Implement CEL for StructuredAuthenticationConfig

[aramase]

• Add additional fields to JWTAuthenticator in AuthenticationConfiguration v1alpha1
• Add support for CEL expressions and integrate with OIDC authenticator

fixes #119235

/kind feature
/sig auth
/triage accepted
/milestone v1.29
/priority important-soon

Adds CEL expressions to v1alpha1 AuthenticationConfiguration.

[KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration

[k8s-ci-robot]

@aramase: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

In response to this:

TODO

fixes #119235

/kind feature
/sig auth
/triage accepted
/milestone v1.29
/priority important-soon

TODO

[KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@aramase: The label(s) kind/api-review cannot be applied, because the repository doesn't have them.

In response to this:

/kind api-review

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[aramase]

/label api-review

[enj]

Initial API review on 10-12-23

[enj]

The CEL variable that contains the final user info should be called user

Suggested change

	UserInfoValidationRules []UserInfoValidationRule `json:"userInfoValidationRules,omitempty"`
	UserValidationRules []UserValidationRule `json:"userValidationRules,omitempty"`

[enj]

Specifically that all validation rules are logically ANDed

[enj]

Internally, we may want to combine all the CEL expressions by wrapping them in parentheses and using logical ANDs (after we benchmark to see if it worth it). On a failure, we would run the individual expressions so that we could provide the correct error message.

[cici37]

Just did a quick pass, will save time for another pass on imp details and tests. Thank you!

[MaryamTavakkoli]

Hello!
Bug triage for the 1.29 release cycle is here! I want to check the status and remind you that the code freeze is starting 01:00 UTC Wednesday 1st November 2023 / 18:00 PDT Tuesday 31st October 2023 (next week), as we want to ensure that each PR has a chance to be merged.
Are we still targeting the 1.29 release?

[aramase]

Hello! Bug triage for the 1.29 release cycle is here! I want to check the status and remind you that the code freeze is starting 01:00 UTC Wednesday 1st November 2023 / 18:00 PDT Tuesday 31st October 2023 (next week), as we want to ensure that each PR has a chance to be merged. Are we still targeting the 1.29 release?

Yes, this PR is still targeted for v1.29.

[liggitt]

non-blocking since this doesn't touch the config API layer, but ClaimsMapper is a really confusing interface... each instance held in CELMapper is only valid to call one of the methods. It's weird to have to put the documentation about which uses of this interface should call which methods on the interface doc.

interaces like these would be clearer (even if the names get a little silly by the end):

Username             StringMapper
Groups               StringArrayMapper
UID                  StringMapper
Extra                MapStringStringArrayMapper
ClaimValidationRules BoolMapper
UserValidationRules  BoolMapper

type BoolMapper interface {
  MapBool(context.Context, *unstructured.Unstructured) (bool, error)
}
type StringMapper interface {
  MapString(context.Context, *unstructured.Unstructured) (string, error)
}
type StringArrayMapper interface {
  MapStringArray(context.Context, *unstructured.Unstructured) ([]string, error)
}
type MapStringStringArrayMapper interface {
  MapMapStringStringArray(context.Context, *unstructured.Unstructured) (map[string][]string, error)
}

specific implementations of those could wrap an interface like

EvalSingle(context.Context, *unstructured.Unstructured) (EvaluationResult, error)

or

EvalMultiple(context.Context, *unstructured.Unstructured) ([]EvaluationResult, error)

and type-check / accumulate

I think this could be cleaned up in 1.30 to be a lot more composable

[aramase]

added this to the follow-up items list for v1.30. I'll get this cleaned up.

[liggitt]

nit: if we're doing more than validation, rename to CompileAndValidateJWTAuthenticator?

will celMapper be nil if there are no CEL rules? will fieldErr be non-nil if the structuredauthn feature is off and JWTAuthenticator contains cel rules?

[aramase]

will celMapper be nil if there are no CEL rules? will fieldErr be non-nil if the structuredauthn feature is off and JWTAuthenticator contains cel rules?

1. celMapper is not nil when there are no CEL rules. The subfields will be empty if there are no expressions defined for the field.
2. fieldErr will be non-nil if feature is off and any of the fields in JWTAuthenticator contain expressions. We have validation in all the fields that support an expression.

[liggitt]

if the feature's not enabled, probably don't need to construct these, right?

[liggitt]

hmm.. I can't tell if celMapper is conditional on the feature gate (will be nil if the feature's off) or on whether CEL expressions were used for various things (subfields will be nil if there's no CEL group expression, etc) or both.

[aramase]

if the feature's not enabled, probably don't need to construct these, right?

right now I'm passing the struct to different validate funcs that set the subfields instead of returning subfields, so we're initializing this.

hmm.. I can't tell if celMapper is conditional on the feature gate (will be nil if the feature's off) or on whether CEL expressions were used for various things (subfields will be nil if there's no CEL group expression, etc) or both.

In the current implementation, if the feature gate is not set, the subfields that contain an expression will be nil but celMapper is not nil.

We can return nil from validateJWTAuthenticator if feature gate is not set.

[liggitt]

to strengthen in 1.30: if we're using the same validatePrefixClaimOrExpression function to construct the CEL mapper for both username and groups, how is it doing any kind of type checking that the result is a string (for username) or a string / string array / null (for groups)?

a username or groups expression of "true" should fail type checking, but I don't think it would, I think it would fail at runtime

obviously, things returning claims directly we can't typecheck until runtime since claims are dynamic, but things returning cel literals can be typechecked

[liggitt]

we shouldn't be able to get here if structuredAuthnFeatureEnabled is false, right?

[aramase]

we do compile the CEL expression even when feature gate isn’t enabled and don’t short circuit on error. This is done to aggregate all errors as part of validation.

Leaving this as-is based on the slack conversation.

[liggitt]

it shouldn't be possible to have non-zero compilation results and the feature be off, right?

[aramase]

It would be possible for non-zero compilation results when the feature is off as we perform validation and compiling of expression always. This was done to aggregate all errors from validation and return to user.

[liggitt]

this needs cleanup in 1.30... I suspect there are more efficient ways to switch on the types natively in go, possibly like:

switch t := val.Value().(type) {
case nilType:
  ... no-op
case stringType:
  if len(t) > 0 {
    append
  }
case []interface{}:
  ... iterate, safely cast, skip nil and empty string, append non-empty string, error on other types
case []ref.Val{}:
  ... iterate, safely cast, skip nil and empty string, append non-empty string, error on other types
default:
  ... error, unexpected type
}

[liggitt]

this cast is a code smell to clean up in 1.30 before beta... we're encapsulating the key information in the accessor, carrying it along to the evalresults, and then digging it back out here.

[aramase]

Agreed! Have a task in #121553 to try and use generics.

[liggitt]

/approve
for API bits

@enj has lgtm

[enj]

/lgtm
/approve

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: b34c77509b763f829284ef76394d17d3538ccba4

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, enj, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• staging/src/k8s.io/apiserver/pkg/apis/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/pkg/authentication/OWNERS [enj,liggitt]
• staging/src/k8s.io/apiserver/plugin/pkg/authenticator/OWNERS [enj,liggitt]
• test/OWNERS [enj,liggitt]
• vendor/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment