Merge pull request #138 from JoshVanL/handler-auditing

Auditing

Author: jetstack-bot

Dockerfile

@@ -2,7 +2,7 @@
 FROM alpine:3.10
 LABEL description="OIDC reverse proxy authenticator based on Kubernetes"
 
-RUN apk --no-cache --update add ca-certificates
+RUN apk --no-cache add ca-certificates
 
 COPY ./bin/kube-oidc-proxy-linux /usr/bin/kube-oidc-proxy
 

README.md

@@ -129,6 +129,7 @@ users:
  - [Token Passthrough](./docs/tasks/token-passthrough.md)
  - [No Impersonation](./docs/tasks/no-impersonation.md)
  - [Extra Impersonations Headers](./docs/tasks/extra-impersonation-headers.md)
+ - [Auditing](./docs/tasks/auditing.md)
 
 ## Development
 *NOTE*: building kube-oidc-proxy requires Go version 1.12 or higher.

cmd/app/options/options.go

@@ -19,6 +19,7 @@ type Options struct {
 	App                *KubeOIDCProxyOptions
 	OIDCAuthentication *OIDCAuthenticationOptions
 	SecureServing      *SecureServingOptions
+	Audit              *AuditOptions
 	Client             *ClientOptions
 	Misc               *MiscOptions
 
@@ -33,6 +34,7 @@ func New() *Options {
 		App:                NewKubeOIDCProxyOptions(nfs),
 		OIDCAuthentication: NewOIDCAuthenticationOptions(nfs),
 		SecureServing:      NewSecureServingOptions(nfs),
+		Audit:              NewAuditOptions(nfs),
 		Client:             NewClientOptions(nfs),
 		Misc:               NewMiscOptions(nfs),
 
@@ -80,11 +82,19 @@ func (o *Options) Validate(cmd *cobra.Command) error {
 		errs = append(errs, errors.New("unable to securely serve on port 8080 (used by readiness probe)"))
 	}
 
+	if err := o.Audit.Validate(); len(err) > 0 {
+		errs = append(errs, err...)
+	}
+
 	if o.App.DisableImpersonation &&
 		(o.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader || len(o.App.ExtraHeaderOptions.ExtraUserHeaders) > 0) {
 		errs = append(errs, errors.New("cannot add extra user headers when impersonation disabled"))
 	}
 
+	if o.Audit.DynamicOptions.Enabled {
+		errs = append(errs, errors.New("The flag --audit-dynamic-configuration may not be set"))
+	}
+
 	if len(errs) > 0 {
 		return k8sErrors.NewAggregate(errs)
 	}

cmd/app/run.go

@@ -76,14 +76,15 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 				TokenReview:          opts.App.TokenPassthrough.Enabled,
 				DisableImpersonation: opts.App.DisableImpersonation,
 
-				FlushInterval: opts.App.FlushInterval,
+				FlushInterval:   opts.App.FlushInterval,
+				ExternalAddress: opts.SecureServing.BindAddress.String(),
 
 				ExtraUserHeaders:                opts.App.ExtraHeaderOptions.ExtraUserHeaders,
 				ExtraUserHeadersClientIPEnabled: opts.App.ExtraHeaderOptions.EnableClientIPExtraUserHeader,
 			}
 
 			// Initialise proxy with OIDC token authenticator
-			p, err := proxy.New(restConfig, opts.OIDCAuthentication,
+			p, err := proxy.New(restConfig, opts.OIDCAuthentication, opts.Audit,
 				tokenReviewer, secureServingInfo, proxyConfig)
 			if err != nil {
 				return err
@@ -109,6 +110,10 @@ func buildRunCommand(stopCh <-chan struct{}, opts *options.Options) *cobra.Comma
 
 			<-waitCh
 
+			if err := p.RunPreShutdownHooks(); err != nil {
+				return err
+			}
+
 			return nil
 		},
 	}

deploy/charts/kube-oidc-proxy/templates/deployment.yaml

@@ -74,6 +74,9 @@ spec:
           {{- if .Values.extraImpersonationHeaders.headers }}
           - "--extra-user-headers={{ .Values.extraImpersonationHeaders.headers }}"
           {{ end }}
+          {{- range $key, $value := .Values.extraArgs -}}
+          - "--{{ $key }}={{ $value -}}"
+          {{ end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         env:
@@ -135,14 +138,15 @@ spec:
               key: api-audiences
         {{ end }}
         volumeMounts:
-          {{ if .Values.oidc.caPEM }}
+          {{- if .Values.oidc.caPEM }}
           - name: kube-oidc-proxy-config
             mountPath: /etc/oidc
             readOnly: true
           {{ end }}
           - name: kube-oidc-proxy-tls
             mountPath: /etc/oidc/tls
             readOnly: true
+          {{- if .Values.extraVolumeMounts }}{{ toYaml .Values.extraVolumeMounts | trim | nindent 10 }}{{ end }}
       volumes:
         {{ if .Values.oidc.caPEM }}
         - name: kube-oidc-proxy-config
@@ -152,6 +156,7 @@ spec:
             - key: oidc.ca-pem
               path: oidc-ca.pem
         {{ end }}
+        {{- if .Values.extraVolumes }}{{ toYaml .Values.extraVolumes | trim | nindent 8 }}{{ end }}
         - name: kube-oidc-proxy-tls
           secret:
             secretName: {{ $tlsSecretName }}

deploy/charts/kube-oidc-proxy/values.yaml

@@ -60,6 +60,20 @@ extraImpersonationHeaders:
   clientIP: false
   #headers: key1=foo,key2=bar,key1=bar
 
+extraArgs: {}
+  #audit-log-path: /audit-log
+  #audit-policy-file: /audit/audit.yaml
+
+extraVolumeMounts: {}
+  #- name: audit
+  #  mountPath: /audit
+  #  readOnly: true
+
+extraVolumes: {}
+  #- configMap:
+      #defaultMode: 420
+      #name: kube-oidc-proxy-policy
+    #name: audit
 
 ingress:
   enabled: false
@@ -91,6 +105,7 @@ resources: {}
   # requests:
   #   cpu: 100m
   #   memory: 128Mi
+  #
 
 initContainers: []
 

docs/tasks/auditing.md

@@ -0,0 +1,9 @@
+# Auditing
+
+kube-oidc-proxy allows for the ability to audit requests to the proxy. The proxy
+exposes all the same options for auditing that the Kubernetes API server
+provides, however does _not_ support dynamic configuration
+(`--audit-dynamic-configuration`).
+
+You can read more on how to configure and manage auditing in the [Kubernetes
+documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit).

pkg/proxy/audit/audit.go

@@ -0,0 +1,82 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package audit
+
+import (
+	"fmt"
+	"net/http"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
+	"k8s.io/apiserver/pkg/server"
+	genericfilters "k8s.io/apiserver/pkg/server/filters"
+
+	"github.com/jetstack/kube-oidc-proxy/cmd/app/options"
+)
+
+type Audit struct {
+	opts         *options.AuditOptions
+	serverConfig *server.CompletedConfig
+}
+
+// New creates a new Audit struct to handle auditing for proxy requests. This
+// is mostly a wrapper for the apiserver auditing handlers to combine them with
+// the proxy.
+func New(opts *options.AuditOptions, externalAddress string, secureServingInfo *server.SecureServingInfo) (*Audit, error) {
+	serverConfig := &server.Config{
+		ExternalAddress: externalAddress,
+		SecureServing:   secureServingInfo,
+
+		// Default to treating watch as a long-running operation.
+		// Generic API servers have no inherent long-running subresources.
+		// This is so watch requests are handled correctly in the audit log.
+		LongRunningFunc: genericfilters.BasicLongRunningRequestCheck(
+			sets.NewString("watch"), sets.NewString()),
+	}
+
+	// We do not support dynamic auditing, so leave nil
+	if err := opts.ApplyTo(serverConfig, nil, nil, nil, nil); err != nil {
+		return nil, err
+	}
+
+	completed := serverConfig.Complete(nil)
+
+	return &Audit{
+		opts:         opts,
+		serverConfig: &completed,
+	}, nil
+}
+
+// Run will run the audit backend if configured.
+func (a *Audit) Run(stopCh <-chan struct{}) error {
+	if a.serverConfig.AuditBackend != nil {
+		if err := a.serverConfig.AuditBackend.Run(stopCh); err != nil {
+			return fmt.Errorf("failed to run the audit backend: %s", err)
+		}
+	}
+
+	return nil
+}
+
+// Shutdown will shutdown the audit backend if configured.
+func (a *Audit) Shutdown() error {
+	if a.serverConfig.AuditBackend != nil {
+		a.serverConfig.AuditBackend.Shutdown()
+	}
+
+	return nil
+}
+
+// WithRequest will wrap the given handler to inject the request information
+// into the context which is then used by the wrapped audit handler.
+func (a *Audit) WithRequest(handler http.Handler) http.Handler {
+	handler = genericapifilters.WithAudit(handler, a.serverConfig.AuditBackend, a.serverConfig.AuditPolicyChecker, a.serverConfig.LongRunningFunc)
+	return genericapifilters.WithRequestInfo(handler, a.serverConfig.RequestInfoResolver)
+}
+
+// WithUnauthorized will wrap the given handler to inject the request
+// information into the context which is then used by the wrapped audit
+// handler.
+func (a *Audit) WithUnauthorized(handler http.Handler) http.Handler {
+	handler = genericapifilters.WithFailedAuthenticationAudit(handler, a.serverConfig.AuditBackend, a.serverConfig.AuditPolicyChecker)
+	return genericapifilters.WithRequestInfo(handler, a.serverConfig.RequestInfoResolver)
+}

pkg/proxy/audit/handler.go

@@ -0,0 +1,31 @@
+// Copyright Jetstack Ltd. See LICENSE for details.
+package audit
+
+import (
+	"net/http"
+)
+
+// This struct is used to implement an http.Handler interface. This will not
+// actually serve but instead implements auditing during unauthenticated
+// requests. It is expected that consumers of this type will call `ServeHTTP`
+// when an unauthenticated request is received.
+type unauthenticatedHandler struct {
+	serveFunc func(http.ResponseWriter, *http.Request)
+}
+
+func NewUnauthenticatedHandler(a *Audit, serveFunc func(http.ResponseWriter, *http.Request)) http.Handler {
+	u := &unauthenticatedHandler{
+		serveFunc: serveFunc,
+	}
+
+	// if auditor is nil then return without wrapping
+	if a == nil {
+		return u
+	}
+
+	return a.WithUnauthorized(u)
+}
+
+func (u *unauthenticatedHandler) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
+	u.serveFunc(rw, r)
+}

pkg/proxy/handlers.go

@@ -10,13 +10,19 @@ import (
 	"k8s.io/client-go/transport"
 	"k8s.io/klog"
 
+	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/audit"
 	"github.com/jetstack/kube-oidc-proxy/pkg/proxy/context"
 )
 
 func (p *Proxy) withHandlers(handler http.Handler) http.Handler {
 	// Set up proxy handlers
+	handler = p.auditor.WithRequest(handler)
 	handler = p.withImpersonateRequest(handler)
 	handler = p.withAuthenticateRequest(handler)
+
+	// Add the auditor backend as a shutdown hook
+	p.hooks.AddPreShutdownHook("AuditBackend", p.auditor.Shutdown)
+
 	return handler
 }
 
@@ -159,6 +165,11 @@ func (p *Proxy) withImpersonateRequest(handler http.Handler) http.Handler {
 
 // newErrorHandler returns a handler failed requests.
 func (p *Proxy) newErrorHandler() func(rw http.ResponseWriter, r *http.Request, err error) {
+	unauthedHandler := audit.NewUnauthenticatedHandler(p.auditor, func(rw http.ResponseWriter, r *http.Request) {
+		klog.V(2).Infof("unauthenticated user request %s", r.RemoteAddr)
+		http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+	})
+
 	return func(rw http.ResponseWriter, r *http.Request, err error) {
 		if err == nil {
 			klog.Error("error was called with no error")
@@ -170,8 +181,8 @@ func (p *Proxy) newErrorHandler() func(rw http.ResponseWriter, r *http.Request,
 
 		// Failed auth
 		case errUnauthorized:
-			klog.V(2).Infof("unauthenticated user request %s", r.RemoteAddr)
-			http.Error(rw, "Unauthorized", http.StatusUnauthorized)
+			// If Unauthorized then error and report to audit
+			unauthedHandler.ServeHTTP(rw, r)
 			return
 
 			// User request with impersonation