1. 前言

轉(zhuǎn)載請說明原文出處, 尊重他人勞動成果!

源碼位置: https://github.com/nicktming/istio
分支: tming-v1.3.6 (基于1.3.6版本)

上一篇文章 [istio源碼分析][citadel] citadel之istio_ca 分析了istio_ca的serviceaccount controller 和 自定義簽名, 本文將在此基礎(chǔ)上繼續(xù)分析istio_ca提供的一個grpc server 服務(wù).

2. 認(rèn)證(authenticate)

認(rèn)證的實現(xiàn)體需要實現(xiàn)以下幾個方法:

// security/pkg/server/ca/server.go
type authenticator interface {
    // 認(rèn)證此client端用戶并且返回client端的用戶信息
    Authenticate(ctx context.Context) (*authenticate.Caller, error)
    // 返回認(rèn)證類型
    AuthenticatorType() string
}
// security/pkg/server/ca/authenticate/authenticator.go
type Caller struct {
    // 認(rèn)證的類型
    AuthSource AuthSource
    // client端的用戶信息
    Identities []string
}

authenticator 有三個實現(xiàn)體:
1. KubeJWTAuthenticator (security/pkg/server/ca/authenticate/kube_jwt.go) .
2. IDTokenAuthenticator (security/pkg/server/ca/authenticate/authenticator.go)
3. ClientCertAuthenticator (security/pkg/server/ca/authenticate/authenticator.go)

這里主要分析一下KubeJWTAuthenticator的實現(xiàn).

2.1 KubeJWTAuthenticator

關(guān)于jwt的知識可以參考 https://www.cnblogs.com/cjsblog/p/9277677.html 和 http://www.imooc.com/article/264737?block_id=tuijian_wz .

// security/pkg/server/ca/authenticate/kube_jwt.go
type tokenReviewClient interface {
    // 輸入一個Bearer token, 返回{namespace, serviceaccount name}
    ValidateK8sJwt(targetJWT string) ([]string, error)
}
func NewKubeJWTAuthenticator(k8sAPIServerURL, caCertPath, jwtPath, trustDomain string) (*KubeJWTAuthenticator, error) {
    // 訪問k8sAPIServerURL的證書
    caCert, err := ioutil.ReadFile(caCertPath)
    ...
    // 客戶端用戶的信息(jwt token)
    reviewerJWT, err := ioutil.ReadFile(jwtPath)
    ...
    return &KubeJWTAuthenticator{
        client:      tokenreview.NewK8sSvcAcctAuthn(k8sAPIServerURL, caCert, string(reviewerJWT)),
        trustDomain: trustDomain,
    }, nil
}

1. tokenReviewClient是輸入一個token, 返回一個字符串?dāng)?shù)組, 里面信息有namespace 和 serviceaccount name. 它的實現(xiàn)體在security/pkg/k8s/tokenreview/k8sauthn.go.
2. 生成一個KubeJWTAuthenticator對象.

Authenticate 和 AuthenticatorType

// security/pkg/server/ca/authenticate/kube_jwt.go
func (a *KubeJWTAuthenticator) AuthenticatorType() string {
    // KubeJWTAuthenticatorType = "KubeJWTAuthenticator"
    return KubeJWTAuthenticatorType
}
func (a *KubeJWTAuthenticator) Authenticate(ctx context.Context) (*Caller, error) {
    // 從header Bearer里面獲得token
    targetJWT, err := extractBearerToken(ctx)
    ...
    // 認(rèn)證客戶端并且得到客戶端的信息
    id, err := a.client.ValidateK8sJwt(targetJWT)
    ...
    if len(id) != 2 {
        return nil, fmt.Errorf("failed to parse the JWT. Validation result length is not 2, but %d", len(id))
    }
    callerNamespace := id[0]
    callerServiceAccount := id[1]
    // 返回一個Caller
    return &Caller{
        AuthSource: AuthSourceIDToken,
        // identityTemplate         = "spiffe://%s/ns/%s/sa/%s"
        Identities: []string{fmt.Sprintf(identityTemplate, a.trustDomain, callerNamespace, callerServiceAccount)},
    }, nil
}

1. 從header Bearer里面獲得token.
2. 認(rèn)證客戶端并且得到客戶端的信息.
3. 利用客戶端信息組裝成一個Caller返回. 因為在授權(quán)(authorize)的時候需要用到客戶端的信息.

2.1.1 k8sauthn

func NewK8sSvcAcctAuthn(apiServerAddr string, apiServerCert []byte, callerToken string) *K8sSvcAcctAuthn {
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(apiServerCert)
    // 訪問k8s api-server的證書
    httpClient := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                RootCAs: caCertPool,
            },
            MaxIdleConnsPerHost: 100,
        },
    }
    return &K8sSvcAcctAuthn{
        apiServerAddr: apiServerAddr,
        callerToken:   callerToken,
        httpClient:    httpClient,
    }
}

作用: K8sSvcAcctAuthn是負(fù)責(zé)認(rèn)證 k8s JWTs.
1. apiServerAddr: the URL of k8s API Server 從上游可知是(https://kubernetes.default.svc/apis/authentication.k8s.io/v1/tokenreviews)
2. apiServerCert: the CA certificate of k8s API Server 是security運(yùn)行的這個pod中對應(yīng)路徑(/var/run/secrets/kubernetes.io/serviceaccount/ca.crt)的內(nèi)容.
3. callerToken: the JWT of the caller to authenticate to k8s API server是security運(yùn)行的這個pod中對應(yīng)路徑(/var/run/secrets/kubernetes.io/serviceaccount/token)的內(nèi)容.

reviewServiceAccountAtK8sAPIServer

defaultAudience = "istio-ca"
func (authn *K8sSvcAcctAuthn) reviewServiceAccountAtK8sAPIServer(targetToken string) (*http.Response, error) {
    saReq := saValidationRequest{
        APIVersion: "authentication.k8s.io/v1",
        Kind:       "TokenReview",
        Spec: specForSaValidationRequest{
            Token: targetToken,
            Audiences: []string{defaultAudience},
        },
    }
    saReqJSON, err := json.Marshal(saReq)
    ...
    // 構(gòu)造request
    req, err := http.NewRequest("POST", authn.apiServerAddr, bytes.NewBuffer(saReqJSON))
    ...
    req.Header.Set("Content-Type", "application/json")
    // authn.callerToken是security這個pod的token
    req.Header.Set("Authorization", "Bearer "+authn.callerToken)
    resp, err := authn.httpClient.Do(req)
    ...
    return resp, nil
}

1. targetToken是客戶端請求的token信息, 也就是客戶端向啟動grpc server組件的pod來發(fā)請求, 所以saReq中的token是targetToken.
2. authn.callerToken是citadel這個pod的token, 因為是citadel來向api-server發(fā)請求, 所以Bearer中需要寫citadel這個pod的token.

例子如下: 具體關(guān)于TokenReview去研究api-server源碼即可.

    // An example SA token:
    // {"alg":"RS256","typ":"JWT"}
    // {"iss":"kubernetes/serviceaccount",
    //  "kubernetes.io/serviceaccount/namespace":"default",
    //  "kubernetes.io/serviceaccount/secret.name":"example-pod-sa-token-h4jqx",
    //  "kubernetes.io/serviceaccount/service-account.name":"example-pod-sa",
    //  "kubernetes.io/serviceaccount/service-account.uid":"ff578a9e-65d3-11e8-aad2-42010a8a001d",
    //  "sub":"system:serviceaccount:default:example-pod-sa"
    //  }

    // An example token review status
    // "status":{
    //   "authenticated":true,
    //   "user":{
    //     "username":"system:serviceaccount:default:example-pod-sa",
    //     "uid":"ff578a9e-65d3-11e8-aad2-42010a8a001d",
    //     "groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]
    //    }
    // }

ValidateK8sJwt

func (authn *K8sSvcAcctAuthn) ValidateK8sJwt(targetToken string) ([]string, error) {
    // 判斷是否TrustworthyJwt
    // SDS requires JWT to be trustworthy (has aud, exp, and mounted to the pod).
    isTrustworthyJwt, err := isTrustworthyJwt(targetToken)
    ...
    // 返回結(jié)果
    resp, err := authn.reviewServiceAccountAtK8sAPIServer(targetToken)
    ...
    bodyBytes, err := ioutil.ReadAll(resp.Body)
    ...
    tokenReview := &k8sauth.TokenReview{}
    err = json.Unmarshal(bodyBytes, tokenReview)
    ...
    // "username" is in the form of system:serviceaccount:{namespace}:{service account name}",
    // e.g., "username":"system:serviceaccount:default:example-pod-sa"
    subStrings := strings.Split(tokenReview.Status.User.Username, ":")
    ...
    namespace := subStrings[2]
    saName := subStrings[3]
    return []string{namespace, saName}, nil
}

1. 調(diào)用reviewServiceAccountAtK8sAPIServer從api-server返回客戶端的認(rèn)證信息, 也就是說向citadel發(fā)請求的客戶端的token需要得到k8s的認(rèn)證.
2. 從tokenReview.Status.User.Username中得到namespace, serviceaccount name返回.

2.2 ClientCertAuthenticator

func (cca *ClientCertAuthenticator) Authenticate(ctx context.Context) (*Caller, error) {
    peer, ok := peer.FromContext(ctx)
    ...
    tlsInfo := peer.AuthInfo.(credentials.TLSInfo)
    chains := tlsInfo.State.VerifiedChains
    ...
    // 從extensions中獲得ids
    ids, err := util.ExtractIDs(chains[0][0].Extensions)
    ...
    return &Caller{
        AuthSource: AuthSourceClientCertificate,
        Identities: ids,
    }, nil
}

ClientCertAuthenticator針對的是用x509生成的用戶信息.

3. grpc server

// security/cmd/istio_ca/main.go
func runCA() {
    ...
    if opts.grpcPort > 0 {
        ...
        hostnames := append(strings.Split(opts.grpcHosts, ","), fqdn())
        caServer, startErr := caserver.New(ca, opts.maxWorkloadCertTTL, opts.signCACerts, hostnames,
            opts.grpcPort, spiffe.GetTrustDomain(), opts.sdsEnabled)
        ...
        if serverErr := caServer.Run(); serverErr != nil {
            ch <- struct{}{}
            ...
        }
    }
    ...
}
// security/pkg/server/ca/server.go
func New(ca CertificateAuthority, ttl time.Duration, forCA bool,
    hostlist []string, port int, trustDomain string, sdsEnabled bool) (*Server, error) {
    ...
    authenticators := []authenticator{&authenticate.ClientCertAuthenticator{}}
    // Only add k8s jwt authenticator if SDS is enabled.
    if sdsEnabled {
        // 添加一個k8s jwt認(rèn)證
        authenticator, err := authenticate.NewKubeJWTAuthenticator(k8sAPIServerURL, caCertPath, jwtPath,
            trustDomain)
        if err == nil {
            authenticators = append(authenticators, authenticator)
            log.Info("added K8s JWT authenticator")
        } else {
            log.Warnf("failed to add JWT authenticator: %v", err)
        }
    }
    ...
    server := &Server{
        authenticators: authenticators,
        ...
    }
    return server, nil
}

由于authorize在此版本沒有打開, 因此把關(guān)于authorize部分的內(nèi)容都去掉了.
1. 可以看到認(rèn)證的對象默認(rèn)有一個ClientCertAuthenticator類型的對象, 如果sdsEnabled = true, 那么就會增加一個KubeJWTAuthenticator類型的對象.

HandleCSR

func (s *Server) HandleCSR(ctx context.Context, request *pb.CsrRequest) (*pb.CsrResponse, error) {
    s.monitoring.CSR.Inc()
    // 認(rèn)證
    caller := s.authenticate(ctx)
    ...
    // 生成csr
    csr, err := util.ParsePemEncodedCSR(request.CsrPem)
    ...
    _, err = util.ExtractIDs(csr.Extensions)
    ...
    // TODO: Call authorizer. 等待要做的授權(quán)
    // 獲得簽名后的證書
    _, _, certChainBytes, _ := s.ca.GetCAKeyCertBundle().GetAll()
    cert, signErr := s.ca.Sign(
        request.CsrPem, caller.Identities, time.Duration(request.RequestedTtlMinutes)*time.Minute, s.forCA)
    ...
    // 組裝response
    response := &pb.CsrResponse{
        IsApproved: true,
        SignedCert: cert,
        CertChain:  certChainBytes,
    }
    ...
    return response, nil
}

作用: 處理請求簽名證書的request. 對請求做一些認(rèn)證, 然后簽名并且返回簽名后的證書. 如果沒有通過, 則返回錯誤理由.

handlecsr.png