[KEP-3104] Update KEP with credential plugin allowlist

[pmengelbert]

• One-line PR description: Update kuberc KEP with credential plugin allowlist

• Issue link: Separate kubectl user preferences from cluster configs #3104

• Other comments:

Currently, the kubeconfig may specify arbitrary binaries to run as
client-go credential plugins. Due to the fact that kubeconfig files are
often generated, and because they contain a lot of noise, there is
significant friction in manually inspecting the kubeconfig for
suspicious binaries after it is generated.

To encourage secure behavior, we want to introduce an allowlist to the
kuberc, which will describe the conditions under which a binary plugin
may be run. Currently the only condition is the name (absolute path or
basename of a binary found in PATH).

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: enj / name: Mo Khan (5c0a1a2)
• ✅ login: pmengelbert / name: Peter Engelbert (b7c62b7, d15a576, 3049564, fc26f15, 23506b7, e72021f, 33248b0, 2276629, ae97a4d)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: pmengelbert
Once this PR has been reviewed and has the lgtm label, please assign mpuckett159 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-cli/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @pmengelbert!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @pmengelbert. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[enj]

/sig auth

[enj]

This LGTM from a SIG Auth perspective (I added us as a participating SIG).

[enj]

/ok-to-test

[ardaguclu]

I think, it makes sense to add an example to show how this will be formed.

[pmengelbert]

There is an example in this same PR, below. Or are you asking for something different?

[ardaguclu]

Does this support $PATH/cred_plugin?. Does full path cover ~/cred_plugin?

[ardaguclu]

Actually this depends on the behavior of os.LookPath

[pmengelbert]

This reminds me: the function is exec.LookPath, not os.LookPath. I made a mistake in this PR and will update it accordingly.

exec.LookPath doesn't do tilde expansion, but that is POSIX shell behavior and not exec syscall behavior (at least on linux). I believe we should stop short of emulating POSIX substitution rules; the user can add e.g. $HOME/bin to their PATH if they want.

[pmengelbert]

This reminds me: the function is exec.LookPath, not os.LookPath. I made a mistake in this PR and will update it accordingly.

This has been fixed

[ardaguclu]

I think, we should mention about this list will not be applied for some commands such as kubectl config view and the reason?.

[pmengelbert]

done

[ardaguclu]

This is API behavior. So I wonder opinions from @liggitt.
credentialPluginAllowlist: nil -- all allowed
credentialPluginAllowlist: [] -- all prohibited

[liggitt]

we try to avoid having an empty list and a nil list behave differently ... it tends to confuse users, and some tools that generate config files will not preserve that distinction

instead, having something explicit in the config to indicate this, either as a fixed special value in the list (e.g. credentialPluginAllowlist: ["none"] or credentialPluginAllowlist: [""]) or as a distinct field that works together with the allowlist field (e.g. credentialPluginPolicy: EnableAll | DisableAll | Allowlist)

[pmengelbert]

Thanks. Of the available options, I prefer the explicit policy. I'd prefer to have these nested under a single top-level grouping, such as

credentialPlugin:
  policy: Allowlist
  allowlist:
    - name: credential-plugin.sh

@ardaguclu @liggitt thoughts on the above?

[liggitt]

Playing out what it would look like for the three possibly ways they'd want to configure this:

Allow all

absent / default

explicit with nested structure:

credentialPlugin:
  policy: AllowAll

explicit with peer structure

credentialPluginPolicy: AllowAll

---

Allow none

nested structure:

credentialPlugin:
  policy: DisableAll

flat structure:

credentialPluginPolicy: DisableAll

---

Allowlist

nested structure:

credentialPlugin:
  policy: Allowlist
  allowlist: [...]

flat structure:

credentialPluginPolicy: Allowlist
credentialPluginAllowlist: [...]

---

The flat structure seems simpler for the existing cases, and avoids the possibility of ~invalid constructions like credentialPlugin: {}. Are there any other credentialPlugin preferences / options we anticipate wanting to group along with these?

[pmengelbert]

I have pushed changes addressing this, opting for the flat structure.

[ardaguclu]

Overall looks good to me. I'll defer the final approval from SIG-CLI POV to @soltysh

[ardaguclu]

is there any other command that will be exceptional like kubectl config view?

[pmengelbert]

Off the top of my head, there are
kubectl config (any subcommand)
kubectl version
kubectl plugin list

Should I update the KEP with a full list?

[liggitt]

hmm... I think it's going to be hard to enumerate every specific command that won't actually use the client. There's lots of commands that only run locally with specific options (e.g. all kubectl create ... --dry-run=client commands, or kubectl {label,annotate,set} --local)

I think the implementation should be structured so that it intercepts attempts to use a non-allowlisted credential plugin and rejects them at time of use, so commands that don't even need the plugin don't start failing for no reason.

[ardaguclu]

I think the implementation should be structured so that it intercepts attempts to use a non-allowlisted credential plugin and rejects them at time of use, so commands that don't even need the plugin don't start failing for no reason.

So that significantly changes the implementation. Maybe we just need to get the list of plugins (allowed, disallowed, etc.) in kubectl/cmd and pass it to client-go (or cli-runtime) to accept/reject this credential exec plugin, when there is a request to API Server?

[ardaguclu]

I think, this PR needs a rebase to remove the invalid-commit label. Otherwise, this PR can't be merged.

[pmengelbert]

I think, this PR needs a rebase to remove the invalid-commit label. Otherwise, this PR can't be merged.

Just rebased, and fixed that commit.