See examples/tokenreview/ for an example of authentication webhooks.
+*/
+package authentication
+
+import (
+	logf "sigs.k8s.io/controller-runtime/pkg/internal/log"
+)
+
+var log = logf.RuntimeLog.WithName("authentication")

pkg/webhook/authentication/http.go

@@ -0,0 +1,151 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authentication
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+
+	v1 "k8s.io/api/authentication/v1"
+	"k8s.io/api/authentication/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var authenticationScheme = runtime.NewScheme()
+var authenticationCodecs = serializer.NewCodecFactory(authenticationScheme)
+
+func init() {
+	utilruntime.Must(v1.AddToScheme(authenticationScheme))
+	utilruntime.Must(v1beta1.AddToScheme(authenticationScheme))
+}
+
+var _ http.Handler = &Webhook{}
+
+func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	var body []byte
+	var err error
+	ctx := r.Context()
+	if wh.WithContextFunc != nil {
+		ctx = wh.WithContextFunc(ctx, r)
+	}
+
+	var reviewResponse Response
+	if r.Body != nil {
+		if body, err = ioutil.ReadAll(r.Body); err != nil {
+			wh.log.Error(err, "unable to read the body from the incoming request")
+			reviewResponse = Errored(err)
+			wh.writeResponse(w, reviewResponse)
+			return
+		}
+	} else {
+		err = errors.New("request body is empty")
+		wh.log.Error(err, "bad request")
+		reviewResponse = Errored(err)
+		wh.writeResponse(w, reviewResponse)
+		return
+	}
+
+	// verify the content type is accurate
+	contentType := r.Header.Get("Content-Type")
+	if contentType != "application/json" {
+		err = fmt.Errorf("contentType=%s, expected application/json", contentType)
+		wh.log.Error(err, "unable to process a request with an unknown content type", "content type", contentType)
+		reviewResponse = Errored(err)
+		wh.writeResponse(w, reviewResponse)
+		return
+	}
+
+	// Both v1 and v1beta1 TokenReview types are exactly the same, so the v1beta1 type can
+	// be decoded into the v1 type. However the runtime codec's decoder guesses which type to
+	// decode into by type name if an Object's TypeMeta isn't set. By setting TypeMeta of an
+	// unregistered type to the v1 GVK, the decoder will coerce a v1beta1 TokenReview to v1.
+	// The actual TokenReview GVK will be used to write a typed response in case the
+	// webhook config permits multiple versions, otherwise this response will fail.
+	req := Request{}
+	ar := unversionedTokenReview{}
+	// avoid an extra copy
+	ar.TokenReview = &req.TokenReview
+	ar.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("TokenReview"))
+	_, actualTokRevGVK, err := authenticationCodecs.UniversalDeserializer().Decode(body, nil, &ar)
+	if err != nil {
+		wh.log.Error(err, "unable to decode the request")
+		reviewResponse = Errored(err)
+		wh.writeResponse(w, reviewResponse)
+		return
+	}
+	wh.log.V(1).Info("received request", "UID", req.UID, "kind", req.Kind)
+
+	if req.Spec.Token == "" {
+		err = errors.New("token is empty")
+		wh.log.Error(err, "bad request")
+		reviewResponse = Errored(err)
+		wh.writeResponse(w, reviewResponse)
+		return
+	}
+
+	// TODO: add panic-recovery for Handle
+	reviewResponse = wh.Handle(ctx, req)
+	wh.writeResponseTyped(w, reviewResponse, actualTokRevGVK)
+}
+
+// writeResponse writes response to w generically, i.e. without encoding GVK information.
+func (wh *Webhook) writeResponse(w io.Writer, response Response) {
+	wh.writeTokenResponse(w, response.TokenReview)
+}
+
+// writeResponseTyped writes response to w with GVK set to tokRevGVK, which is necessary
+// if multiple TokenReview versions are permitted by the webhook.
+func (wh *Webhook) writeResponseTyped(w io.Writer, response Response, tokRevGVK *schema.GroupVersionKind) {
+	ar := response.TokenReview
+
+	// Default to a v1 TokenReview, otherwise the API server may not recognize the request
+	// if multiple TokenReview versions are permitted by the webhook config.
+	if tokRevGVK == nil || *tokRevGVK == (schema.GroupVersionKind{}) {
+		ar.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("TokenReview"))
+	} else {
+		ar.SetGroupVersionKind(*tokRevGVK)
+	}
+	wh.writeTokenResponse(w, ar)
+}
+
+// writeTokenResponse writes ar to w.
+func (wh *Webhook) writeTokenResponse(w io.Writer, ar v1.TokenReview) {
+	err := json.NewEncoder(w).Encode(ar)
+	if err != nil {
+		wh.log.Error(err, "unable to encode the response")
+		wh.writeResponse(w, Errored(err))
+	} else {
+		res := ar
+		if log := wh.log; log.V(1).Enabled() {
+			log.V(1).Info("wrote response", "UID", res.UID, "authenticated", res.Status.Authenticated)
+		}
+	}
+}
+
+// unversionedTokenReview is used to decode both v1 and v1beta1 TokenReview types.
+type unversionedTokenReview struct {
+	*v1.TokenReview
+}
+
+var _ runtime.Object = &unversionedTokenReview{}