Merge pull request kubernetes#128077 from aramase/aramase/f/kep_4412_sa_node_aud_restriction

Enforce service account node audience restriction

Author: k8s-ci-robot

pkg/features/kube_features.go

@@ -585,6 +585,13 @@ const (
 	// Decouples Taint Eviction Controller, performing taint-based Pod eviction, from Node Lifecycle Controller.
 	SeparateTaintEvictionController featuregate.Feature = "SeparateTaintEvictionController"
 
+	// owner: @aramase
+	// kep: https://kep.k8s.io/4412
+	//
+	// ServiceAccountNodeAudienceRestriction is used to restrict the audience for which the
+	// kubelet can request a service account token for.
+	ServiceAccountNodeAudienceRestriction featuregate.Feature = "ServiceAccountNodeAudienceRestriction"
+
 	// owner: @munnerz
 	// kep: http://kep.k8s.io/4193
 	//

pkg/features/versioned_kube_features.go

@@ -662,6 +662,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	ServiceAccountNodeAudienceRestriction: {
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.Beta},
+	},
+
 	ServiceAccountTokenJTI: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},

plugin/pkg/admission/noderestriction/admission.go

@@ -24,17 +24,21 @@ import (
 	"strings"
 
 	"github.com/google/go-cmp/cmp"
+
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/labels"
+	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apiserver/pkg/admission"
 	apiserveradmission "k8s.io/apiserver/pkg/admission/initializer"
 	"k8s.io/client-go/informers"
 	corev1lister "k8s.io/client-go/listers/core/v1"
+	storagelisters "k8s.io/client-go/listers/storage/v1"
 	"k8s.io/component-base/featuregate"
+	"k8s.io/component-helpers/storage/ephemeral"
 	kubeletapis "k8s.io/kubelet/pkg/apis"
 	podutil "k8s.io/kubernetes/pkg/api/pod"
 	authenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
@@ -43,7 +47,7 @@ import (
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/resource"
-	storage "k8s.io/kubernetes/pkg/apis/storage"
+	"k8s.io/kubernetes/pkg/apis/storage"
 	"k8s.io/kubernetes/pkg/auth/nodeidentifier"
 	"k8s.io/kubernetes/pkg/features"
 )
@@ -70,13 +74,17 @@ func NewPlugin(nodeIdentifier nodeidentifier.NodeIdentifier) *Plugin {
 // Plugin holds state for and implements the admission plugin.
 type Plugin struct {
 	*admission.Handler
-	nodeIdentifier nodeidentifier.NodeIdentifier
-	podsGetter     corev1lister.PodLister
-	nodesGetter    corev1lister.NodeLister
+	nodeIdentifier  nodeidentifier.NodeIdentifier
+	podsGetter      corev1lister.PodLister
+	nodesGetter     corev1lister.NodeLister
+	csiDriverGetter storagelisters.CSIDriverLister
+	pvcGetter       corev1lister.PersistentVolumeClaimLister
+	pvGetter        corev1lister.PersistentVolumeLister
 
 	expansionRecoveryEnabled                       bool
 	dynamicResourceAllocationEnabled               bool
 	allowInsecureKubeletCertificateSigningRequests bool
+	serviceAccountNodeAudienceRestriction          bool
 }
 
 var (
@@ -90,12 +98,18 @@ func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
 	p.expansionRecoveryEnabled = featureGates.Enabled(features.RecoverVolumeExpansionFailure)
 	p.dynamicResourceAllocationEnabled = featureGates.Enabled(features.DynamicResourceAllocation)
 	p.allowInsecureKubeletCertificateSigningRequests = featureGates.Enabled(features.AllowInsecureKubeletCertificateSigningRequests)
+	p.serviceAccountNodeAudienceRestriction = featureGates.Enabled(features.ServiceAccountNodeAudienceRestriction)
 }
 
 // SetExternalKubeInformerFactory registers an informer factory into Plugin
 func (p *Plugin) SetExternalKubeInformerFactory(f informers.SharedInformerFactory) {
 	p.podsGetter = f.Core().V1().Pods().Lister()
 	p.nodesGetter = f.Core().V1().Nodes().Lister()
+	if p.serviceAccountNodeAudienceRestriction {
+		p.csiDriverGetter = f.Storage().V1().CSIDrivers().Lister()
+		p.pvcGetter = f.Core().V1().PersistentVolumeClaims().Lister()
+		p.pvGetter = f.Core().V1().PersistentVolumes().Lister()
+	}
 }
 
 // ValidateInitialization validates the Plugin was initialized properly
@@ -109,6 +123,17 @@ func (p *Plugin) ValidateInitialization() error {
 	if p.nodesGetter == nil {
 		return fmt.Errorf("%s requires a node getter", PluginName)
 	}
+	if p.serviceAccountNodeAudienceRestriction {
+		if p.csiDriverGetter == nil {
+			return fmt.Errorf("%s requires a CSI driver getter", PluginName)
+		}
+		if p.pvcGetter == nil {
+			return fmt.Errorf("%s requires a PVC getter", PluginName)
+		}
+		if p.pvGetter == nil {
+			return fmt.Errorf("%s requires a PV getter", PluginName)
+		}
+	}
 	return nil
 }
 
@@ -594,6 +619,12 @@ func (p *Plugin) admitServiceAccount(nodeName string, a admission.Attributes) er
 		return admission.NewForbidden(a, fmt.Errorf("node requested token bound to a pod scheduled on a different node"))
 	}
 
+	if p.serviceAccountNodeAudienceRestriction {
+		if err := p.validateNodeServiceAccountAudience(tr, pod); err != nil {
+			return admission.NewForbidden(a, err)
+		}
+	}
+
 	// Note: A token may only be bound to one object at a time. By requiring
 	// the Pod binding, noderestriction eliminates the opportunity to spoof
 	// a Node binding. Instead, kube-apiserver automatically infers and sets
@@ -603,6 +634,106 @@ func (p *Plugin) admitServiceAccount(nodeName string, a admission.Attributes) er
 	return nil
 }
 
+func (p *Plugin) validateNodeServiceAccountAudience(tr *authenticationapi.TokenRequest, pod *v1.Pod) error {
+	// ensure all items in tr.Spec.Audiences are present in a volume mount in the pod
+	requestedAudience := ""
+	switch len(tr.Spec.Audiences) {
+	case 0:
+		requestedAudience = ""
+	case 1:
+		requestedAudience = tr.Spec.Audiences[0]
+	default:
+		return fmt.Errorf("node may only request 0 or 1 audiences")
+	}
+
+	foundAudiencesInPodSpec, err := p.podReferencesAudience(pod, requestedAudience)
+	if err != nil {
+		return fmt.Errorf("error validating audience %q: %w", requestedAudience, err)
+	}
+	if !foundAudiencesInPodSpec {
+		return fmt.Errorf("audience %q not found in pod spec volume", requestedAudience)
+	}
+	return nil
+}
+
+func (p *Plugin) podReferencesAudience(pod *v1.Pod, audience string) (bool, error) {
+	var errs []error
+
+	for _, v := range pod.Spec.Volumes {
+		if v.Projected != nil {
+			for _, src := range v.Projected.Sources {
+				if src.ServiceAccountToken != nil && src.ServiceAccountToken.Audience == audience {
+					return true, nil
+				}
+			}
+		}
+
+		// also allow audiences for CSI token requests
+		// - pod --> ephemeral --> pvc --> pv --> csi --> driver --> tokenrequest with audience
+		// - pod --> pvc --> pv --> csi --> driver --> tokenrequest with audience
+		// - pod --> csi --> driver --> tokenrequest with audience
+		var driverName string
+		var err error
+		switch {
+		case v.Ephemeral != nil && v.Ephemeral.VolumeClaimTemplate != nil:
+			pvcName := ephemeral.VolumeClaimName(pod, &v)
+			driverName, err = p.getCSIFromPVC(pod.Namespace, pvcName)
+		case v.PersistentVolumeClaim != nil:
+			driverName, err = p.getCSIFromPVC(pod.Namespace, v.PersistentVolumeClaim.ClaimName)
+		case v.CSI != nil:
+			driverName = v.CSI.Driver
+		}
+
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+
+		if len(driverName) > 0 {
+			hasAudience, hasAudienceErr := p.csiDriverHasAudience(driverName, audience)
+			if hasAudienceErr != nil {
+				errs = append(errs, hasAudienceErr)
+				continue
+			}
+			if hasAudience {
+				return true, nil
+			}
+		}
+	}
+
+	return false, utilerrors.NewAggregate(errs)
+}
+
+// getCSIFromPVC returns the CSI driver name from the PVC->PV->CSI->Driver chain
+func (p *Plugin) getCSIFromPVC(namespace, claimName string) (string, error) {
+	pvc, err := p.pvcGetter.PersistentVolumeClaims(namespace).Get(claimName)
+	if err != nil {
+		return "", err
+	}
+	pv, err := p.pvGetter.Get(pvc.Spec.VolumeName)
+	if err != nil {
+		return "", err
+	}
+	if pv.Spec.CSI != nil {
+		return pv.Spec.CSI.Driver, nil
+	}
+	return "", nil
+}
+
+func (p *Plugin) csiDriverHasAudience(driverName, audience string) (bool, error) {
+	driver, err := p.csiDriverGetter.Get(driverName)
+	if err != nil {
+		return false, err
+	}
+
+	for _, tokenRequest := range driver.Spec.TokenRequests {
+		if tokenRequest.Audience == audience {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 func (p *Plugin) admitLease(nodeName string, a admission.Attributes) error {
 	// the request must be against the system namespace reserved for node leases
 	if a.GetNamespace() != api.NamespaceNodeLease {