2023-02-03 22:47:52 +00:00
|
|
|
// Copyright (c) Tailscale Inc & AUTHORS
|
|
|
|
// SPDX-License-Identifier: BSD-3-Clause
|
|
|
|
|
2023-08-24 22:02:42 +00:00
|
|
|
//go:build !plan9
|
|
|
|
|
2023-02-03 22:47:52 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2023-03-23 18:37:26 +00:00
|
|
|
"crypto/tls"
|
2023-02-03 22:47:52 +00:00
|
|
|
"fmt"
|
|
|
|
"log"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httputil"
|
|
|
|
"net/url"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
|
2023-08-23 15:20:14 +00:00
|
|
|
"go.uber.org/zap"
|
|
|
|
"k8s.io/client-go/rest"
|
|
|
|
"k8s.io/client-go/transport"
|
2023-02-03 22:47:52 +00:00
|
|
|
"tailscale.com/client/tailscale"
|
|
|
|
"tailscale.com/client/tailscale/apitype"
|
2024-06-10 15:36:22 +00:00
|
|
|
tskube "tailscale.com/kube"
|
2023-08-16 20:20:55 +00:00
|
|
|
"tailscale.com/tailcfg"
|
2023-03-13 19:06:24 +00:00
|
|
|
"tailscale.com/tsnet"
|
2023-08-30 16:49:11 +00:00
|
|
|
"tailscale.com/util/clientmetric"
|
2024-01-16 21:56:23 +00:00
|
|
|
"tailscale.com/util/ctxkey"
|
2023-08-16 20:20:55 +00:00
|
|
|
"tailscale.com/util/set"
|
2023-02-03 22:47:52 +00:00
|
|
|
)
|
|
|
|
|
2024-01-16 21:56:23 +00:00
|
|
|
var whoIsKey = ctxkey.New("", (*apitype.WhoIsResponse)(nil))
|
2023-08-16 20:20:55 +00:00
|
|
|
|
2023-08-30 16:49:11 +00:00
|
|
|
var counterNumRequestsProxied = clientmetric.NewCounter("k8s_auth_proxy_requests_proxied")
|
|
|
|
|
2023-09-14 15:53:21 +00:00
|
|
|
type apiServerProxyMode int
|
|
|
|
|
|
|
|
const (
|
|
|
|
apiserverProxyModeDisabled apiServerProxyMode = iota
|
|
|
|
apiserverProxyModeEnabled
|
|
|
|
apiserverProxyModeNoAuth
|
|
|
|
)
|
|
|
|
|
|
|
|
func parseAPIProxyMode() apiServerProxyMode {
|
|
|
|
haveAuthProxyEnv := os.Getenv("AUTH_PROXY") != ""
|
|
|
|
haveAPIProxyEnv := os.Getenv("APISERVER_PROXY") != ""
|
|
|
|
switch {
|
|
|
|
case haveAPIProxyEnv && haveAuthProxyEnv:
|
|
|
|
log.Fatal("AUTH_PROXY and APISERVER_PROXY are mutually exclusive")
|
|
|
|
case haveAuthProxyEnv:
|
|
|
|
var authProxyEnv = defaultBool("AUTH_PROXY", false) // deprecated
|
|
|
|
if authProxyEnv {
|
|
|
|
return apiserverProxyModeEnabled
|
|
|
|
}
|
|
|
|
return apiserverProxyModeDisabled
|
|
|
|
case haveAPIProxyEnv:
|
|
|
|
var apiProxyEnv = defaultEnv("APISERVER_PROXY", "") // true, false or "noauth"
|
|
|
|
switch apiProxyEnv {
|
|
|
|
case "true":
|
|
|
|
return apiserverProxyModeEnabled
|
|
|
|
case "false", "":
|
|
|
|
return apiserverProxyModeDisabled
|
|
|
|
case "noauth":
|
|
|
|
return apiserverProxyModeNoAuth
|
|
|
|
default:
|
|
|
|
panic(fmt.Sprintf("unknown APISERVER_PROXY value %q", apiProxyEnv))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return apiserverProxyModeDisabled
|
|
|
|
}
|
|
|
|
|
|
|
|
// maybeLaunchAPIServerProxy launches the auth proxy, which is a small HTTP server
|
|
|
|
// that authenticates requests using the Tailscale LocalAPI and then proxies
|
|
|
|
// them to the kube-apiserver.
|
2023-11-02 14:36:20 +00:00
|
|
|
func maybeLaunchAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config, s *tsnet.Server, mode apiServerProxyMode) {
|
2023-09-14 15:53:21 +00:00
|
|
|
if mode == apiserverProxyModeDisabled {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
startlog := zlog.Named("launchAPIProxy")
|
2023-11-01 19:24:44 +00:00
|
|
|
if mode == apiserverProxyModeNoAuth {
|
|
|
|
restConfig = rest.AnonymousClientConfig(restConfig)
|
|
|
|
}
|
2023-08-23 15:20:14 +00:00
|
|
|
cfg, err := restConfig.TransportConfig()
|
|
|
|
if err != nil {
|
|
|
|
startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Kubernetes uses SPDY for exec and port-forward, however SPDY is
|
|
|
|
// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
|
|
|
|
tr := http.DefaultTransport.(*http.Transport).Clone()
|
|
|
|
tr.TLSClientConfig, err = transport.TLSConfigFor(cfg)
|
|
|
|
if err != nil {
|
|
|
|
startlog.Fatalf("could not get transport.TLSConfigFor(): %v", err)
|
|
|
|
}
|
|
|
|
tr.TLSNextProto = make(map[string]func(authority string, c *tls.Conn) http.RoundTripper)
|
|
|
|
|
|
|
|
rt, err := transport.HTTPWrappersForConfig(cfg, tr)
|
|
|
|
if err != nil {
|
|
|
|
startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
|
|
|
|
}
|
2023-11-20 15:41:18 +00:00
|
|
|
go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy"), mode)
|
2023-08-23 15:20:14 +00:00
|
|
|
}
|
|
|
|
|
2023-09-14 15:53:21 +00:00
|
|
|
// apiserverProxy is an http.Handler that authenticates requests using the Tailscale
|
2023-02-03 22:47:52 +00:00
|
|
|
// LocalAPI and then proxies them to the Kubernetes API.
|
2023-09-14 15:53:21 +00:00
|
|
|
type apiserverProxy struct {
|
2023-11-20 15:41:18 +00:00
|
|
|
log *zap.SugaredLogger
|
|
|
|
lc *tailscale.LocalClient
|
|
|
|
rp *httputil.ReverseProxy
|
2023-02-03 22:47:52 +00:00
|
|
|
}
|
|
|
|
|
2023-09-14 15:53:21 +00:00
|
|
|
func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
2023-02-03 22:47:52 +00:00
|
|
|
who, err := h.lc.WhoIs(r.Context(), r.RemoteAddr)
|
|
|
|
if err != nil {
|
2023-11-20 15:41:18 +00:00
|
|
|
h.log.Errorf("failed to authenticate caller: %v", err)
|
2023-02-03 22:47:52 +00:00
|
|
|
http.Error(w, "failed to authenticate caller", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
2023-08-30 16:49:11 +00:00
|
|
|
counterNumRequestsProxied.Add(1)
|
2024-01-16 21:56:23 +00:00
|
|
|
h.rp.ServeHTTP(w, r.WithContext(whoIsKey.WithValue(r.Context(), who)))
|
2023-02-03 22:47:52 +00:00
|
|
|
}
|
|
|
|
|
2023-09-14 15:53:21 +00:00
|
|
|
// runAPIServerProxy runs an HTTP server that authenticates requests using the
|
2023-03-13 19:06:24 +00:00
|
|
|
// Tailscale LocalAPI and then proxies them to the Kubernetes API.
|
|
|
|
// It listens on :443 and uses the Tailscale HTTPS certificate.
|
|
|
|
// s will be started if it is not already running.
|
|
|
|
// rt is used to proxy requests to the Kubernetes API.
|
|
|
|
//
|
2023-09-14 15:53:21 +00:00
|
|
|
// mode controls how the proxy behaves:
|
|
|
|
// - apiserverProxyModeDisabled: the proxy is not started.
|
|
|
|
// - apiserverProxyModeEnabled: the proxy is started and requests are impersonated using the
|
|
|
|
// caller's identity from the Tailscale LocalAPI.
|
|
|
|
// - apiserverProxyModeNoAuth: the proxy is started and requests are not impersonated and
|
|
|
|
// are passed through to the Kubernetes API.
|
|
|
|
//
|
2023-03-13 19:06:24 +00:00
|
|
|
// It never returns.
|
2023-11-20 15:41:18 +00:00
|
|
|
func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLogger, mode apiServerProxyMode) {
|
2023-09-14 15:53:21 +00:00
|
|
|
if mode == apiserverProxyModeDisabled {
|
|
|
|
return
|
|
|
|
}
|
2023-03-23 18:37:26 +00:00
|
|
|
ln, err := s.Listen("tcp", ":443")
|
2023-03-13 19:06:24 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Fatalf("could not listen on :443: %v", err)
|
|
|
|
}
|
2023-02-03 22:47:52 +00:00
|
|
|
u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
|
|
|
|
if err != nil {
|
2023-09-14 15:53:21 +00:00
|
|
|
log.Fatalf("runAPIServerProxy: failed to parse URL %v", err)
|
2023-02-03 22:47:52 +00:00
|
|
|
}
|
2023-03-13 19:06:24 +00:00
|
|
|
|
|
|
|
lc, err := s.LocalClient()
|
|
|
|
if err != nil {
|
|
|
|
log.Fatalf("could not get local client: %v", err)
|
|
|
|
}
|
2023-09-14 15:53:21 +00:00
|
|
|
ap := &apiserverProxy{
|
2023-11-20 15:41:18 +00:00
|
|
|
log: log,
|
|
|
|
lc: lc,
|
2023-02-03 22:47:52 +00:00
|
|
|
rp: &httputil.ReverseProxy{
|
2023-11-01 18:15:57 +00:00
|
|
|
Rewrite: func(r *httputil.ProxyRequest) {
|
2023-08-16 20:20:55 +00:00
|
|
|
// Replace the URL with the Kubernetes APIServer.
|
2023-11-01 18:15:57 +00:00
|
|
|
|
|
|
|
r.Out.URL.Scheme = u.Scheme
|
|
|
|
r.Out.URL.Host = u.Host
|
2023-09-14 15:53:21 +00:00
|
|
|
if mode == apiserverProxyModeNoAuth {
|
|
|
|
// If we are not providing authentication, then we are just
|
|
|
|
// proxying to the Kubernetes API, so we don't need to do
|
|
|
|
// anything else.
|
|
|
|
return
|
|
|
|
}
|
2023-08-16 20:20:55 +00:00
|
|
|
|
2023-03-13 15:48:09 +00:00
|
|
|
// We want to proxy to the Kubernetes API, but we want to use
|
|
|
|
// the caller's identity to do so. We do this by impersonating
|
|
|
|
// the caller using the Kubernetes User Impersonation feature:
|
|
|
|
// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
|
2023-02-03 22:47:52 +00:00
|
|
|
|
2023-03-13 15:48:09 +00:00
|
|
|
// Out of paranoia, remove all authentication headers that might
|
|
|
|
// have been set by the client.
|
2023-11-01 18:15:57 +00:00
|
|
|
r.Out.Header.Del("Authorization")
|
|
|
|
r.Out.Header.Del("Impersonate-Group")
|
|
|
|
r.Out.Header.Del("Impersonate-User")
|
|
|
|
r.Out.Header.Del("Impersonate-Uid")
|
|
|
|
for k := range r.Out.Header {
|
2023-02-03 22:47:52 +00:00
|
|
|
if strings.HasPrefix(k, "Impersonate-Extra-") {
|
2023-11-01 18:15:57 +00:00
|
|
|
r.Out.Header.Del(k)
|
2023-02-03 22:47:52 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-03-13 15:48:09 +00:00
|
|
|
// Now add the impersonation headers that we want.
|
2023-11-20 15:41:18 +00:00
|
|
|
if err := addImpersonationHeaders(r.Out, log); err != nil {
|
2023-08-16 20:20:55 +00:00
|
|
|
panic("failed to add impersonation headers: " + err.Error())
|
2023-03-13 15:48:09 +00:00
|
|
|
}
|
2023-02-03 22:47:52 +00:00
|
|
|
},
|
|
|
|
Transport: rt,
|
|
|
|
},
|
|
|
|
}
|
2023-03-23 18:37:26 +00:00
|
|
|
hs := &http.Server{
|
|
|
|
// Kubernetes uses SPDY for exec and port-forward, however SPDY is
|
|
|
|
// incompatible with HTTP/2; so disable HTTP/2 in the proxy.
|
|
|
|
TLSConfig: &tls.Config{
|
|
|
|
GetCertificate: lc.GetCertificate,
|
|
|
|
NextProtos: []string{"http/1.1"},
|
|
|
|
},
|
|
|
|
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
|
|
|
|
Handler: ap,
|
|
|
|
}
|
2023-11-20 15:41:18 +00:00
|
|
|
log.Infof("listening on %s", ln.Addr())
|
2023-03-23 18:37:26 +00:00
|
|
|
if err := hs.ServeTLS(ln, "", ""); err != nil {
|
2023-09-14 15:53:21 +00:00
|
|
|
log.Fatalf("runAPIServerProxy: failed to serve %v", err)
|
2023-02-03 22:47:52 +00:00
|
|
|
}
|
|
|
|
}
|
2023-08-16 20:20:55 +00:00
|
|
|
|
2023-12-11 19:51:20 +00:00
|
|
|
const (
|
2024-06-04 17:31:37 +00:00
|
|
|
// oldCapabilityName is a legacy form of
|
|
|
|
// tailfcg.PeerCapabilityKubernetes capability. The only capability rule
|
|
|
|
// that is respected for this form is group impersonation - for
|
|
|
|
// backwards compatibility reasons.
|
2024-06-10 15:36:22 +00:00
|
|
|
// TODO (irbekrm): determine if anyone uses this and remove if possible.
|
2024-06-04 17:31:37 +00:00
|
|
|
oldCapabilityName = "https://" + tailcfg.PeerCapabilityKubernetes
|
2023-12-11 19:51:20 +00:00
|
|
|
)
|
2023-08-16 20:20:55 +00:00
|
|
|
|
|
|
|
// addImpersonationHeaders adds the appropriate headers to r to impersonate the
|
|
|
|
// caller when proxying to the Kubernetes API. It uses the WhoIsResponse stashed
|
2023-09-14 15:53:21 +00:00
|
|
|
// in the context by the apiserverProxy.
|
2023-11-20 15:41:18 +00:00
|
|
|
func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
|
|
|
|
log = log.With("remote", r.RemoteAddr)
|
2024-01-16 21:56:23 +00:00
|
|
|
who := whoIsKey.Value(r.Context())
|
2024-06-10 15:36:22 +00:00
|
|
|
rules, err := tailcfg.UnmarshalCapJSON[tskube.KubernetesCapRule](who.CapMap, tailcfg.PeerCapabilityKubernetes)
|
2023-12-11 19:51:20 +00:00
|
|
|
if len(rules) == 0 && err == nil {
|
|
|
|
// Try the old capability name for backwards compatibility.
|
2024-06-10 15:36:22 +00:00
|
|
|
rules, err = tailcfg.UnmarshalCapJSON[tskube.KubernetesCapRule](who.CapMap, oldCapabilityName)
|
2023-12-11 19:51:20 +00:00
|
|
|
}
|
2023-08-16 20:20:55 +00:00
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("failed to unmarshal capability: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var groupsAdded set.Slice[string]
|
|
|
|
for _, rule := range rules {
|
|
|
|
if rule.Impersonate == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
for _, group := range rule.Impersonate.Groups {
|
|
|
|
if groupsAdded.Contains(group) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
r.Header.Add("Impersonate-Group", group)
|
|
|
|
groupsAdded.Add(group)
|
2023-11-20 15:41:18 +00:00
|
|
|
log.Debugf("adding group impersonation header for user group %s", group)
|
2023-08-16 20:20:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !who.Node.IsTagged() {
|
|
|
|
r.Header.Set("Impersonate-User", who.UserProfile.LoginName)
|
2023-11-20 15:41:18 +00:00
|
|
|
log.Debugf("adding user impersonation header for user %s", who.UserProfile.LoginName)
|
2023-08-16 20:20:55 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
// "Impersonate-Group" requires "Impersonate-User" to be set, so we set it
|
|
|
|
// to the node FQDN for tagged nodes.
|
2023-11-20 15:41:18 +00:00
|
|
|
nodeName := strings.TrimSuffix(who.Node.Name, ".")
|
|
|
|
r.Header.Set("Impersonate-User", nodeName)
|
|
|
|
log.Debugf("adding user impersonation header for node name %s", nodeName)
|
2023-08-16 20:20:55 +00:00
|
|
|
|
|
|
|
// For legacy behavior (before caps), set the groups to the nodes tags.
|
|
|
|
if groupsAdded.Slice().Len() == 0 {
|
|
|
|
for _, tag := range who.Node.Tags {
|
|
|
|
r.Header.Add("Impersonate-Group", tag)
|
2023-11-20 15:41:18 +00:00
|
|
|
log.Debugf("adding group impersonation header for node tag %s", tag)
|
2023-08-16 20:20:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|