What happened:
When specifying multiple groups to impersonate, setting `impersonate-group` to a comma-separated list is parsed as a single group name containing the entirety of the header value. See RFC.
Example: `impersonate-group: foo, bar, baz` is parsed as a group named `foo, bar, baz`.
What you expected to happen:
The header is parsed as multiple groups.
Example: `impersonate-group: foo, bar, baz` is parsed as a group list `foo`, `bar`, `baz`.
How to reproduce it (as minimally and precisely as possible):
Docker Desktop, but it should be easily reproducible with minikube, etc. with updated URLs.
Setup:
```shell
# assumes default namespace
kubectl create serviceaccount impersonator
TOKEN=$(kubectl get secret $(kubectl get serviceaccounts impersonator -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -D)
kubectl create clusterrolebinding impersonator --serviceaccount default:impersonator --clusterrole cluster-admin
kubectl create clusterrolebinding group-based-admin --group admins --clusterrole cluster-admin
```
Results in 403:
```shell
curl -v --insecure -H "Authorization: Bearer ${TOKEN}" \
  -H "impersonate-user: XXXXX" \
  -H "impersonate-group: admins, otheradmins" \
  https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods
```
Add CRB for group with commas/space in name:
```shell
kubectl create clusterrolebinding alternate-group-based-admin --group "admins, otheradmins" --clusterrole cluster-admin
```
Results in 200:
```shell
curl -v --insecure -H "Authorization: Bearer ${TOKEN}" \
  -H "impersonate-user: XXXXX" \
  -H "impersonate-group: admins, otheradmins" \
  https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods
```
Anything else we need to know?:
- Proxies and HTTP libraries may not be aware of this limitation and often collapse multi-value headers that are not well known (`set-cookie` is usually an exception).
- It isn't very common or reasonable to expect commas and spaces in groups to be supported.
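The following Go program is an added illustration (not apiserver code) of the two behaviours above: one group per `Impersonate-Group` header line, versus a proxy folding repeated lines into a single comma-joined value, and what that does to a group-based binding lookup. The binding map is a constructed stand-in for RBAC, and `collapseHeader` assumes the proxy joins values with ", ".

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// groupsFromHeader mirrors the parsing described in the report: each
// Impersonate-Group header line is one group; values are never comma-split.
func groupsFromHeader(h http.Header) []string {
	return h.Values("Impersonate-Group")
}

// collapseHeader simulates an intermediary that folds repeated header lines
// into one comma-separated value (assumed proxy behaviour).
func collapseHeader(h http.Header, name string) http.Header {
	out := h.Clone()
	if vals := out.Values(name); len(vals) > 1 {
		out.Set(name, strings.Join(vals, ", "))
	}
	return out
}

// authorized is a constructed stand-in for an RBAC group binding lookup:
// true if any impersonated group has a binding to a role.
func authorized(groups []string, bindings map[string]string) bool {
	for _, g := range groups {
		if _, ok := bindings[g]; ok {
			return true
		}
	}
	return false
}

func main() {
	h := http.Header{}
	h.Add("Impersonate-Group", "admins")
	h.Add("Impersonate-Group", "otheradmins")
	bindings := map[string]string{"admins": "cluster-admin"}

	direct := groupsFromHeader(h)
	fmt.Printf("direct groups %q -> allowed=%v\n", direct, authorized(direct, bindings))

	// After a collapsing proxy the single group "admins, otheradmins"
	// matches no binding (the 403 case) unless a binding with that exact
	// comma-containing name exists (the 200 case).
	folded := groupsFromHeader(collapseHeader(h, "Impersonate-Group"))
	fmt.Printf("folded groups %q -> allowed=%v\n", folded, authorized(folded, bindings))
}
```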
Environment:
- Kubernetes version (use `kubectl version`):
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-16T00:04:31Z", GoVersion:"go1.14.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.6-beta.0", GitCommit:"e7f962ba86f4ce7033828210ca3556393c377bcc", GitTreeState:"clean", BuildDate:"2020-01-15T08:18:29Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}
- Cloud provider or hardware configuration: Docker-Desktop / OSX
- OS (e.g. `cat /etc/os-release`): Docker Desktop
- Kernel (e.g. `uname -a`): 4.19.76-linuxkit
- Install tools: N/A
- Network plugin and version (if this is a network-related bug): N/A
- Others: N/A