
Sender Identity for Knative Eventing

Flag name: authentication-oidc

Stage: Alpha, disabled by default

Tracking issue: #6806

Overview

Currently, event delivery within the cluster is unauthenticated, and an Addressable event consumer cannot determine the identity of any sender.

Knative Eventing Addressables expose their OIDC audience in their status as part of their address (for example .status.address.audience) and require requests to carry an OIDC access token issued for that audience.

Knative Eventing Sources request OIDC access tokens for the target audience and add them to the request. Each Source uses a dedicated service account as the identity for the request.

Prerequisites

Note

So that access tokens are not sent in plain text over the network, transport encryption should be enabled as well. See Transport Encryption, which describes how to enable the transport-encryption feature flag.

Compatibility

Currently, the following components support OIDC authentication:

Sender Identity Configuration

The possible values for authentication-oidc are:

  • disabled
    • No change in behavior
  • enabled
    • Addressables announce their audience in their status
    • Sources add an Authorization header to their requests containing an access token for their target

For example, to enable sender identity, the config-features ConfigMap would look like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: config-features
  namespace: knative-eventing
data:
  authentication-oidc: "enabled"

Verifying that the feature is working

Save the following YAML into a file called default-broker-example.yaml:

# default-broker-example.yaml

apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
  name: br

---
apiVersion: eventing.knative.dev/v1
kind: Trigger
metadata:
  name: tr
spec:
  broker: br
  subscriber:
    ref:
      apiVersion: v1
      kind: Service
      name: event-display

---
apiVersion: v1
kind: Service
metadata:
  name: event-display
spec:
  selector:
    app: event-display
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080

---
apiVersion: v1
kind: Pod
metadata:
  name: event-display
  labels:
    app: event-display
spec:
  containers:
    - name: event-display
      image: gcr.io/knative-releases/knative.dev/eventing/cmd/event_display
      imagePullPolicy: Always
      ports:
        - containerPort: 8080

Apply the default-broker-example.yaml file to the test namespace authentication-oidc-test:

kubectl create namespace authentication-oidc-test

kubectl apply -n authentication-oidc-test -f default-broker-example.yaml

Verify that the Broker announces its audience:

kubectl -n authentication-oidc-test get broker br -o yaml

Example output:

apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
  name: br
  namespace: authentication-oidc-test
spec:
  config:
    # ...
  delivery:
    # ...
status:
  address:
    audience: eventing.knative.dev/broker/authentication-oidc-test/br
    name: http
    url: http://broker-ingress.knative-eventing.svc.cluster.local/authentication-oidc-test/br
  annotations:
  # ...

Send events to the Broker using OIDC authentication

  1. Create an OIDC token (access token):

    kubectl -n authentication-oidc-test create serviceaccount oidc-test-user; kubectl -n authentication-oidc-test create token oidc-test-user --audience eventing.knative.dev/broker/authentication-oidc-test/br
    

    Example output:

    serviceaccount/oidc-test-user created
    eyJhbGciOiJSUzI1NiIsImtpZCI6IlZBWmppNEVJZkVSVDZoYTA4dU1xTWJxSHFYQTgtbE00VU1tMmpFZUNuakUifQ.eyJhdWQiOlsiZXZlbnRpbmcua25hdGl2ZS5kZXYvYnJva2VyL2F1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdC9iciJdLCJleHAiOjE3MDU5MzQyMTQsImlhdCI6MTcwNTkzMDYxNCwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJhdXRoZW50aWNhdGlvbi1vaWRjLXRlc3QiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoib2lkYy10ZXN0LXVzZXIiLCJ1aWQiOiJkNGM5MjkzMy1kZThlLTRhNDYtYjkxYS04NjRjNTZkZDU4YzIifX0sIm5iZiI6MTcwNTkzMDYxNCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmF1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdDpvaWRjLXRlc3QtdXNlciJ9.Taqk11LRC7FKMbt_1VvmRjMolJL54CFGbRT85ZgNdG8YT6MXiw_S2rMHxLyC9RyX0hb720szHhiVIPj15jbz597egSBbcuk-f_MCsUFMyK1Nb95blo6UNDFKIQxC5_aleoT-qaGtXlt4OEE6RjA28mFeeSCjcJUCRdLGLuSiQT47lxLqNK5OfKjd4wGMiUsbBzOcXor9ouJc1lr4gFlCzzIMJNLfXU0O_AB8J--yh6wP07Q-2AWwwv7J1CtZCrIqaPBFjWnplLqtBgo33ZNbqomXyYVdO_0HlEN9XtlK_y_2veEvKOkINzpic_ipf5ZhTxEpXWaztZzdkWd-e2mHMg
    

  2. Send curl requests to the Broker:

    kubectl -n authentication-oidc-test run curl --image=curlimages/curl -i --tty -- sh
    
    # Send unauthenticated request (should result in a 401)
    curl -v http://broker-ingress.knative-eventing.svc.cluster.local/authentication-oidc-test/br -H "Content-Type:application/json" -H "Ce-Id:1" -H "Ce-Source:cloud-event-example" -H "Ce-Type:myCloudEventGreeting" -H "Ce-Specversion:1.0" -d "{\"name\": \"unauthenticated\"}"
    
    # Send authenticated request (should result in a 202)
    curl -v http://broker-ingress.knative-eventing.svc.cluster.local/authentication-oidc-test/br -H "Content-Type:application/json" -H "Ce-Id:1" -H "Ce-Source:cloud-event-example" -H "Ce-Type:myCloudEventGreeting" -H "Ce-Specversion:1.0" -H "Authorization: Bearer <YOUR-TOKEN-FROM-STEP-1>" -d "{\"name\": \"authenticated\"}"
    

    Example output:

    $ curl -v http://broker-ingress.knative-eventing.svc.cluster.local/authentication-oidc-test/br -H "Content-Type:application/json" -H "Ce-Id:1" -H "Ce-Source:cloud-event-example" -H "Ce-Type:myCloudEventGreeting" -H "Ce-Specversion:1.0" -d "{\"name\": \"unauthenticated\"}"
    
    * Host broker-ingress.knative-eventing.svc.cluster.local:80 was resolved.
    * IPv6: (none)
    * IPv4: 10.96.110.167
    *   Trying 10.96.110.167:80...
    * Connected to broker-ingress.knative-eventing.svc.cluster.local (10.96.110.167) port 80
    > POST /authentication-oidc-test/br HTTP/1.1
    > Host: broker-ingress.knative-eventing.svc.cluster.local
    > User-Agent: curl/8.5.0
    > Accept: */*
    > Content-Type:application/json
    > Ce-Id:1
    > Ce-Source:cloud-event-example
    > Ce-Type:myCloudEventGreeting
    > Ce-Specversion:1.0
    > Content-Length: 27
    > 
    < HTTP/1.1 401 Unauthorized
    < Allow: POST, OPTIONS
    < Date: Mon, 22 Jan 2024 13:33:57 GMT
    < Content-Length: 0
    < 
    * Connection #0 to host broker-ingress.knative-eventing.svc.cluster.local left intact
    
    ~ $ curl -v http://broker-ingress.knative-eventing.svc.cluster.local/authentication-oidc-test/br -H "Content-Type:application/json" -H "Ce-Id:1" -H "Ce-Source:cloud-event-example" -H "Ce-Type:myCloudEventGreeting" -H "Ce-Specversion:1.0" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlZBWmppNEVJZkVSVDZoYTA4dU1xTWJxSHFYQTgtbE00VU1tMmpFZUNuakUifQ.eyJhdWQiOlsiZXZlbnRpbmcua25hdGl2ZS5kZXYvYnJva2VyL2F1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdC9iciJdLCJleHAiOjE3MDU5MzQwMDgsImlhdCI6MTcwNTkzMDQwOCwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJhdXRoZW50aWNhdGlvbi1vaWRjLXRlc3QiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoib2lkYy10ZXN0LXVzZXIiLCJ1aWQiOiI3MTlkMWI3ZC1hZjBkLTQzMDAtOGUxNy1lNTk4YmZmN2VmYTIifX0sIm5iZiI6MTcwNTkzMDQwOCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmF1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdDpvaWRjLXRlc3QtdXNlciJ9.UrleSi54mxgThesyrC4kzG7rO3-Fic1B3kPOY8k1l-oslhvw3dbT0n24bvP96m7Ke4ZGoXE3Efo966LZM_61-bfntFbw8kTRe_w6wGXVGpadrBSZsIChVgFYqsPNX_7r1LSNTy5tFXze9phVz6EpO7XeUct_PXyYLASNw0LNXWyqbcEqBNtgWmDKHaS_1pIscFP6MaoGVj968hpVqli8O6okQUQitIoPwFEGAIbaBlIX6Z5ZqlGwL9eqbIiNEMEgjlduv9dyZVmpDc0hsF6GHk2RnAhLeOniUNdUo4VO3z27TJY5JYK7xIMBD6Z5dUAhud9ofA8VWEl7Mziw4fsdCw" -d "{\"name\": \"authenticated\"}"
    * Host broker-ingress.knative-eventing.svc.cluster.local:80 was resolved.
    * IPv6: (none)
    * IPv4: 10.96.110.167
    *   Trying 10.96.110.167:80...
    * Connected to broker-ingress.knative-eventing.svc.cluster.local (10.96.110.167) port 80
    > POST /authentication-oidc-test/br HTTP/1.1
    > Host: broker-ingress.knative-eventing.svc.cluster.local
    > User-Agent: curl/8.5.0
    > Accept: */*
    > Content-Type:application/json
    > Ce-Id:1
    > Ce-Source:cloud-event-example
    > Ce-Type:myCloudEventGreeting
    > Ce-Specversion:1.0
    > Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IlZBWmppNEVJZkVSVDZoYTA4dU1xTWJxSHFYQTgtbE00VU1tMmpFZUNuakUifQ.eyJhdWQiOlsiZXZlbnRpbmcua25hdGl2ZS5kZXYvYnJva2VyL2F1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdC9iciJdLCJleHAiOjE3MDU5MzQwMDgsImlhdCI6MTcwNTkzMDQwOCwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJhdXRoZW50aWNhdGlvbi1vaWRjLXRlc3QiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoib2lkYy10ZXN0LXVzZXIiLCJ1aWQiOiI3MTlkMWI3ZC1hZjBkLTQzMDAtOGUxNy1lNTk4YmZmN2VmYTIifX0sIm5iZiI6MTcwNTkzMDQwOCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmF1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdDpvaWRjLXRlc3QtdXNlciJ9.UrleSi54mxgThesyrC4kzG7rO3-Fic1B3kPOY8k1l-oslhvw3dbT0n24bvP96m7Ke4ZGoXE3Efo966LZM_61-bfntFbw8kTRe_w6wGXVGpadrBSZsIChVgFYqsPNX_7r1LSNTy5tFXze9phVz6EpO7XeUct_PXyYLASNw0LNXWyqbcEqBNtgWmDKHaS_1pIscFP6MaoGVj968hpVqli8O6okQUQitIoPwFEGAIbaBlIX6Z5ZqlGwL9eqbIiNEMEgjlduv9dyZVmpDc0hsF6GHk2RnAhLeOniUNdUo4VO3z27TJY5JYK7xIMBD6Z5dUAhud9ofA8VWEl7Mziw4fsdCw
    > Content-Length: 25
    > 
    < HTTP/1.1 202 Accepted
    < Allow: POST, OPTIONS
    < Date: Mon, 22 Jan 2024 13:34:27 GMT
    < Content-Length: 0
    < 
    * Connection #0 to host broker-ingress.knative-eventing.svc.cluster.local left intact
    ~ $
    
  3. Verify that the second event reached the event-display pod:

    kubectl -n authentication-oidc-test logs event-display
    

    Example output:

    ☁️  cloudevents.Event
    Context Attributes,
      specversion: 1.0
      type: myCloudEventGreeting
      source: cloud-event-example
      id: 1
      datacontenttype: application/json
    Extensions,
      knativearrivaltime: 2024-01-22T13:34:26.032199371Z
    Data,
      {
        "name": "authenticated"
      }
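
As an added example (not code from this page or from the Knative project), the following Python decodes the service account token printed in step 1 and models the decision the Broker ingress makes in step 2: a request with no bearer token, with a token bound to a different audience, or with an expired token is refused (401), while a token whose aud claim matches the Broker's .status.address.audience is accepted (202). It only inspects claims; verifying the RS256 signature (the alg named in the page's token header) against the API server's JWKS is assumed to have passed already and is not performed, so this is a debugging aid for understanding audience binding, not a token validator. The issuer string and timestamps come from the page's example output; the function names are this example's own.

```python
import base64
import json
from typing import Optional

# Token printed by `kubectl create token` in step 1 of the page: a Kubernetes
# projected service account token bound to the Broker's audience.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlZBWmppNEVJZkVSVDZoYTA4dU1xTWJxSHFYQTgtbE00VU1tMmpFZUNuakUifQ.eyJhdWQiOlsiZXZlbnRpbmcua25hdGl2ZS5kZXYvYnJva2VyL2F1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdC9iciJdLCJleHAiOjE3MDU5MzQyMTQsImlhdCI6MTcwNTkzMDYxNCwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJhdXRoZW50aWNhdGlvbi1vaWRjLXRlc3QiLCJzZXJ2aWNlYWNjb3VudCI6eyJuYW1lIjoib2lkYy10ZXN0LXVzZXIiLCJ1aWQiOiJkNGM5MjkzMy1kZThlLTRhNDYtYjkxYS04NjRjNTZkZDU4YzIifX0sIm5iZiI6MTcwNTkzMDYxNCwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmF1dGhlbnRpY2F0aW9uLW9pZGMtdGVzdDpvaWRjLXRlc3QtdXNlciJ9.Taqk11LRC7FKMbt_1VvmRjMolJL54CFGbRT85ZgNdG8YT6MXiw_S2rMHxLyC9RyX0hb720szHhiVIPj15jbz597egSBbcuk-f_MCsUFMyK1Nb95blo6UNDFKIQxC5_aleoT-qaGtXlt4OEE6RjA28mFeeSCjcJUCRdLGLuSiQT47lxLqNK5OfKjd4wGMiUsbBzOcXor9ouJc1lr4gFlCzzIMJNLfXU0O_AB8J--yh6wP07Q-2AWwwv7J1CtZCrIqaPBFjWnplLqtBgo33ZNbqomXyYVdO_0HlEN9XtlK_y_2veEvKOkINzpic_ipf5ZhTxEpXWaztZzdkWd-e2mHMg"

# Audience the Broker announces in .status.address.audience (page output above).
BROKER_AUDIENCE = "eventing.knative.dev/broker/authentication-oidc-test/br"

# Issuer of in-cluster service account tokens, as shown in the page's
# /.well-known/openid-configuration output.
CLUSTER_ISSUER = "https://kubernetes.default.svc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_token(token: str):
    """Split a compact JWS into (header, claims). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def check_claims(claims: dict, expected_audience: str, now: int,
                 issuer: str = CLUSTER_ISSUER) -> list:
    """Reasons to reject these claims; an empty list means accept.

    These are the checks a receiver still needs after the signature is verified:
    the token must come from the cluster issuer, must be bound to the receiver's
    own audience (so a token minted for another Addressable is not accepted
    here), and must be inside its nbf..exp validity window.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # RFC 7519 allows a single string as well as a list
        aud = [aud]
    if expected_audience not in aud:
        problems.append("audience %r does not include %r" % (aud, expected_audience))
    if now >= int(claims.get("exp", 0)):
        problems.append("token expired")
    if now < int(claims.get("nbf", 0)):
        problems.append("token not yet valid")
    return problems


def decide(authorization: Optional[str], expected_audience: str, now: int) -> int:
    """HTTP status a receiver returns: 401 without an acceptable bearer token, 202 otherwise.

    Signature verification against the issuer's JWKS (jwks_uri from the OpenID
    discovery document) is assumed to have passed and is not performed here.
    """
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    try:
        _header, claims = decode_token(authorization[len("Bearer "):])
    except ValueError:                 # malformed segment count, base64 or JSON
        return 401
    if check_claims(claims, expected_audience, now):
        return 401
    return 202


if __name__ == "__main__":
    header, claims = decode_token(SAMPLE_TOKEN)
    print("alg:", header["alg"], "sub:", claims["sub"], "aud:", claims["aud"])
    t = claims["iat"] + 60   # a minute after issuance, inside the validity window
    print("no token    ->", decide(None, BROKER_AUDIENCE, t))
    print("valid token ->", decide("Bearer " + SAMPLE_TOKEN, BROKER_AUDIENCE, t))
    print("wrong aud   ->", decide("Bearer " + SAMPLE_TOKEN, BROKER_AUDIENCE + "-other", t))
    print("expired     ->", decide("Bearer " + SAMPLE_TOKEN, BROKER_AUDIENCE, claims["exp"]))
```

The sub claim of the decoded token (system:serviceaccount:authentication-oidc-test:oidc-test-user) is the sender identity the feature makes available to a receiver; the aud claim is what ties the token to exactly one Addressable, which is why the Broker publishes its audience in its status before any Source can obtain a usable token.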
    

Limitations with Istio

You may encounter problems with the Eventing integration with Istio when the authentication-oidc feature flag is enabled and the JWKS URI is expressed via an IP address, for example in the following case:

$ kubectl get --raw /.well-known/openid-configuration | jq
{
  "issuer": "https://kubernetes.default.svc",
  "jwks_uri": "https://172.18.0.3:6443/openid/v1/jwks",
  ...
}

In this case, you need to add the annotation traffic.sidecar.istio.io/excludeOutboundIPRanges: <JWKS IP>/32 to the pod templates of the following deployments:

  • imc-dispatcher
  • mt-broker-ingress
  • mt-broker-filter

For example:

$ kubectl -n knative-eventing patch deploy imc-dispatcher --patch '{"spec":{"template":{"metadata":{"annotations":{"traffic.sidecar.istio.io/excludeOutboundIPRanges":"172.18.0.3/32"}}}}}'
deployment.apps/imc-dispatcher patched
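
As an added example (not from this page or the Knative project), the following Python turns the discovery document above into the patches this section asks for. It first decides whether the workaround applies at all, which is only when the jwks_uri host is an IP literal (a DNS hostname needs no exclusion), then emits one kubectl patch per affected deployment in exactly the shape shown above. It goes slightly beyond the page by producing a /128 range for an IPv6 literal; that Istio accepts such a range in this annotation is an assumption, not something the page states. The function names are this example's own.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Discovery document from the page (`kubectl get --raw /.well-known/openid-configuration`),
# reduced to the fields used here.
OPENID_CONFIG = {
    "issuer": "https://kubernetes.default.svc",
    "jwks_uri": "https://172.18.0.3:6443/openid/v1/jwks",
}

# Deployments whose pods fetch the JWKS to verify incoming tokens (listed on the page).
DEPLOYMENTS = ("imc-dispatcher", "mt-broker-ingress", "mt-broker-filter")
ANNOTATION = "traffic.sidecar.istio.io/excludeOutboundIPRanges"


def jwks_exclusion_range(openid_config: dict):
    """CIDR to exclude from Istio outbound capture, or None when no exclusion is needed.

    Only a JWKS URI whose host is an IP literal triggers the page's workaround;
    a DNS hostname is left alone.
    """
    host = urlsplit(openid_config["jwks_uri"]).hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:           # not an IP literal (hostname or missing host)
        return None
    # /32 for IPv4 as on the page; /128 for an IPv6 literal (assumed, not shown on the page)
    return "%s/%d" % (ip, ip.max_prefixlen)


def istio_patch(cidr: str) -> dict:
    """Strategic-merge patch that adds the annotation to a Deployment's pod template."""
    return {"spec": {"template": {"metadata": {"annotations": {ANNOTATION: cidr}}}}}


def kubectl_patch_commands(openid_config: dict, namespace: str = "knative-eventing") -> list:
    """kubectl commands to run, one per deployment; empty when no exclusion is needed."""
    cidr = jwks_exclusion_range(openid_config)
    if cidr is None:
        return []
    patch = json.dumps(istio_patch(cidr), separators=(",", ":"))
    return ["kubectl -n %s patch deploy %s --patch '%s'" % (namespace, name, patch)
            for name in DEPLOYMENTS]


if __name__ == "__main__":
    for cmd in kubectl_patch_commands(OPENID_CONFIG):
        print(cmd)
```

The annotation tells the Istio sidecar not to capture traffic to that address, so the JWKS fetch reaches the API server directly. Scope it to the JWKS address only (the /32 on the page) rather than a wider range, since every address in the range bypasses the mesh's policy and mTLS for those pods.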
