Working PoC

Author: nicholasdille

120_kubernetes/oidc/README.md

@@ -1,27 +1,73 @@
-# Authenticate GitLab CI jobs against Kubernetes using GitLab OIDC
-
-XXX
-
-## Prepare
-
-Deploy a Kubernetes cluster with authentication configuration from `auth-config.yaml`:
-
-```shell
-kind create cluster \
-    --name gitlab-ci-oidc \
-    --config kind.yaml \
-    --wait 5m
-```
-
-Deploy GitLab runner:
-
-```shell
-helm repo add gitlab https://charts.gitlab.io
-helm repo update
-helm upgrade --install \
-    gitlab-runner gitlab/gitlab-runner \
-    --values values-gitlab-runner.yaml \
-    --set runnerRegistrationToken=TOKEN \
-    --wait \
-    --timeout 5m
-```
+# Authenticate GitLab user and GitLab CI jobs against Kubernetes using GitLab OIDC
+
+This demonstrates how to authenticate GitLab CI jobs against Kubernetes using GitLab OIDC
+
+## Prerequisites
+
+GitLab with...
+- a group called `foo`
+- a project called `bar` in group `foo`
+- an application for group `foo`
+
+`kubectl` is configured with [`kubelogin`](https://github.com/int128/kubelogin) to authenticate against GitLab
+
+## References
+
+XXX https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
+
+XXX https://cel.dev/
+
+XXX https://docs.gitlab.com/ee/integration/openid_connect_provider.html
+
+XXX https://docs.gitlab.com/ee/ci/yaml/#id_tokens
+
+XXX https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html
+
+## Prepare
+
+Deploy a Kubernetes cluster with authentication configuration from `auth-config.yaml`:
+
+```shell
+kind create cluster \
+    --name gitlab-ci-oidc \
+    --config kind.yaml \
+    --wait 5m
+```
+
+Apply RBAC
+
+```shell
+kubectl apply -f rbac.yaml
+```
+
+## GitLab CI
+
+Deploy GitLab runner
+
+```shell
+helm repo add gitlab https://charts.gitlab.io
+helm repo update
+helm upgrade --install \
+    gitlab-runner gitlab/gitlab-runner \
+    --values values-gitlab-runner.yaml \
+    --set runnerRegistrationToken=TOKEN \
+    --wait \
+    --timeout 5m
+```
+
+Test pipeline based on `.gitlab-ci.yml`
+
+## Test `kubectl`
+
+Test RBAC without OIDC
+
+```shell
+kubectl get pods --as gitlab:MyUserName --as-group gitlab:foo -A
+kubectl get pods --as gitlab-ci:project_path:foo/bar:ref_type:branch:ref:main -A
+```
+
+Test with RBAC
+
+```shell
+kubectl --user=gitlab-oidc get pods
+```

120_kubernetes/oidc/auth-config.yaml

@@ -1,92 +1,17 @@
----
-apiVersion: apiserver.config.k8s.io/v1beta1
-kind: AuthenticationConfiguration
-jwt:
-- issuer:
-    # url must be unique across all authenticators.
-    # url must not conflict with issuer configured in --service-account-issuer.
-    url: https://gitlab.example.com
-    # audiences is the set of acceptable audiences the JWT must be issued to.
-    # At least one of the entries must match the "aud" claim in presented JWTs.
-    audiences:
-    - gitlab_user_auth
-    # this is required to be set to "MatchAny" when multiple audiences are specified.
-    audienceMatchPolicy: MatchAny
-  claimMappings:
-    # username represents an option for the username attribute.
-    # This is the only required attribute.
-    username:
-      # Same as --oidc-username-claim. Mutually exclusive with username.expression.
-      claim: preferred_username
-      # Same as --oidc-username-prefix. Mutually exclusive with username.expression.
-      # if username.claim is set, username.prefix is required.
-      # Explicitly set it to "" if no prefix is desired.
-      prefix: "oidc:"
-    # groups represents an option for the groups attribute.
-    groups:
-      # Same as --oidc-groups-claim. Mutually exclusive with groups.expression.
-      claim: groups_direct
-      # Same as --oidc-groups-prefix. Mutually exclusive with groups.expression.
-      # if groups.claim is set, groups.prefix is required.
-      # Explicitly set it to "" if no prefix is desired.
-      prefix: "gitlab:"
-    # uid represents an option for the uid attribute.
-    uid:
-      # Mutually exclusive with uid.expression.
-      claim: preferred_username
-- issuer:
-    # url must be unique across all authenticators.
-    # url must not conflict with issuer configured in --service-account-issuer.
-    url: https://gitlab.example.com/
-    # audiences is the set of acceptable audiences the JWT must be issued to.
-    # At least one of the entries must match the "aud" claim in presented JWTs.
-    audiences:
-    - gitlab_ci_auth
-    # this is required to be set to "MatchAny" when multiple audiences are specified.
-    audienceMatchPolicy: MatchAny
-  claimMappings:
-    # username represents an option for the username attribute.
-    # This is the only required attribute.
-    username:
-      # Same as --oidc-username-claim. Mutually exclusive with username.expression.
-      claim: sub
-      # Same as --oidc-username-prefix. Mutually exclusive with username.expression.
-      # if username.claim is set, username.prefix is required.
-      # Explicitly set it to "" if no prefix is desired.
-      prefix: "gitlab-ci:"
-    # groups represents an option for the groups attribute.
-    groups:
-      # Same as --oidc-groups-claim. Mutually exclusive with groups.expression.
-      claim: namespace_path
-      # Same as --oidc-groups-prefix. Mutually exclusive with groups.expression.
-      # if groups.claim is set, groups.prefix is required.
-      # Explicitly set it to "" if no prefix is desired.
-      prefix: "gitlab-ci:"
-    # uid represents an option for the uid attribute.
-    uid:
-      # Mutually exclusive with uid.expression.
-      claim: sub
-    # extra attributes to be added to the UserInfo object. Keys must be domain-prefix path and must be unique.
-    #extra:
-    #  # key is a string to use as the extra attribute key.
-    #  # key must be a domain-prefix path (e.g. example.org/foo). All characters before the first "/" must be a valid
-    #  # subdomain as defined by RFC 1123. All characters trailing the first "/" must
-    #  # be valid HTTP Path characters as defined by RFC 3986.
-    #  # k8s.io, kubernetes.io and their subdomains are reserved for Kubernetes use and cannot be used.
-    #  # key must be lowercase and unique across all extra attributes.
-    #- key: gitlab.haufedev.systems/namespace
-    #  valueExpression: namespace_id
-    #- key: gitlab.haufedev.systems/project
-    #  valueExpression: project_id
-    #- key: gitlab.haufedev.systems/triggerer
-    #  valueExpression: user_id
-    #- key: gitlab.haufedev.systems/pipeline
-    #  valueExpression: pipeline_id
-    #- key: gitlab.haufedev.systems/job
-    #  valueExpression: job_id
-    #- key: gitlab.haufedev.systems/runner
-    #  valueExpression: runner_id
-    #- key: gitlab.haufedev.systems/ref
-    #  valueExpression: ref
-    #- key: gitlab.haufedev.systems/sha
-    #  valueExpression: sha
+---
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://gitlab.example.com
+    audiences:
+    - group_application_id
+    - id_token_audience
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    username:
+      expression: 'has(claims.preferred_username) ? "gitlab:" + claims.preferred_username : "gitlab-ci:" + claims.sub'
+    groups:
+      expression: 'has(claims.groups_direct) ? "gitlab:" + claims.groups_direct : "gitlab-ci:" + claims.namespace_path'
+    uid:
+      expression: 'has(claims.preferred_username) ? "gitlab:" + claims.preferred_username : "gitlab-ci:" + claims.sub'

120_kubernetes/oidc/rbac.yaml

@@ -2,23 +2,25 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: oidc-cluster-admin
+  name: oidc-viewer
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: view
 subjects:
-- kind: Group
-  name: gitlab:k8s-oidc-demo
+- kind: User
+  name: gitlab-ci:project_path:foo/bar:ref_type:branch:ref:main
+- kind: User
+  name: gitlab:MyUserName
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: oidc-test
+  name: oidc-admin
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: view
+  name: cluster-admin
 subjects:
-- kind: User
-  name: gitlab-ci:project_path:DilleN/foo:ref_type:branch:ref:main
+- kind: Group
+  name: gitlab:foo

120_kubernetes/oidc/values-gitlab-runner.yaml

@@ -1,54 +1,47 @@
-image:
-  registry: registry.gitlab.com
-  image: gitlab-org/gitlab-runner
-  #tag: alpine-v16.4.0
-imagePullPolicy: Always
-probeTimeoutSeconds: 5
-
-## How many runner pods to launch.
-##
-## Note: Using more than one replica is not supported with a runnerToken. Use a runnerRegistrationToken
-## to create multiple runner replicas.
-# replicas: 1
-
-gitlabUrl: https://gitlab.example.com/
-
-unregisterRunners: true
-terminationGracePeriodSeconds: 3600
-concurrent: 5
-checkInterval: 5
-
-rbac:
-  create: true
-  rules:
-    - resources: ["pods", "secrets", "configmaps"]
-      verbs: ["get", "list", "watch", "create", "patch", "delete", "update"]
-    - apiGroups: [""]
-      resources: ["pods/attach", "pods/exec"]
-      verbs: ["create", "patch", "delete"]
-  clusterWideAccess: false
-  podSecurityPolicy:
-    enabled: false
-    resourceNames:
-      - gitlab-runner
-
-runners:
-  config: |
-    [[runners]]
-      executor = "kubernetes"
-
-      [runners.kubernetes]
-        image = "alpine"
-  locked: false
-
-securityContext:
-  allowPrivilegeEscalation: false
-  readOnlyRootFilesystem: false
-  runAsNonRoot: true
-  privileged: false
-  capabilities:
-    drop: ["ALL"]
-
-podSecurityContext:
-  runAsUser: 100
-  fsGroup: 65533
+image:
+  registry: registry.gitlab.com
+  image: gitlab-org/gitlab-runner
+  #tag: alpine-v16.4.0
+imagePullPolicy: Always
+probeTimeoutSeconds: 5
+
+gitlabUrl: https://gitlab.example.com/
+unregisterRunners: true
+terminationGracePeriodSeconds: 3600
+concurrent: 5
+checkInterval: 5
+
+rbac:
+  create: true
+  rules:
+    - resources: ["pods", "secrets", "configmaps"]
+      verbs: ["get", "list", "watch", "create", "patch", "delete", "update"]
+    - apiGroups: [""]
+      resources: ["pods/attach", "pods/exec"]
+      verbs: ["create", "patch", "delete"]
+  clusterWideAccess: false
+  podSecurityPolicy:
+    enabled: false
+    resourceNames:
+      - gitlab-runner
+
+runners:
+  config: |
+    [[runners]]
+      executor = "kubernetes"
+
+      [runners.kubernetes]
+        image = "alpine"
+  locked: false
+
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  privileged: false
+  capabilities:
+    drop: ["ALL"]
+
+podSecurityContext:
+  runAsUser: 100
+  fsGroup: 65533