feat: validate JWT token and use projected token (#5871)

* Add proxyMetadata to xds config and validate JWT

Signed-off-by: Karol Szwaj <[email protected]>

* Add controller namespace to infra

Signed-off-by: Karol Szwaj <[email protected]>

* Add Metadata envoy bootstrap struct

Signed-off-by: Karol Szwaj <[email protected]>

* Add release note

Signed-off-by: Karol Szwaj <[email protected]>

* fix lint

Signed-off-by: Karol Szwaj <[email protected]>

* fix doc

Signed-off-by: Karol Szwaj <[email protected]>

* use projected service account tokens with eg audience

Signed-off-by: Karol Szwaj <[email protected]>

* lint code

Signed-off-by: Karol Szwaj <[email protected]>

* make gen

Signed-off-by: Karol Szwaj <[email protected]>

* make gen

Signed-off-by: Karol Szwaj <[email protected]>

* Revert "Add controller namespace to infra"

This reverts commit b2fa2ca.

Signed-off-by: Karol Szwaj <[email protected]>

* fetch the node id and initial metadata from first msg

Signed-off-by: Karol Szwaj <[email protected]>

* update codegen

Signed-off-by: Karol Szwaj <[email protected]>

* verify service account

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* validate only sa

Signed-off-by: Karol Szwaj <[email protected]>

* add local hash name func

Signed-off-by: Karol Szwaj <[email protected]>

* Verify pod name for authz

This reverts commit b0748a0.

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* lint code

Signed-off-by: Karol Szwaj <[email protected]>

---------

Signed-off-by: Karol Szwaj <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>

Author: cnvergence

go.mod

@@ -71,6 +71,7 @@ require (
 	k8s.io/api v0.33.0
 	k8s.io/apiextensions-apiserver v0.33.0
 	k8s.io/apimachinery v0.34.0-alpha.0
+	k8s.io/apiserver v0.33.0
 	k8s.io/cli-runtime v0.33.0
 	k8s.io/client-go v0.33.0
 	k8s.io/klog/v2 v2.130.1
@@ -497,7 +498,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	honnef.co/go/tools v0.6.1 // indirect
-	k8s.io/apiserver v0.33.0 // indirect
 	k8s.io/component-base v0.33.0 // indirect
 	k8s.io/metrics v0.33.0 // indirect
 	mvdan.cc/gofumpt v0.7.0 // indirect

internal/infrastructure/common/proxy_args.go

@@ -33,6 +33,7 @@ func BuildProxyArgs(
 	if bootstrapConfigOptions != nil && bootstrapConfigOptions.IPFamily == nil {
 		bootstrapConfigOptions.IPFamily = getIPFamily(infra)
 	}
+
 	bootstrapConfigOptions.GatewayNamespaceMode = gatewayNamespaceMode
 	bootstrapConfigurations, err := bootstrap.GetRenderedBootstrapConfig(bootstrapConfigOptions)
 	if err != nil {

internal/infrastructure/kubernetes/proxy/resource.go

@@ -139,7 +139,7 @@ func expectedProxyContainers(infra *ir.ProxyInfra,
 			Resources:                *containerSpec.Resources,
 			SecurityContext:          expectedEnvoySecurityContext(containerSpec),
 			Ports:                    ports,
-			VolumeMounts:             expectedContainerVolumeMounts(containerSpec),
+			VolumeMounts:             expectedContainerVolumeMounts(containerSpec, gatewayNamespaceMode),
 			TerminationMessagePolicy: corev1.TerminationMessageReadFile,
 			TerminationMessagePath:   "/dev/termination-log",
 			StartupProbe: &corev1.Probe{
@@ -288,7 +288,7 @@ func expectedShutdownPreStopCommand(cfg *egv1a1.ShutdownConfig) []string {
 }
 
 // expectedContainerVolumeMounts returns expected proxy container volume mounts.
-func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec) []corev1.VolumeMount {
+func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec, gatewayNamespaceMode bool) []corev1.VolumeMount {
 	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      "certs",
@@ -300,11 +300,19 @@ func expectedContainerVolumeMounts(containerSpec *egv1a1.KubernetesContainerSpec
 			MountPath: "/sds",
 		},
 	}
+	if gatewayNamespaceMode {
+		volumeMounts = append(volumeMounts, corev1.VolumeMount{
+			Name:      "sa-token",
+			MountPath: "/var/run/secrets/token",
+			ReadOnly:  true,
+		})
+	}
+
 	return resource.ExpectedContainerVolumeMounts(containerSpec, volumeMounts)
 }
 
 // expectedVolumes returns expected proxy deployment volumes.
-func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.KubernetesPodSpec) []corev1.Volume {
+func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.KubernetesPodSpec, dnsDomain string) []corev1.Volume {
 	var volumes []corev1.Volume
 	certsVolume := corev1.Volume{
 		Name: "certs",
@@ -335,6 +343,25 @@ func expectedVolumes(name string, gatewayNamespacedMode bool, pod *egv1a1.Kubern
 				},
 			},
 		}
+		saAudience := fmt.Sprintf("%s.%s.svc.%s", config.EnvoyGatewayServiceName, config.DefaultNamespace, dnsDomain)
+		saTokenProjectedVolume := corev1.Volume{
+			Name: "sa-token",
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					Sources: []corev1.VolumeProjection{
+						{
+							ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+								Path:              "sa-token",
+								Audience:          saAudience,
+								ExpirationSeconds: ptr.To[int64](3600),
+							},
+						},
+					},
+					DefaultMode: ptr.To[int32](420),
+				},
+			},
+		}
+		volumes = append(volumes, saTokenProjectedVolume)
 	}
 
 	volumes = append(volumes, certsVolume)

internal/infrastructure/kubernetes/proxy/resource_provider.go

@@ -322,15 +322,14 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 					Containers:                    containers,
 					InitContainers:                deploymentConfig.InitContainers,
 					ServiceAccountName:            r.Name(),
-					AutomountServiceAccountToken:  expectedAutoMountServiceAccountToken(r.GatewayNamespaceMode),
 					TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown),
 					DNSPolicy:                     corev1.DNSClusterFirst,
 					RestartPolicy:                 corev1.RestartPolicyAlways,
 					SchedulerName:                 "default-scheduler",
 					SecurityContext:               deploymentConfig.Pod.SecurityContext,
 					Affinity:                      deploymentConfig.Pod.Affinity,
 					Tolerations:                   deploymentConfig.Pod.Tolerations,
-					Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, deploymentConfig.Pod),
+					Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, deploymentConfig.Pod, r.DNSDomain),
 					ImagePullSecrets:              deploymentConfig.Pod.ImagePullSecrets,
 					NodeSelector:                  deploymentConfig.Pod.NodeSelector,
 					TopologySpreadConstraints:     deploymentConfig.Pod.TopologySpreadConstraints,
@@ -537,10 +536,6 @@ func expectedTerminationGracePeriodSeconds(cfg *egv1a1.ShutdownConfig) *int64 {
 	return ptr.To(int64(s))
 }
 
-func expectedAutoMountServiceAccountToken(gatewayNamespacedMode bool) *bool {
-	return ptr.To(gatewayNamespacedMode)
-}
-
 func (r *ResourceRender) getPodSpec(
 	containers, initContainers []corev1.Container,
 	pod *egv1a1.KubernetesPodSpec,
@@ -550,15 +545,14 @@ func (r *ResourceRender) getPodSpec(
 		Containers:                    containers,
 		InitContainers:                initContainers,
 		ServiceAccountName:            ExpectedResourceHashedName(r.infra.Name),
-		AutomountServiceAccountToken:  expectedAutoMountServiceAccountToken(r.GatewayNamespaceMode),
 		TerminationGracePeriodSeconds: expectedTerminationGracePeriodSeconds(proxyConfig.Spec.Shutdown),
 		DNSPolicy:                     corev1.DNSClusterFirst,
 		RestartPolicy:                 corev1.RestartPolicyAlways,
 		SchedulerName:                 "default-scheduler",
 		SecurityContext:               pod.SecurityContext,
 		Affinity:                      pod.Affinity,
 		Tolerations:                   pod.Tolerations,
-		Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, pod),
+		Volumes:                       expectedVolumes(r.infra.Name, r.GatewayNamespaceMode, pod, r.DNSDomain),
 		ImagePullSecrets:              pod.ImagePullSecrets,
 		NodeSelector:                  pod.NodeSelector,
 		TopologySpreadConstraints:     pod.TopologySpreadConstraints,

internal/infrastructure/kubernetes/proxy/resource_provider_test.go

@@ -1329,7 +1329,6 @@ func TestServiceAccount(t *testing.T) {
 				ns = tc.infra.GetProxyInfra().Namespace
 			}
 			r := NewResourceRender(ns, cfg.DNSDomain, tc.infra.GetProxyInfra(), cfg.EnvoyGateway)
-
 			sa, err := r.ServiceAccount()
 			require.NoError(t, err)
 

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml

@@ -33,7 +33,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml

@@ -28,7 +28,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml

@@ -41,7 +41,6 @@ spec:
         label1: value1-override
         label2: value2
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml

@@ -37,7 +37,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml

@@ -38,7 +38,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml

@@ -38,7 +38,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml

@@ -37,7 +37,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml

@@ -32,7 +32,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml

@@ -37,7 +37,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default

internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: true
       containers:
       - args:
         - --service-cluster default
@@ -243,7 +242,7 @@ spec:
             - name: jwt-sa-bearer
               generic_secret:
                 secret:
-                  filename: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+                  filename: "/var/run/secrets/token/sa-token"
           overload_manager:
             refresh_interval: 0.25s
             resource_monitors:
@@ -336,6 +335,9 @@ spec:
           readOnly: true
         - mountPath: /sds
           name: sds
+        - mountPath: /var/run/secrets/token
+          name: sa-token
+          readOnly: true
       - args:
         - envoy
         - shutdown-manager
@@ -414,6 +416,14 @@ spec:
       serviceAccountName: envoy-default-37a8eec1
       terminationGracePeriodSeconds: 360
       volumes:
+      - name: sa-token
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              audience: envoy-gateway.envoy-gateway-system.svc.cluster.local
+              expirationSeconds: 3600
+              path: sa-token
       - configMap:
           defaultMode: 420
           items:

internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml

@@ -36,7 +36,6 @@ spec:
         gateway.envoyproxy.io/owning-gateway-name: default
         gateway.envoyproxy.io/owning-gateway-namespace: default
     spec:
-      automountServiceAccountToken: false
       containers:
       - args:
         - --service-cluster default