argoproj · alexec · Aug 20, 2020 · Aug 20, 2020 · Aug 20, 2020 · Aug 20, 2020
diff --git a/api/openapi-spec/swagger.json b/api/openapi-spec/swagger.json
@@ -2472,6 +2472,12 @@
  "io.argoproj.workflow.v1alpha1.GetUserInfoResponse": {
  "type": "object",
  "properties": {
+ "groups": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
  "issuer": {
  "type": "string"
  },

diff --git a/docs/swagger.md b/docs/swagger.md
@@ -1030,6 +1030,7 @@ Gauge is a Gauge prometheus metric
 
 | Name | Type | Description | Required |
 | ---- | ---- | ----------- | -------- |
+| groups | [ string ] | | No |
 | issuer | string | | No |
 | subject | string | | No |
 

diff --git a/docs/workflow-controller-configmap.yaml b/docs/workflow-controller-configmap.yaml
@@ -232,7 +232,24 @@ data:
  # be in the form <argo-server-root-url>/oauth2/callback. It must be
  # browser-accessible.
  redirectUrl: https://argo-server/oauth2/callback
-
+ # RBAC Config. >= v2.11
+ # By default, SSO uses the service account of the server (typically `serviceaccounts/argo-server`). Adding RBAC
+ # means that that SSO account cannot use that account anymore, they must either match a rule, or fall-back to
+ # a defined default service account. For example:
+ # * If the user is in an `admin` group - they might get `serviceaccounts/admin-user`.
+ # * If the user is authenticated, but does not match any rule, perhaps you might have `serviceaccount/basic-user`.
+ # * Finally, if the user is unauthenticated you might configure `serviceaccount/argo-server` to be read-only.
+ rbac:
+ # Rules in order of precedence. Maybe empty.
+ rules:
+ - anyOf:
+ - admin
+ # Use this service account if any of the groups match.
+ serviceAccountRef:
+ name: admin-user
+ # Use this default service account if none of the rules match. Typically either read-only, or no permissions at all.
+ defaultServiceAccountRef:
+ name: readonly-user
  # workflowRequirements restricts the Workflows that the controller will process.
  # Current options:
  # referenceOnly: Only Workflows using "workflowTemplateRef" will be processed. This allows the administrator of the controller

diff --git a/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml b/manifests/quick-start/sso/overlays/workflow-controller-configmap.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- sso : |
+ sso: |
  issuer: https://dex:5556/dex
  clientId:
  name: argo-server-sso
@@ -9,6 +9,14 @@ data:
  name: argo-server-sso
  key: clientSecret
  redirectUrl: https://localhost:2746/oauth2/callback
+ rbac:
+ rules:
+ - anyOf:
+ - authors
+ serviceAccountRef:
+ name: argo-server
+ defaultServiceAccountRef:
+ name: argo-server
 kind: ConfigMap
 metadata:
  name: workflow-controller-configmap
diff --git a/pkg/apiclient/argo-kube-client.go b/pkg/apiclient/argo-kube-client.go
@@ -44,7 +44,7 @@ func newArgoKubeClient(clientConfig clientcmd.ClientConfig, instanceIDService in
  if err != nil {
  return nil, nil, err
  }
- gatekeeper, err := auth.NewGatekeeper(auth.Modes{auth.Server: true}, wfClient, kubeClient, restConfig, nil)
+ gatekeeper, err := auth.NewGatekeeper(auth.Modes{auth.Server: true}, wfClient, kubeClient, restConfig, nil, "unused")
  if err != nil {
  return nil, nil, err
  }

diff --git a/pkg/apiclient/info/info.pb.go b/pkg/apiclient/info/info.pb.go
diff --git a/pkg/apiclient/info/info.proto b/pkg/apiclient/info/info.proto
@@ -26,6 +26,7 @@ message GetUserInfoRequest {
 message GetUserInfoResponse {
  string issuer = 1;
  string subject = 2;
+ repeated string groups = 3;
 }
 
 service InfoService {

diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
@@ -104,7 +104,7 @@ func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
  } else {
  log.Info("SSO disabled")
  }
- gatekeeper, err := auth.NewGatekeeper(opts.AuthModes, opts.WfClientSet, opts.KubeClientset, opts.RestConfig, ssoIf)
+ gatekeeper, err := auth.NewGatekeeper(opts.AuthModes, opts.WfClientSet, opts.KubeClientset, opts.RestConfig, ssoIf, opts.Namespace)
  if err != nil {
  return nil, err
  }

diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -10,6 +10,7 @@ import (
  "google.golang.org/grpc/codes"
  "google.golang.org/grpc/metadata"
  "google.golang.org/grpc/status"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/client-go/kubernetes"
  "k8s.io/client-go/rest"
 
@@ -41,13 +42,15 @@ type gatekeeper struct {
  kubeClient kubernetes.Interface
  restConfig *rest.Config
  ssoIf sso.Interface
+ // The namespace the server is installed in.
+ namespace string
 }
 
-func NewGatekeeper(modes Modes, wfClient versioned.Interface, kubeClient kubernetes.Interface, restConfig *rest.Config, ssoIf sso.Interface) (Gatekeeper, error) {
+func NewGatekeeper(modes Modes, wfClient versioned.Interface, kubeClient kubernetes.Interface, restConfig *rest.Config, ssoIf sso.Interface, namespace string) (Gatekeeper, error) {
  if len(modes) == 0 {
  return nil, fmt.Errorf("must specify at least one auth mode")
  }
- return &gatekeeper{modes, wfClient, kubeClient, restConfig, ssoIf}, nil
+ return &gatekeeper{modes, wfClient, kubeClient, restConfig, ssoIf, namespace}, nil
 }
 
 func (s *gatekeeper) UnaryServerInterceptor() grpc.UnaryServerInterceptor {
@@ -111,29 +114,21 @@ func getAuthHeader(md metadata.MD) string {
  return ""
 }
 
-func (s gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubernetes.Interface, *jws.ClaimSet, error) {
+func (s *gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubernetes.Interface, *jws.ClaimSet, error) {
  md, _ := metadata.FromIncomingContext(ctx)
  authorization := getAuthHeader(md)
  mode, err := GetMode(authorization)
  if err != nil {
  return nil, nil, nil, status.Error(codes.InvalidArgument, err.Error())
  }
  if !s.Modes[mode] {
- return nil, nil, nil, status.Errorf(codes.Unauthenticated, "no valid authentication methods found for mode %v", mode)
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "client auth-mode is %v, but that mode is disabled", mode)
  }
  switch mode {
  case Client:
- restConfig, err := kubeconfig.GetRestConfig(authorization)
+ restConfig, wfClient, kubeClient, err := s.clientForAuthorization(authorization)
  if err != nil {
- return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to create REST config: %v", err)
- }
- wfClient, err := versioned.NewForConfig(restConfig)
- if err != nil {
- return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failure to create wfClientset with ClientConfig: %v", err)
- }
- kubeClient, err := kubernetes.NewForConfig(restConfig)
- if err != nil {
- return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failure to create kubeClientset with ClientConfig: %v", err)
+ return nil, nil, nil, status.Error(codes.Unauthenticated, err.Error())
  }
  claimSet, _ := jwt.ClaimSetFor(restConfig)
  return wfClient, kubeClient, claimSet, nil
@@ -145,8 +140,55 @@ func (s gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubern
  if err != nil {
  return nil, nil, nil, status.Error(codes.Unauthenticated, err.Error())
  }
- return s.wfClient, s.kubeClient, claimSet, nil
+ // RBAC for SSO maybe disabled, in that case both `serviceAccount` and `err` will be nil
+ serviceAccount, err := s.ssoIf.GetServiceAccount(claimSet.Groups)
+ if err != nil {
+ return nil, nil, nil, status.Errorf(codes.Unauthenticated, "failed to get SSO RBAC service account ref: %v", err)
+ } else if serviceAccount != nil {
+ authorization, err := s.authorizationForServiceAccount(serviceAccount.Name)
+ if err != nil {
+ return nil, nil, nil, status.Error(codes.Unauthenticated, err.Error())
+ }
+ _, wfClient, kubeClient, err := s.clientForAuthorization(authorization)
+ if err != nil {
+ return nil, nil, nil, status.Error(codes.Unauthenticated, err.Error())
+ }
+ return wfClient, kubeClient, claimSet, nil
+ } else {
+ return s.wfClient, s.kubeClient, claimSet, nil
+ }
  default:
  panic("this should never happen")
  }
 }
+
+func (s *gatekeeper) authorizationForServiceAccount(serviceAccountName string) (string, error) {
+ serviceAccount, err := s.kubeClient.CoreV1().ServiceAccounts(s.namespace).Get(serviceAccountName, metav1.GetOptions{})
+ if err != nil {
+ return "", fmt.Errorf("failed to get SSO RBAC service account: %w", err)
+ }
+ if len(serviceAccount.Secrets) == 0 {
+ return "", fmt.Errorf("expected at least one secret for SSO RBAC service account: %w", err)
+ }
+ secret, err := s.kubeClient.CoreV1().Secrets(s.namespace).Get(serviceAccount.Secrets[0].Name, metav1.GetOptions{})
+ if err != nil {
+ return "", fmt.Errorf("failed to get SSO RBAC service account secret: %w", err)
+ }
+ return "Bearer " + string(secret.Data["token"]), nil
+}
+
+func (s *gatekeeper) clientForAuthorization(authorization string) (*rest.Config, versioned.Interface, kubernetes.Interface, error) {
+ restConfig, err := kubeconfig.GetRestConfig(authorization)
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("failed to create REST config: %w", err)
+ }
+ wfClient, err := versioned.NewForConfig(restConfig)
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("failure to create workflow client: %w", err)
+ }
+ kubeClient, err := kubernetes.NewForConfig(restConfig)
+ if err != nil {
+ return nil, nil, nil, fmt.Errorf("failure to create kubernetes client: %w", err)
+ }
+ return restConfig, wfClient, kubeClient, nil
+}