Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 1 | package main |
| 2 | |
| 3 | import ( |
Serge Bazanski | 5d2c8fc | 2021-01-30 21:23:53 +0100 | [diff] [blame] | 4 | "encoding/json" |
Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 5 | "fmt" |
| 6 | "strings" |
| 7 | |
Serge Bazanski | 5d2c8fc | 2021-01-30 21:23:53 +0100 | [diff] [blame] | 8 | "github.com/golang/glog" |
Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 9 | admission "k8s.io/api/admission/v1beta1" |
Serge Bazanski | 5d2c8fc | 2021-01-30 21:23:53 +0100 | [diff] [blame] | 10 | networking "k8s.io/api/networking/v1beta1" |
| 11 | meta "k8s.io/apimachinery/pkg/apis/meta/v1" |
Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 12 | ) |
| 13 | |
| 14 | // ingressFilter is a filter which allows or denies the creation of an ingress |
| 15 | // backing a given domain with a namespace. It does so by operating on an |
| 16 | // explicit list of allowed namespace/domain pairs, where each domain is either |
| 17 | // a single domain or a DNS wildcard at a given root. |
| 18 | // By default every domain is allowed in every namespace. However, the moment |
| 19 | // an entry is added for a given domain (or wildcard that matches some |
| 20 | // domains), this domain will only be allowed in that namespace. |
| 21 | // |
| 22 | // For example, with the given allowed domains: |
| 23 | // - ns: example, domain: one.example.com |
| 24 | // - ns: example, domain: *.google.com |
| 25 | // The logic will be as follows: |
| 26 | // - one.example.com will be only allowed in the example namespace |
| 27 | // - any .google.com domain will be only allowed in the example namespace |
| 28 | // - all other domains will be allowed everywhere. |
| 29 | // |
| 30 | // This logic allows for the easy use of arbitrary domains by k8s users within |
| 31 | // their personal namespaces, but allows critical domains to only be allowed in |
| 32 | // trusted namespaces. |
| 33 | // |
| 34 | // ingressFilter can be used straight away after constructing it as an empty |
| 35 | // type. |
| 36 | type ingressFilter struct { |
| 37 | // allowed is a map from namespace to list of domain matchers. |
| 38 | allowed map[string][]*domain |
| 39 | } |
| 40 | |
| 41 | // domain is a matcher for either a single given domain, or a domain wildcard. |
| 42 | // If this is a wildcard matcher, any amount of dot-delimited levels under the |
| 43 | // domain will be permitted. |
| 44 | type domain struct { |
| 45 | // dns is either the domain name matched by this matcher (if wildcard == |
| 46 | // false), or the root of a wildcard represented by this matcher (if |
| 47 | // wildcard == true). |
| 48 | dns string |
| 49 | wildcard bool |
| 50 | } |
| 51 | |
| 52 | // match returns whether this matcher matches a given domain. |
| 53 | func (d *domain) match(dns string) bool { |
| 54 | if !d.wildcard { |
| 55 | return dns == d.dns |
| 56 | } |
| 57 | return strings.HasSuffix(dns, "."+d.dns) |
| 58 | } |
| 59 | |
| 60 | // allow adds a given (namespace, dns) pair to the filter. The dns variable is |
| 61 | // a string that is either a simple domain name, or a wildcard like |
| 62 | // *.foo.example.com. An error is returned if the dns stirng could not be |
| 63 | // parsed. |
| 64 | func (i *ingressFilter) allow(ns, dns string) error { |
| 65 | // If the filter is brand new, initialize it. |
| 66 | if i.allowed == nil { |
| 67 | i.allowed = make(map[string][]*domain) |
| 68 | } |
| 69 | |
| 70 | // Try to parse the name as a wildcard. |
| 71 | parts := strings.Split(dns, ".") |
| 72 | wildcard := false |
| 73 | for i, part := range parts { |
| 74 | if i == 0 && part == "*" { |
| 75 | wildcard = true |
| 76 | continue |
| 77 | } |
| 78 | // Do some basic validation of the name. |
| 79 | if part == "" || strings.Contains(part, "*") { |
| 80 | return fmt.Errorf("invalid domain") |
| 81 | } |
| 82 | } |
| 83 | if wildcard { |
| 84 | if len(parts) < 2 { |
| 85 | return fmt.Errorf("invalid domain") |
| 86 | } |
| 87 | dns = strings.Join(parts[1:], ".") |
| 88 | } |
| 89 | i.allowed[ns] = append(i.allowed[ns], &domain{ |
| 90 | dns: dns, |
| 91 | wildcard: wildcard, |
| 92 | }) |
| 93 | return nil |
| 94 | } |
| 95 | |
| 96 | // domainAllowed returns whether a given domain is allowed to be backed by an |
| 97 | // ingress within a given namespace. |
| 98 | func (i *ingressFilter) domainAllowed(ns, domain string) bool { |
| 99 | if i.allowed == nil { |
| 100 | return true |
| 101 | } |
| 102 | |
| 103 | domainFound := false |
| 104 | // TODO(q3k): if this becomes too slow, build some inverted index for this. |
| 105 | for n, ds := range i.allowed { |
| 106 | for _, d := range ds { |
| 107 | if !d.match(domain) { |
| 108 | continue |
| 109 | } |
| 110 | // Domain matched, see if allowed in this namespace. |
| 111 | domainFound = true |
| 112 | if n == ns { |
| 113 | return true |
| 114 | } |
| 115 | } |
| 116 | // Otherwise, maybe it's allowed in another domain. |
| 117 | } |
| 118 | // No direct match found - if this domain has been at all matched before, |
| 119 | // it means that it's a restriected domain and the requested namespace is |
| 120 | // not one that's allowed to host it. Refuse. |
| 121 | if domainFound { |
| 122 | return false |
| 123 | } |
| 124 | // No direct match found, and this domain is not restricted. Allow. |
| 125 | return true |
| 126 | } |
| 127 | |
| 128 | func (i *ingressFilter) admit(req *admission.AdmissionRequest) (*admission.AdmissionResponse, error) { |
| 129 | if req.Kind.Group != "networking.k8s.io" || req.Kind.Kind != "Ingress" { |
| 130 | return nil, fmt.Errorf("not an ingress") |
| 131 | } |
Serge Bazanski | 5d2c8fc | 2021-01-30 21:23:53 +0100 | [diff] [blame] | 132 | |
| 133 | result := func(s string, args ...interface{}) (*admission.AdmissionResponse, error) { |
| 134 | res := &admission.AdmissionResponse{ |
| 135 | UID: req.UID, |
| 136 | } |
| 137 | if s == "" { |
| 138 | res.Allowed = true |
| 139 | } else { |
| 140 | res.Allowed = false |
| 141 | res.Result = &meta.Status{ |
| 142 | Code: 403, |
| 143 | Message: fmt.Sprintf("admitomatic: %s", fmt.Sprintf(s, args...)), |
| 144 | } |
| 145 | } |
| 146 | return res, nil |
| 147 | } |
| 148 | |
| 149 | // Permit any actions on critical system namespaes. See: |
| 150 | // https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/ |
| 151 | // “Avoiding operating on the kube-system namespace” |
| 152 | if req.Namespace == "kube-system" { |
| 153 | return result("") |
| 154 | } |
| 155 | |
| 156 | switch req.Operation { |
| 157 | case "CREATE": |
| 158 | case "UPDATE": |
| 159 | default: |
| 160 | // We only care about creations/updates, everything else is referred to plain RBAC. |
| 161 | return result("") |
| 162 | } |
| 163 | |
| 164 | ingress := networking.Ingress{} |
| 165 | err := json.Unmarshal(req.Object.Raw, &ingress) |
| 166 | if err != nil { |
| 167 | glog.Errorf("Unmarshaling Ingress failed: %v", err) |
| 168 | return result("invalid object") |
| 169 | } |
| 170 | |
| 171 | // Check TLS config for hosts. |
| 172 | for j, t := range ingress.Spec.TLS { |
| 173 | for k, h := range t.Hosts { |
| 174 | if strings.Contains(h, "*") { |
| 175 | // TODO(q3k): support wildcards |
| 176 | return result("wildcard host %q (%d in TLS entry %d) is not permitted", h, k, j) |
| 177 | } |
| 178 | if !i.domainAllowed(req.Namespace, h) { |
| 179 | return result("host %q (%d) in TLS entry %d is not allowed in namespace %q", h, k, j, req.Namespace) |
| 180 | } |
| 181 | } |
| 182 | } |
| 183 | |
| 184 | // Check rules for hosts. |
| 185 | for j, r := range ingress.Spec.Rules { |
| 186 | h := r.Host |
| 187 | // Per IngressRule spec: |
| 188 | // If the host is unspecified, the Ingress routes all traffic based |
| 189 | // on the specified IngressRuleValue. Host can be "precise" which is |
| 190 | // a domain name without the terminating dot of a network host (e.g. |
| 191 | // "foo.bar.com") or "wildcard", which is a domain name prefixed with |
| 192 | // a single wildcard label (e.g. "*.foo.com"). |
| 193 | // |
| 194 | // We reject everything other than precise hosts. |
| 195 | if h == "" { |
| 196 | return result("empty host %q (in rule %d) is not permitted", h, j) |
| 197 | } |
| 198 | if strings.Contains(h, "*") { |
| 199 | // TODO(q3k): support wildcards |
| 200 | return result("wildcard host %q (in rule %d) is not permitted", h, j) |
| 201 | } |
| 202 | if !i.domainAllowed(req.Namespace, h) { |
| 203 | return result("host %q (in rule %d) is not allowed in namespace %q", h, j, req.Namespace) |
| 204 | } |
| 205 | } |
| 206 | |
| 207 | // Only allow a trusted subset of n-i-c annotations. |
| 208 | // TODO(q3k): allow opt-out for some namespaces |
| 209 | allowed := map[string]bool{ |
| 210 | "proxy-body-size": true, |
| 211 | "ssl-redirect": true, |
| 212 | "backend-protocol": true, |
Serge Bazanski | 89a16f4 | 2021-06-06 12:28:28 +0000 | [diff] [blame] | 213 | "use-regex": true, |
Serge Bazanski | 943ab5b | 2021-02-08 00:33:45 +0100 | [diff] [blame] | 214 | // Used by cert-manager |
| 215 | "whitelist-source-range": true, |
Serge Bazanski | 5d2c8fc | 2021-01-30 21:23:53 +0100 | [diff] [blame] | 216 | } |
| 217 | prefix := "nginx.ingress.kubernetes.io/" |
| 218 | for k, _ := range ingress.Annotations { |
| 219 | if !strings.HasPrefix(k, prefix) { |
| 220 | continue |
| 221 | } |
| 222 | k = strings.TrimPrefix(k, prefix) |
| 223 | if !allowed[k] { |
| 224 | return result("forbidden annotation %q", k) |
| 225 | } |
| 226 | } |
| 227 | |
| 228 | // All clear, accept this Ingress. |
| 229 | return result("") |
Serge Bazanski | 6495653 | 2021-01-30 19:19:32 +0100 | [diff] [blame] | 230 | } |