Merge pull request #3565 from ntnn/kcp3513-per-workspace-auth-system

Add authenticated group adder to workspace auth

Author: kcp-ci-bot

docs/content/concepts/authentication/workspace.md

@@ -45,6 +45,8 @@ This feature has some small limitations that users should keep in mind:
 * Workspace authenticators are started asynchronously and it will take a couple of seconds for them to be ready.
 * The workspace authentication in the localproxy, as part of a single shard server, only knows about the data on the local shard and cannot handle cross-shard authentication. Users are advised to use the front-proxy instead.
 * Even when the feature is disabled on all shards and all front-proxies, the API (CRDs) are always available in kcp. Admins might uses RBAC or webhooks to prevent creating `WorkspaceAuthenticationConfiguration` objects if needed.
+* It is not possible to authenticate users with a username starting with with `system:` through per-workspace authentication.
+* It is not possible to assign groups starting with `system:` to users authenticated via per-workspace authentication, e.g. via claim mappings.
 
 ## Example
 

pkg/authentication/authenticators.go

@@ -47,9 +47,7 @@ func withClusterScope(delegate authenticator.Request) authenticator.Request {
 			if extra == nil {
 				extra = map[string][]string{}
 			}
-			if true {
-				extra["authentication.kcp.io/scopes"] = append(extra["authentication.kcp.io/scopes"], fmt.Sprintf("cluster:%s", cluster))
-			}
+			extra["authentication.kcp.io/scopes"] = append(extra["authentication.kcp.io/scopes"], fmt.Sprintf("cluster:%s", cluster))
 
 			response.User = &user.DefaultInfo{
 				Name:   response.User.GetName(),

pkg/authentication/filters.go

@@ -21,6 +21,7 @@ import (
 	"net/http"
 
 	"k8s.io/apiserver/pkg/authentication/authenticator"
+	"k8s.io/apiserver/pkg/authentication/group"
 
 	"github.com/kcp-dev/kcp/pkg/proxy/lookup"
 )
@@ -43,6 +44,8 @@ func WithWorkspaceAuthResolver(handler http.Handler, authIndex AuthenticatorInde
 			return
 		}
 
+		authn = group.NewAuthenticatedGroupAdder(authn)
+
 		// make the authenticator always add the target cluster to the user scopes
 		authn = withClusterScope(authn)
 

test/e2e/authentication/workspace_test.go

@@ -122,7 +122,6 @@ func TestWorkspaceOIDC(t *testing.T) {
 
 	for _, path := range []logicalcluster.Path{teamAPath, teamBPath, teamCPath} {
 		t.Logf("An unauthenticated user shouldn't be able to list ConfigMaps in %s...", path)
-
 		_, err = randoKubeClusterClient.Cluster(path).CoreV1().ConfigMaps("default").List(ctx, metav1.ListOptions{})
 		require.Error(t, err)
 	}
@@ -241,7 +240,6 @@ func TestWorkspaceOIDC(t *testing.T) {
 
 						require.Eventually(t, func() bool {
 							_, err := client.Cluster(workspace).CoreV1().ConfigMaps("default").List(ctx, metav1.ListOptions{})
-
 							return err == nil
 						}, wait.ForeverTestTimeout, 500*time.Millisecond)
 					} else {
@@ -282,7 +280,7 @@ func TestUserScope(t *testing.T) {
 		userName       = "peter"
 		userEmail      = "[email protected]"
 		userGroups     = []string{"developers", "admins"}
-		expectedGroups = []string{}
+		expectedGroups = []string{"system:authenticated"}
 	)
 
 	for _, group := range userGroups {
@@ -377,7 +375,6 @@ func TestForbiddenSystemAccess(t *testing.T) {
 	t.Log("Waiting for authenticator to be ready...")
 	require.Eventually(t, func() bool {
 		_, err := client.Cluster(teamPath).CoreV1().ConfigMaps("default").List(ctx, metav1.ListOptions{})
-
 		return err == nil
 	}, wait.ForeverTestTimeout, 500*time.Millisecond)