Include extra attributes in SubjectAccessReview #13170
multimac wants to merge 1 commit into linkerd:main from
Conversation
Kubernetes authorization plugins can rely on extra attributes on a user, and these are provided via `X-Remote-Extra-` headers. Currently the Linkerd Viz `tap` API doesn't include these attributes when making the `SubjectAccessReview` request, which means the Tap API cannot be used by end-users whose clusters use such authz plugins. This change updates the `tap` controller to parse the `X-Remote-Extra-` headers and include them in the SubjectAccessReview request.

Fixed linkerd#13169

Signed-off-by: David Symons <david.symons@onemodel.co>
Hey @multimac, just a quick check-in -- we're heads-down to ship Linkerd 2.17 but will be coming back to this as soon as we can. Sorry for the delay!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@kflynn: Looks like 2.17 is out by now. Is there a plan to revisit this?

Ping @adleong

Unassigning @adleong so that this bubbles back up for prioritization. Since this branch isn't passing CI, it will clearly need some more work before it can be merged.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Problem

Kubernetes authorization plugins can rely on extra attributes on a user, provided via `X-Remote-Extra-` headers, e.g. AWS EKS with AccessEntry authentication. Currently, the Linkerd Viz tap API doesn't include these attributes when making SubjectAccessReview requests, preventing tap from working in clusters that use authorization plugins relying on these extra attributes.

Solution

Updated the tap API to extract `X-Remote-Extra-` headers from incoming requests and include them in SubjectAccessReview calls. The header prefix is read from the `extension-apiserver-authentication` ConfigMap to support custom configurations.

This implementation is based on the original work by David Symons in PR linkerd#13170.

Changes:
- Modified `ResourceAuthzForUser` in `pkg/k8s/authz.go` to accept extra attributes as `map[string]authV1.ExtraValue`
- Updated `viz/tap/api/handlers.go` to extract and URL-decode extra headers
- Modified `viz/tap/api/server.go` to read the configurable header prefix from the Kubernetes ConfigMap
- Added tests to verify extra attributes are correctly passed through

Validation

Ran `go test ./viz/tap/api/... ./pkg/k8s/...` and all tests pass. Added `TestHandleTap_ExtraHeaders` to verify extra attributes are correctly extracted and passed to the Kubernetes client. Tested with an actual EKS cluster with AccessEntry authentication.

Fixes linkerd#13169

Signed-off-by: Nils Mueller <20240901+Tolsto@users.noreply.github.com>
* Include extra attributes in SubjectAccessReview

  Problem

  Kubernetes authorization plugins can rely on extra attributes on a user, provided via `X-Remote-Extra-` headers, e.g. AWS EKS with AccessEntry authentication. Currently, the Linkerd Viz tap API doesn't include these attributes when making SubjectAccessReview requests, preventing tap from working in clusters that use authorization plugins relying on these extra attributes.

  Solution

  Updated the tap API to extract `X-Remote-Extra-` headers from incoming requests and include them in SubjectAccessReview calls. The header prefix is read from the `extension-apiserver-authentication` ConfigMap to support custom configurations.

  This implementation is based on the original work by David Symons in PR #13170.

  Changes:
  - Modified `ResourceAuthzForUser` in `pkg/k8s/authz.go` to accept extra attributes as `map[string]authV1.ExtraValue`
  - Updated `viz/tap/api/handlers.go` to extract and URL-decode extra headers
  - Modified `viz/tap/api/server.go` to read the configurable header prefix from the Kubernetes ConfigMap
  - Added tests to verify extra attributes are correctly passed through

  Validation

  Ran `go test ./viz/tap/api/... ./pkg/k8s/...` and all tests pass. Added `TestHandleTap_ExtraHeaders` to verify extra attributes are correctly extracted and passed to the Kubernetes client. Tested with an actual EKS cluster with AccessEntry authentication.

  Fixes #13169

  Signed-off-by: Nils Mueller <20240901+Tolsto@users.noreply.github.com>

* Handle extra auth headers safely

---------

Signed-off-by: Nils Mueller <20240901+Tolsto@users.noreply.github.com>
Co-authored-by: Alex Leong <alex@buoyant.io>
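The following is an added, stand-alone illustration of the header-to-`SubjectAccessReview` mapping that the PR description and the commit messages above describe; it is not code from this PR or from the Linkerd repository. It uses only the Go standard library, so `ExtraValue` and the `SubjectAccessReviewSpec` fields are local stand-ins for the `k8s.io/api/authorization/v1` types, the `X-Remote-Extra-` prefix is hard-coded where the PR reads it from the `extension-apiserver-authentication` ConfigMap, the tap resource attributes (`tap.linkerd.io`, verb `watch`, subresource `tap`) are placeholders rather than the controller's exact values, and every header value is constructed. Key handling mirrors what the kube-apiserver's own request-header authenticator does with these headers: the suffix after the prefix is lower-cased and percent-decoded (the apiserver escapes bytes such as `/` that are not legal in a header name), and a suffix that fails to decode is kept as-is rather than dropped.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ExtraValue stands in for k8s.io/api/authorization/v1.ExtraValue ([]string)
// so that this example builds with the standard library alone.
type ExtraValue []string

// Trimmed local stand-ins for the authorization/v1 SubjectAccessReview spec.
type ResourceAttributes struct {
	Namespace   string `json:"namespace"`
	Verb        string `json:"verb"`
	Group       string `json:"group"`
	Resource    string `json:"resource"`
	Subresource string `json:"subresource,omitempty"`
	Name        string `json:"name,omitempty"`
}

type SubjectAccessReviewSpec struct {
	User               string                `json:"user"`
	Groups             []string              `json:"groups,omitempty"`
	Extra              map[string]ExtraValue `json:"extra,omitempty"`
	ResourceAttributes ResourceAttributes    `json:"resourceAttributes"`
}

// DefaultExtraHeaderPrefix is the kube-apiserver front-proxy default
// (requestheader-extra-headers-prefix). The PR reads the configured value
// from the extension-apiserver-authentication ConfigMap instead.
const DefaultExtraHeaderPrefix = "X-Remote-Extra-"

// ExtraFromHeaders collects every header carrying the extra prefix into the
// Extra map of a SubjectAccessReview. The key suffix is lower-cased and
// percent-decoded; a suffix that fails to decode is kept verbatim so the
// authorizer still sees the attribute instead of silently losing it.
func ExtraFromHeaders(h http.Header, prefix string) map[string]ExtraValue {
	extra := map[string]ExtraValue{}
	for name, values := range h {
		// http.Header canonicalises names; compare case-insensitively anyway.
		if len(name) <= len(prefix) || !strings.EqualFold(name[:len(prefix)], prefix) {
			continue
		}
		key := strings.ToLower(name[len(prefix):])
		if decoded, err := url.PathUnescape(key); err == nil {
			key = decoded
		}
		extra[key] = append(extra[key], values...)
	}
	return extra
}

// TapAuthzSpec builds the SubjectAccessReview spec for a tap request from the
// identity headers the aggregation layer forwarded. The resource attributes
// are placeholders for this example, not the tap controller's exact values.
func TapAuthzSpec(r *http.Request, prefix, namespace, resource, name string) SubjectAccessReviewSpec {
	return SubjectAccessReviewSpec{
		User:   r.Header.Get("X-Remote-User"),
		Groups: r.Header.Values("X-Remote-Group"),
		Extra:  ExtraFromHeaders(r.Header, prefix),
		ResourceAttributes: ResourceAttributes{
			Namespace:   namespace,
			Verb:        "watch",
			Group:       "tap.linkerd.io",
			Resource:    resource,
			Subresource: "tap",
			Name:        name,
		},
	}
}

func main() {
	// Constructed request, shaped like what the kube-apiserver forwards after
	// authenticating the caller; all identity values below are made up.
	r := httptest.NewRequest(http.MethodGet, "/apis/tap.linkerd.io/v1alpha1/watch/namespaces/emojivoto/deployments/web/tap", nil)
	r.Header.Set("X-Remote-User", "alice")
	r.Header.Add("X-Remote-Group", "system:authenticated")
	r.Header.Set("X-Remote-Extra-Arn", "arn:aws:iam::123456789012:role/example-role")
	// A key with a "/" arrives percent-encoded; two values for one key are allowed.
	r.Header.Add("X-Remote-Extra-Scopes.example.com%2Fteam", "platform")
	r.Header.Add("X-Remote-Extra-Scopes.example.com%2Fteam", "security")

	spec := TapAuthzSpec(r, DefaultExtraHeaderPrefix, "emojivoto", "deployments", "web")
	out, _ := json.MarshalIndent(spec, "", "  ")
	fmt.Println(string(out))
}
```

Because `Extra` becomes part of the principal the authorizer evaluates, an aggregated API server should only honour `X-Remote-*` headers on connections whose client certificate it has verified against the `requestheader-client-ca-file` published in that same ConfigMap; the example assumes that verification has already happened before the handler runs.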