Skip to content

Do not send 'failed with error' JWTs to the webhook authenticator #123871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Do not send 'failed with error' JWTs to the webhook authenticator #123871

wants to merge 1 commit into from
+83 −23

Conversation

enj
Copy link
Member

@enj enj commented Mar 11, 2024

This change prevents authentication tokens that are handled and fail authentication via the service account or JWT authenticator from being sent to any configured webhook authenticator. The old behavior of forwarding these tokens to the webhook authenticator can be temporarily restored by disabling the StrictAuthenticationTokenHandling feature gate.

Some important implementation details:

tokenAuthenticators are now split into opaqueTokenAuthenticators and jwtSchemaAuthenticators but the webhook authenticator is modeled as as jwtSchemaAuthenticator because it just needs to come at the end. opaqueTokenAuthenticators and jwtSchemaAuthenticators are unioned and will continue to the next authenticator on error.

Bootstrap tokens are handled before service account tokens (this should be a no-op since they have no schema overlap).

Swap the ordering of the service account authenticators so that new style tokens are attempted first. The service account authenticators are unioned together because we do not validate that their issuers do not overlap. This should also be a no-op with a slight performance improvement since legacy tokens are rare in comparison to the new style service account tokens.

jwtSchemaAuthenticators are unioned but will fail on the first error. Validation already guarantees that the JWT issuers of these authenticators never overlap, so the only behavioral change is that if a incoming JWT has an issuer that matches either the service account authenticators or the any JWT authenticators, they will never be sent to the webhook authenticator. Previously, if all of the prior JWT schema authenticators failed to validate the token, it would be sent to the webhook authenticator so that it could attempt to validate the token.

Note that any non-JWT tokens will continue to be sent to the webhook authenticator, even if they fail with an error on any one of the previous opaqueTokenAuthenticators.

/kind bug
/kind api-change
/sig auth
/triage accepted
/milestone v1.31

Authentication tokens that are handled and fail authentication via the service account or JWT authenticator are no longer sent to any configured webhook authenticator.  The old behavior of forwarding these tokens to the webhook authenticator can be temporarily restored by disabling the StrictAuthenticationTokenHandling feature gate.

Remaining tasks:

  • Discuss at SIG Auth meeting
  • Get an API review
  • Add integration tests

@enj
Do not send 'failed with error' JWTs to the webhook authenticator
5f70b0a 
This change prevents authentication tokens that are handled and fail
authentication via the service account or JWT authenticator from being
sent to any configured webhook authenticator.  The old behavior of
forwarding these tokens to the webhook authenticator can be
temporarily restored by disabling the StrictAuthenticationTokenHandling
feature gate.

Some important implementation details:

tokenAuthenticators are now split into opaqueTokenAuthenticators and
jwtSchemaAuthenticators but the webhook authenticator is modeled as
as jwtSchemaAuthenticator because it just needs to come at the end.
opaqueTokenAuthenticators and jwtSchemaAuthenticators are unioned and
will continue to the next authenticator on error.

Bootstrap tokens are handled before service account tokens (this
should be a no-op since they have no schema overlap).

Swap the ordering of the service account authenticators so that new
style tokens are attempted first.  The service account authenticators
are unioned together because we do not validate that their issuers
do not overlap.  This should also be a no-op with a slight performance
improvement since legacy tokens are rare in comparison to the new style
service account tokens.

jwtSchemaAuthenticators are unioned but will fail on the first error.
Validation already guarantees that the JWT issuers of these
authenticators never overlap, so the only behavioral change is that
if a incoming JWT has an issuer that matches either the service
account authenticators or the any JWT authenticators, they will never
be sent to the webhook authenticator.  Previously, if all of the prior
JWT schema authenticators failed to validate the token, it would be
sent to the webhook authenticator so that it could attempt to validate
the token.

Note that any non-JWT tokens will continue to be sent to the webhook
authenticator, even if they fail with an error on any one of the
previous opaqueTokenAuthenticators.

Signed-off-by: Monis Khan <[email protected]>
@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Mar 11, 2024
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone Mar 11, 2024
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API labels Mar 11, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Mar 11, 2024
@k8s-ci-robot k8s-ci-robot requested a review from apelisse March 11, 2024 19:26
@k8s-ci-robot k8s-ci-robot requested a review from thockin March 11, 2024 19:26
@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. approved Indicates a PR has been approved by an approver from all required OWNERS files. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 11, 2024
@enj
Copy link
Member Author

enj commented Mar 11, 2024

/hold

For remaining tasks noted above.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 11, 2024
@sftim
Copy link
Contributor

sftim commented Mar 12, 2024

Changelog suggestion (may be incorrect; I've based what I wrote on what I understood the existing text to mean)

-Authentication tokens that are handled and fail authentication via the service account or JWT authenticator are no longer sent to any configured webhook authenticator.  The old behavior of forwarding these tokens to the webhook authenticator can be temporarily restored by disabling the StrictAuthenticationTokenHandling feature gate.
+Revised how the API server treats authentication tokens that fail verification.
+For authentication tokens that are handled via the service account or JWT authenticator, and that fail authentication,
+these are no longer sent to any configured webhook authenticator.  The previous behavior of forwarding such
+tokens to the webhook authenticator can be restored by disabling the `StrictAuthenticationTokenHandling`
+feature gate (which is beta, and is enabled by default).

@k8s-ci-robot
Copy link
Contributor

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 14, 2024
@SubhasmitaSw
Copy link
Contributor

SubhasmitaSw commented Jun 12, 2024
edited
Loading

Hello @enj 👋🏻 This PR has not been updated for a long time, so I'd like to check the status. The code freeze starts at 02:00 UTC on Wednesday 10th July 2024 (about 4 weeks from now), and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time.

As the PR is tagged for 1.31, is it still planned for this release?

@sanchita-07
Copy link
Member

Hi @enj, following up to check the status of this PR.

Reminder: Code freeze starts 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024 (about 1.5 weeks from now). Please make sure the PR has both lgtm and approved labels before the code freeze.

@enj
Copy link
Member Author

enj commented Jul 23, 2024

/milestone v1.32

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.31, v1.32 Jul 23, 2024
@dims dims added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 22, 2024
@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 16, 2024
@knabben
Copy link
Member

knabben commented Oct 18, 2024

Hello @enj @thockin @apelisse
This PR has not been updated for a long time, so I'd like to check what's the status. The code freeze is starting 02:00 UTC Friday November 8th 2024 (about 3 weeks from now), and while there is still time, we want to ensure that each PR has a chance to be merged on time.
As the PR is tagged for 1.32, is it still planned for this release?

@aramase
Copy link
Member

aramase commented Oct 29, 2024

/assign enj

@knabben
Copy link
Member

knabben commented Nov 3, 2024

Hey @enj @aramase @thockin

⚠️ I see this PR is labeled for the v1.32 release. It also hasn't being active in a while. Do we still intend to merge this for v1.32?
Just a reminder that the code freeze is starting 02:00 UTC Friday November 8th 2024 (a little less than 1 week from now). Please make sure the PR has both lgtm and approved labels before the code freeze. Thanks!

@enj
Copy link
Member Author

enj commented Nov 14, 2024

/milestone v1.33

I will sort it out next release.

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.32, v1.33 Nov 14, 2024
@mepi262
Copy link

mepi262 commented Feb 10, 2025

@enj
It seems that this pull request has conflicts.
Would you resolve it?

@wendy-ha18
Copy link
Member

Hello @enj @aramase
This PR has not been updated for a long time, so I'd like to check what's the status. If there's anything we can do, please let us know.

Friendly reminder that code freeze is starting at 02:00 UTC Friday 21st March 2025 (about 4 weeks from now), and while there is still time, we want to ensure that each PR has a chance to be merged on time.

As the issue is tagged for 1.33, is it still planned for this release?

@wendy-ha18
Copy link
Member

Hi @enj @aramase

Just want to checking again whether this issue is still plan to resolve for v1.33 release?

If so, a gentle reminder that the code freeze has started 02:00 UTC Friday 21st March 2025 . Please make sure related PRs have both lgtm and approved labels ASAP, and file an Exception if you haven't done it yet.
Thanks!

@liggitt liggitt modified the milestones: v1.33, v1.34 Apr 9, 2025
@Rajalakshmi-Girish Rajalakshmi-Girish moved this from Tracked to Pending inclusion in [sig-release] Bug Triage May 21, 2025
@Rajalakshmi-Girish
Copy link
Contributor

Rajalakshmi-Girish commented Jun 30, 2025
edited
Loading

Hello @enj @aramase

This pr has not been updated for a long time, so I'd like to check what's the status. If there's anything we can do, please let us know.

The code freeze is starting 02:00 UTC Friday 25th July 2025 (about 4 weeks from now).

As the issue is tagged for 1.34, is it still planned for this release? Please make sure the PR has both lgtm and approved labels before the code freeze.

Thanks!

@Rajalakshmi-Girish Rajalakshmi-Girish moved this from Pending inclusion to Tracked in [sig-release] Bug Triage Jun 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@apelisse apelisse Awaiting requested review from apelisse

@thockin thockin Awaiting requested review from thockin

Assignees

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/bug Categorizes issue or PR as related to a bug. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Status: In Review
[sig-release] Bug Triage
Status: Tracked
Milestone
v1.34
Development

Successfully merging this pull request may close these issues.