Merge branch 'master' of file:///Users/dims/go/src/github.com/dims/k8s-keystone-auth into add-k8s-keystone-auth-repo

Author: dims

cluster/images/webhook/Dockerfile

@@ -0,0 +1,15 @@
+FROM ubuntu:16.04
+MAINTAINER Saverio Proto <[email protected]>
+RUN apt-get update && \
+    apt-get install -y software-properties-common
+RUN add-apt-repository -y ppa:masterminds/glide
+RUN apt-get update && \
+    apt-get install -y glide git build-essential golang && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+RUN git clone https://github.com/dims/k8s-keystone-auth
+WORKDIR k8s-keystone-auth
+RUN make depend && make build
+EXPOSE 8443
+CMD ./bin/k8s-keystone-auth --tls-cert-file ${API_SERVER_CERT} --tls-private-key-file ${API_SERVER_KEY} --keystone-url ${OPENSTACK_KEYSTONE_URL}
+

cmd/k8s-keystone-auth/main.go

@@ -0,0 +1,77 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"flag"
+	"log"
+	"net/http"
+
+	"github.com/dims/k8s-keystone-auth/pkg/authenticator/token/keystone"
+	"github.com/dims/k8s-keystone-auth/pkg/identity/webhook"
+	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+func webhookServer(authenticator authenticator.Token, authorizer authorizer.Authorizer) http.Handler {
+	return &webhook.WebhookHandler{
+		Authenticator: authenticator,
+		Authorizer:    authorizer,
+	}
+}
+
+var (
+	listenAddr     string
+	tlsCertFile    string
+	tlsPrivateKey  string
+	keystoneURL    string
+	keystoneCaFile string
+	policyFile     string
+)
+
+func main() {
+	flag.StringVar(&listenAddr, "listen", "localhost:8443", "<address>:<port> to listen on")
+	flag.StringVar(&tlsCertFile, "tls-cert-file", "", "File containing the default x509 Certificate for HTTPS.")
+	flag.StringVar(&tlsPrivateKey, "tls-private-key-file", "", "File containing the default x509 private key matching --tls-cert-file.")
+	flag.StringVar(&keystoneURL, "keystone-url", "http://localhost/identity/v3/", "URL for the OpenStack Keystone API")
+	flag.StringVar(&keystoneCaFile, "keystone-ca-file", "", "File containing the certificate authority for Keystone Service.")
+	flag.StringVar(&policyFile, "keystone-policy-file", "", "File containing the policy.")
+	flag.Parse()
+
+	if tlsCertFile == "" || tlsPrivateKey == "" {
+		log.Fatal("Please specify --tls-cert-file and --tls-private-key-file arguments.")
+	}
+	if policyFile == "" {
+		log.Printf("Argument --keystone-policy-file missing. Only keystone authentication will work. Use RBAC for authorization.")
+	}
+
+	authentication_handler, err := keystone.NewKeystoneAuthenticator(keystoneURL, keystoneCaFile)
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+
+	authorization_handler, err := keystone.NewKeystoneAuthorizer(keystoneURL, keystoneCaFile, policyFile)
+	if err != nil {
+		log.Fatal(err.Error())
+	}
+
+	http.Handle("/webhook", webhookServer(authentication_handler, authorization_handler))
+	log.Println("Starting webhook..")
+	log.Fatal(
+		http.ListenAndServeTLS(":8443",
+			tlsCertFile,
+			tlsPrivateKey,
+			nil))
+}

examples/webhook/policy.json

@@ -0,0 +1,46 @@
+[
+  {
+    "resource": {
+      "verb": "*",
+      "resource": "*",
+      "version": "*",
+      "namespace": "*"
+    },
+    "match": {
+      "type": "role",
+      "value": "*"
+    }
+  },
+  {
+    "resource": {
+      "verb": "*",
+      "resource": "*",
+      "version": "*",
+      "namespace": "*"
+    },
+    "match": {
+      "type": "group",
+      "value": "*"
+    }
+  },
+  {
+    "nonresource": {
+      "verb": "*",
+      "path": "*"
+    },
+    "match": {
+      "type": "role",
+      "value": "*"
+    }
+  },
+  {
+    "nonresource": {
+      "verb": "*",
+      "path": "*"
+    },
+    "match": {
+      "type": "group",
+      "value": "*"
+    }
+  }
+]

manifests/webhook/k8s-keystone-auth.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    scheduler.alpha.kubernetes.io/critical-pod: ""
+  creationTimestamp: null
+  labels:
+    component: k8s-keystone-auth
+    tier: control-plane
+  name: k8s-keystone-auth
+  namespace: kube-system
+spec:
+  containers:
+  - command:
+    - ./bin/k8s-keystone-auth
+    - --tls-cert-file
+    - /etc/kubernetes/pki/apiserver.crt
+    - --tls-private-key-file
+    - /etc/kubernetes/pki/apiserver.key
+    - --keystone-url
+    - https://mykeystone.com:5000/v3
+    image: k8s-keystone-auth
+    imagePullPolicy: Always
+    #livenessProbe:
+    #  failureThreshold: 8
+    #  httpGet:
+    #    host: 127.0.0.1
+    #    path: /healthz
+    #    port: 6443
+    #    scheme: HTTPS
+    #  initialDelaySeconds: 15
+    #  timeoutSeconds: 15
+    name: k8s-keystone-auth
+    resources:
+      requests:
+        cpu: 250m
+    volumeMounts:
+    - mountPath: /etc/kubernetes/pki
+      name: k8s-certs
+      readOnly: true
+    - mountPath: /etc/ssl/certs
+      name: ca-certs
+      readOnly: true
+  hostNetwork: true
+  volumes:
+  - hostPath:
+      path: /etc/kubernetes/pki
+      type: DirectoryOrCreate
+    name: k8s-certs
+  - hostPath:
+      path: /etc/ssl/certs
+      type: DirectoryOrCreate
+    name: ca-certs
+status: {}

pkg/authenticator/token/keystone/authenticator.go

@@ -0,0 +1,110 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package keystone
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+
+	"github.com/golang/glog"
+	"github.com/gophercloud/gophercloud"
+
+	"k8s.io/apiserver/pkg/authentication/user"
+)
+
+// KeystoneAuthenticator contacts openstack keystone to validate user's token passed in the request.
+// The keystone endpoint is passed during apiserver startup
+type KeystoneAuthenticator struct {
+	authURL string
+	client  *gophercloud.ServiceClient
+}
+
+// AuthenticatePassword checks the token via Keystone call
+func (keystoneAuthenticator *KeystoneAuthenticator) AuthenticateToken(token string) (user.Info, bool, error) {
+
+	// We can use the Keystone GET /v3/auth/tokens API to validate the token
+	// and get information about the user as well
+	// http://git.openstack.org/cgit/openstack/keystone/tree/api-ref/source/v3/authenticate-v3.inc#n437
+	// https://developer.openstack.org/api-ref/identity/v3/?expanded=validate-and-show-information-for-token-detail
+	request_opts := gophercloud.RequestOpts{
+		MoreHeaders: map[string]string{
+			"X-Auth-Token":    token,
+			"X-Subject-Token": token,
+		},
+	}
+	url := keystoneAuthenticator.client.ServiceURL("auth", "tokens")
+	response, err := keystoneAuthenticator.client.Request("GET", url, &request_opts)
+	if err != nil {
+		glog.V(4).Info("Failed: bad response from API call: %v", err)
+		return nil, false, errors.New("Failed to authenticate")
+	}
+
+	defer response.Body.Close()
+	bodyBytes, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		glog.V(4).Infof("Cannot get HTTP response body from keystone token validate: %v", err)
+		return nil, false, errors.New("Failed to authenticate")
+	}
+
+	obj := struct {
+		Token struct {
+			User struct {
+				Id   string `json:"id"`
+				Name string `json:"name"`
+			} `json:"user"`
+			Project struct {
+				Id   string `json:"id"`
+				Name string `json:"name"`
+			} `json:"project"`
+			Roles []struct {
+				Name string `json:"name"`
+			} `json:"roles"`
+		} `json:"token"`
+	}{}
+
+	err = json.Unmarshal(bodyBytes, &obj)
+	if err != nil {
+		glog.V(4).Infof("Cannot unmarshal response: %v", err)
+		return nil, false, errors.New("Failed to authenticate")
+	}
+
+	var roles []string
+	if obj.Token.Roles != nil && len(obj.Token.Roles) > 0 {
+		roles = make([]string, len(obj.Token.Roles))
+		for i := 0; i < len(obj.Token.Roles); i++ {
+			roles[i] = obj.Token.Roles[i].Name
+		}
+	} else {
+		roles = make([]string, 0)
+	}
+
+	extra := map[string][]string{
+		"alpha.kubernetes.io/identity/roles":        roles,
+		"alpha.kubernetes.io/identity/project/id":   []string{obj.Token.Project.Id},
+		"alpha.kubernetes.io/identity/project/name": []string{obj.Token.Project.Name},
+	}
+
+	authenticated_user := &user.DefaultInfo{
+		Name:   obj.Token.User.Name,
+		UID:    obj.Token.User.Id,
+		Groups: []string{obj.Token.Project.Id},
+		Extra:  extra,
+	}
+
+	return authenticated_user, true, nil
+}