Fix extensions apiserver to authenticate requests via RequestHeader CA#4557
anandppatil wants to merge 1 commit into
Conversation
This PR exceeds the recommended size of 1000 lines. Please make sure you are NOT addressing multiple issues with one PR. Note this PR might be rejected due to its size.
The agones-extensions apiserver serves the allocation.agones.dev/v1 aggregated APIService but did not verify that incoming requests came from the kube-apiserver aggregator. Any workload with network reach to agones-controller-service:443 could bypass Kubernetes RBAC and allocate GameServers in arbitrary namespaces.

This change:
- Loads the extension-apiserver-authentication ConfigMap at startup to obtain the RequestHeader CA and allowed proxy client CNs.
- Configures the TLS server to verify client certificates against the RequestHeader CA (VerifyClientCertIfGiven).
- Authenticates API requests by verifying the proxy client cert CN and extracting X-Remote-User/X-Remote-Group headers.
- Authorizes allocation requests via SubjectAccessReview before processing them.

The system:auth-delegator ClusterRoleBinding (already present in the Helm chart) grants the agones-controller ServiceAccount the necessary permission to create SubjectAccessReviews.

Ref: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/

Signed-off-by: anandppatil <anandppatil4383@gmail.com>
e4e6c38 to 4ae6955
So I'm going to close this - it's pretty clearly AI slop.
If you are serious about inspecting this as a potential issue - please file an issue and we'll discuss approaches and implementation details.
Fair point on the PR shape — closing this. The underlying vulnerability (missing RequestHeader CA authentication on the aggregated APIService) is a real finding, but the fix should come from maintainers who know the codebase. I'll open a focused issue with the vulnerability details and repro steps so the team can discuss the right implementation approach.
What
Fixes an authentication bypass in the agones-extensions apiserver where
any in-cluster workload could directly call the aggregated APIService
endpoint and allocate GameServers in any namespace, bypassing Kubernetes RBAC.
Why
The extensions apiserver serves /apis/allocation.agones.dev/v1/... as a Kubernetes aggregated APIService
but did not implement the client-side authentication required by the Kubernetes aggregation layer specification.
How
- extension-apiserver-authentication ConfigMap from kube-system
- ClientAuth: VerifyClientCertIfGiven with the RequestHeader CA
- requestheader-allowed-names
- X-Remote-User/X-Remote-Group headers
- SubjectAccessReview for create gameserverallocations
Testing
- LoadRequestHeaderConfig, AuthenticateRequest, and parseJSONStringArray added in pkg/util/apiserver/auth_test.go
- curl to the service without a valid proxy client cert returns 401.
Fixes: https://issuetracker.google.com/issues/505221322
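Worked example of the mechanism the commit message and the How list describe, added here as an illustration. It is not the PR's code (the page names LoadRequestHeaderConfig, AuthenticateRequest and parseJSONStringArray but does not show them); the functions ParseRequestHeaderConfig, Authenticate, Handler, newCert, NewDemoServer and Call, the CNs front-proxy-ca and front-proxy-client, the user alice, and the allow function that stands in for the SubjectAccessReview round-trip are all this example's own assumptions. It reads only the requestheader-client-ca-file and requestheader-allowed-names keys of a constructed ConfigMap (the real one also carries the header names; the default X-Remote-User/X-Remote-Group are assumed here). The security-relevant detail is that ClientAuth: VerifyClientCertIfGiven still completes the handshake for a connection that presents no certificate, so the handler must treat an empty VerifiedChains as unauthenticated; that is what stops an in-cluster caller who simply sets X-Remote-User itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// RequestHeaderConfig is what this example reads from the kube-system extension-apiserver-authentication ConfigMap.
type RequestHeaderConfig struct {
	ClientCAs    *x509.CertPool
	AllowedNames []string // requestheader-allowed-names; an empty list accepts any cert the CA signed
}

// ParseRequestHeaderConfig takes the ConfigMap's data section; the allow list is a JSON string array.
func ParseRequestHeaderConfig(data map[string]string) (*RequestHeaderConfig, error) {
	cfg := &RequestHeaderConfig{ClientCAs: x509.NewCertPool()}
	if !cfg.ClientCAs.AppendCertsFromPEM([]byte(data["requestheader-client-ca-file"])) {
		return nil, fmt.Errorf("requestheader-client-ca-file holds no CA certificate")
	}
	if err := json.Unmarshal([]byte(data["requestheader-allowed-names"]), &cfg.AllowedNames); err != nil {
		return nil, fmt.Errorf("requestheader-allowed-names: %w", err)
	}
	return cfg, nil
}

// Authenticate trusts the X-Remote-* headers (default names assumed) only behind a client cert that chained
// to the RequestHeader CA (Go fills VerifiedChains once ClientAuth verification passed) with an allowed CN.
func (c *RequestHeaderConfig) Authenticate(r *http.Request) (string, []string, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
		return "", nil, fmt.Errorf("no verified proxy client certificate")
	}
	cn, ok := r.TLS.VerifiedChains[0][0].Subject.CommonName, len(c.AllowedNames) == 0
	for _, n := range c.AllowedNames {
		ok = ok || n == cn
	}
	if !ok {
		return "", nil, fmt.Errorf("proxy client CN %q not in requestheader-allowed-names", cn)
	}
	if user := r.Header.Get("X-Remote-User"); user != "" {
		return user, r.Header.Values("X-Remote-Group"), nil
	}
	return "", nil, fmt.Errorf("aggregator sent no X-Remote-User header")
}

// Handler authenticates, then asks allow (stand-in for the SubjectAccessReview round-trip) about the path's namespace.
func (c *RequestHeaderConfig) Handler(allow func(user string, groups []string, ns string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, groups, err := c.Authenticate(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		ns := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/apis/allocation.agones.dev/v1/namespaces/"), "/gameserverallocations")
		if !allow(user, groups, ns) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "allocation by %s in %s", user, ns)
	})
}

// newCert issues a self-signed CA when parent is nil, otherwise a client cert signed by parent (throwaway keys).
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	signer, signKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewDemoServer builds a throwaway RequestHeader CA, ConfigMap data shaped like the real one (constructed
// here), and a TLS server that verifies client certs against that CA but still admits cert-less connections.
func NewDemoServer() (*httptest.Server, *x509.Certificate, *ecdsa.PrivateKey) {
	ca, caKey := newCert("front-proxy-ca", nil, nil)
	cfg, err := ParseRequestHeaderConfig(map[string]string{
		"requestheader-client-ca-file": string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})),
		"requestheader-allowed-names":  `["front-proxy-client"]`,
	})
	if err != nil {
		panic(err) // the data above is constructed in-process and cannot be malformed
	}
	// SubjectAccessReview stand-in: only alice may create allocations, and only in "default".
	srv := httptest.NewUnstartedServer(cfg.Handler(func(u string, _ []string, ns string) bool { return u == "alice" && ns == "default" }))
	srv.TLS = &tls.Config{ClientAuth: tls.VerifyClientCertIfGiven, ClientCAs: cfg.ClientCAs}
	srv.StartTLS()
	return srv, ca, caKey
}

// Call sends one allocation request with an X-Remote-User header (empty reads as absent). A nil cert means no
// client certificate; otherwise it is presented even if the server's CA list would not accept it, so a cert
// from another CA is refused by the TLS layer and Call returns an error instead of a status code.
func Call(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey, ns, user string) (int, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone()
	if cert != nil {
		tr.TLSClientConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return &tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
		}
	}
	req, _ := http.NewRequest("POST", srv.URL+"/apis/allocation.agones.dev/v1/namespaces/"+ns+"/gameserverallocations", nil)
	req.Header.Set("X-Remote-User", user)
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv, ca, caKey := NewDemoServer()
	defer srv.Close()
	proxy, proxyKey := newCert("front-proxy-client", ca, caKey)
	spoofed, _ := Call(srv, nil, nil, "default", "alice") // header set, but no proxy cert
	genuine, _ := Call(srv, proxy, proxyKey, "default", "alice")
	fmt.Println("spoofed header without cert:", spoofed, "via aggregator:", genuine) // 401 200
}
```

Run as is, the no-certificate caller that forges X-Remote-User gets 401, and the same request behind a certificate from the RequestHeader CA with CN front-proxy-client gets 200 in default and 403 in any other namespace (the authorization step, not the authentication step, rejects it). A CA-signed certificate whose CN is outside requestheader-allowed-names is 401, and a certificate from an unrelated CA never reaches the handler because the TLS layer refuses it. Two caveats for a real deployment: the Kubernetes docs treat an empty requestheader-allowed-names as "any certificate the CA signed", which this code mirrors, so keep the list populated; and the stand-in allow function is where a real extension apiserver would send a SubjectAccessReview to the kube-apiserver, which is what the system:auth-delegator binding mentioned in the commit message permits.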