Conversation

@victorvhs017 victorvhs017 commented Dec 9, 2025

Context

This PR adds validation to the Kubernetes URL and token when adding a Kubernetes auth to a machine identity. It also adds more detailed error messages and centralizes error handling.

https://linear.app/infisical/issue/ENG-4209/improve-kubernetes-auth-error-handling-and-validation-steps

Steps to verify the change

  • Test with an invalid Kubernetes host url
  • Test with a valid URL that is inaccessible (for example, using the IP instead of https://host.docker.internal/ for a cluster running inside Docker)
  • Test with a valid accessible URL
  • Test with a valid accessible URL with an invalid token
  • Test with a valid accessible URL with a valid token but without permission (a service account without the auth-delegator cluster role)
  • Test with a valid accessible URL with a valid token and permission
  • Test with an invalid CA cert
  • Test with a valid CA cert
  • Test with a gateway and manual token reviewer
  • Test with a gateway and the gateway as reviewer

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

Victor Santos added 2 commits December 8, 2025 21:51
…g for Axios requests

- Added a new file for error handlers to manage Axios network and HTTP errors, providing detailed error messages.
- Updated existing functions to utilize the new error handling methods, improving error reporting for Kubernetes authentication processes.
- Introduced validation functions for Kubernetes host connectivity and token reviewer JWT permissions, enhancing the robustness of the authentication service.
…uth service

- Removed unnecessary comments related to validation of Kubernetes host connectivity and token reviewer JWT permissions, streamlining the code for better readability.
maidul98 commented Dec 9, 2025

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
Passed  Open Source Security  0         0     0       0    0 issues

@victorvhs017 victorvhs017 changed the title Improvement(kubernetes-auth): k8s auth validation and errors improvement(kubernetes-auth): k8s auth validation and errors Dec 9, 2025
greptile-apps bot commented Dec 9, 2025

Greptile Overview

Greptile Summary

This PR adds validation for Kubernetes authentication configuration by introducing connectivity checks and token permission validation. The implementation includes:

  • New validation module (identity-kubernetes-auth-validators.ts) with two key functions:
    • validateKubernetesHostConnectivity: Checks host reachability via /version endpoint
    • validateTokenReviewerJwtPermissions: Verifies JWT has TokenReview permissions using a test request
  • Centralized error handling (identity-kubernetes-auth-error-handlers.ts) providing context-aware error messages for network errors (connection refused, timeouts, certificate failures) and HTTP errors (401/403 with actionable guidance)
  • SSRF protection: Both validators call blockLocalAndPrivateIpAddresses before making requests to prevent attacks against internal infrastructure
  • Integration: Validators are called during attachKubernetesAuth and updateKubernetesAuth when token review mode is API and no gateway is configured
  • Improved error messages: Better user guidance for common issues like missing ClusterRole bindings

Key improvements:

  • Users receive immediate feedback when configuring invalid Kubernetes hosts or insufficient JWT permissions
  • Clear, actionable error messages guide users to fix configuration issues
  • Security hardened against SSRF attacks via existing validation utilities
  • Proper use of RE2 library for regex operations (no ReDoS vulnerabilities)

Issues found:

  • In updateKubernetesAuth, when updating kubernetesHost or tokenReviewerJwt without updating caCert, the validation doesn't retrieve the existing CA cert from the database, potentially causing validation failures for hosts that require it

Confidence Score: 4/5

  • This PR is largely safe to merge with one logical issue that needs attention
  • Score of 4 reflects solid security practices (SSRF protection, RE2 regex usage, centralized error handling) and good architecture, but there's a logic bug in the update flow where the existing CA cert isn't used during validation when only updating the host or JWT. This could cause validation failures for legitimate configurations that require CA certs.
  • backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts requires attention for the CA cert validation logic in the update flow (lines 907-934)

Important Files Changed

File Analysis

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-validators.ts (score 5/5): Added two validation functions: validateKubernetesHostConnectivity checks host reachability and validateTokenReviewerJwtPermissions verifies JWT permissions by attempting a test TokenReview. Both properly use blockLocalAndPrivateIpAddresses to prevent SSRF attacks.

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-error-handlers.ts (score 5/5): New centralized error handling module with context-aware error messages for network errors (ECONNREFUSED, ETIMEDOUT, certificate errors) and HTTP errors (401/403). Provides clear, actionable error messages for different contexts (Kubernetes host, API server, gateway proxy).

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts (score 5/5): Integrated validation functions into attachKubernetesAuth and updateKubernetesAuth to validate connectivity and JWT permissions when creating/updating auth methods. Enhanced error handling in token review callbacks using centralized error handlers.

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-fns.ts (score 5/5): Improved extractK8sUsername error handling to throw UnauthorizedError with clear message format instead of generic Error.
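
The shape of the two validators and the error mapping that the summary above describes, as an added example in TypeScript; it is not part of the PR and not Infisical's code. It assumes an Axios-like transport injected as a function (resolves on 2xx, rejects with an object carrying `code` or `response`) so it runs offline; the names isPublicHost, classifyRequestError, apiUrl, buildTokenReviewRequest, tokenReviewPermitted, effectiveCaCert, validateHostConnectivity and validateTokenReviewerJwt are illustrative, and isPublicHost is a stand-in for the project's blockLocalAndPrivateIpAddresses that only inspects literal addresses.

```typescript
// Added example, not Infisical's code: an offline sketch of the validation steps the
// review summarises. isPublicHost, classifyRequestError, apiUrl, buildTokenReviewRequest,
// tokenReviewPermitted, effectiveCaCert and the validate* functions are illustrative names.

export type RequestError = { code?: string; response?: { status: number }; message?: string };
export type HttpRequest = { method: "GET" | "POST"; url: string; headers?: Record<string, string>; body?: unknown };
export type HttpResponse = { status: number; data: unknown };
// Axios-like transport: resolves on 2xx, rejects with a RequestError otherwise.
export type Transport = (req: HttpRequest) => Promise<HttpResponse>;

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Stand-in for the project's blockLocalAndPrivateIpAddresses: rejects literal loopback, link-local,
// RFC 1918 and ULA addresses. A DNS name resolving to a private address is NOT caught here.
export function isPublicHost(hostname: string): boolean {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return false;
  const v4 = IPV4.exec(h);
  if (v4) {
    const [a, b] = v4.slice(1).map(Number);
    return !(a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168));
  }
  if (h.includes(":")) {
    if (h.startsWith("::ffff:")) return isPublicHost(h.slice(7)); // IPv4-mapped IPv6
    return !(h === "::1" || h === "::" || /^f[cd]/.test(h) || /^fe[89ab]/.test(h));
  }
  return true;
}

// Context-aware messages for the failure classes the PR lists: network, TLS and HTTP.
export function classifyRequestError(err: RequestError, context: "host" | "tokenReview"): string {
  const target = context === "host" ? "Kubernetes host" : "Kubernetes API server (TokenReview)";
  switch (err.code) {
    case "ECONNREFUSED":
      return `Connection to ${target} refused: check host and port, and that the API server is reachable from Infisical.`;
    case "ENOTFOUND":
      return `Could not resolve the ${target} hostname: check the kubernetesHost value.`;
    case "ETIMEDOUT":
      return `Timed out reaching ${target}: a firewall or network policy may be blocking the request.`;
    case "SELF_SIGNED_CERT_IN_CHAIN":
    case "DEPTH_ZERO_SELF_SIGNED_CERT":
    case "UNABLE_TO_VERIFY_LEAF_SIGNATURE":
      return `TLS verification of ${target} failed (${err.code}): supply the cluster CA certificate or fix the server certificate.`;
  }
  const status = err.response?.status;
  if (status === 401) return "Token reviewer JWT was rejected (401): the service account token is invalid, expired or issued by another cluster.";
  if (status === 403) return "Token reviewer JWT may not create TokenReviews (403): bind its service account to the system:auth-delegator ClusterRole.";
  if (status !== undefined) return `Request to ${target} failed with HTTP ${status}.`;
  return `Request to ${target} failed: ${err.message ?? err.code ?? "unknown error"}`;
}

// Resolve a path against the configured host after the SSRF check shared by both validators.
function apiUrl(kubernetesHost: string, path: string): string {
  const base = new URL(kubernetesHost);
  if (!isPublicHost(base.hostname)) throw new Error(`Refusing to contact local or private host ${base.hostname}`);
  return new URL(path, base).toString();
}

// Probe the reviewer JWT by reviewing its own token: create on TokenReview is exactly
// what the system:auth-delegator ClusterRole grants.
export function buildTokenReviewRequest(kubernetesHost: string, reviewerJwt: string): HttpRequest {
  return {
    method: "POST",
    url: apiUrl(kubernetesHost, "/apis/authentication.k8s.io/v1/tokenreviews"),
    headers: { Authorization: `Bearer ${reviewerJwt}`, "Content-Type": "application/json" },
    body: { apiVersion: "authentication.k8s.io/v1", kind: "TokenReview", spec: { token: reviewerJwt } },
  };
}

// A 200/201 carrying a status block proves the create permission, whatever authenticated says.
export function tokenReviewPermitted(res: HttpResponse): boolean {
  const data = (res.data ?? {}) as { status?: unknown };
  return (res.status === 200 || res.status === 201) && typeof data.status === "object" && data.status !== null;
}

// The review's flagged update-flow bug: when the update omits caCert, validation must fall
// back to the stored (encrypted) certificate, or hosts that need it fail validation.
export function effectiveCaCert(update: { caCert?: string }, stored: { encryptedCaCert?: Uint8Array },
  decrypt: (ciphertext: Uint8Array) => string): string | undefined {
  if (update.caCert !== undefined) return update.caCert;
  return stored.encryptedCaCert ? decrypt(stored.encryptedCaCert) : undefined;
}

// GET /version; any HTTP answer, even 401/403 for anonymous access, proves the API server is reachable.
export async function validateHostConnectivity(kubernetesHost: string, transport: Transport): Promise<number> {
  const url = apiUrl(kubernetesHost, "/version");
  return transport({ method: "GET", url }).then(
    (res) => res.status,
    (e: RequestError) => { if (e.response) return e.response.status; throw new Error(classifyRequestError(e, "host")); },
  );
}

export async function validateTokenReviewerJwt(kubernetesHost: string, reviewerJwt: string, transport: Transport): Promise<void> {
  const req = buildTokenReviewRequest(kubernetesHost, reviewerJwt);
  const res = await transport(req).catch((e: RequestError) => { throw new Error(classifyRequestError(e, "tokenReview")); });
  if (!tokenReviewPermitted(res)) throw new Error(`Unexpected TokenReview response ${res.status}`);
}
```

With a real client the transport is a thin wrapper around axios(config) (which already rejects with `code` for socket and TLS failures and `response` for non-2xx), with the CA from effectiveCaCert passed to its https agent. Two caveats the sketch makes visible: the literal-only SSRF check lets a hostname that resolves to an internal address through, so the resolver step still needs its own guard, and treating a 401/403 from /version as "reachable" is a design choice here, not something the PR states.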

@greptile-apps greptile-apps bot left a comment

4 files reviewed, 6 comments

Victor Santos added 3 commits December 9, 2025 16:33
…es connectivity checks

- Integrated blockLocalAndPrivateIpAddresses function to validate Kubernetes host connectivity and token reviewer JWT permissions, enhancing security by preventing local and private IP address usage.
@victorvhs017 victorvhs017 (author) commented

@greptileai re-review the code and update the first comment

@greptile-apps greptile-apps bot left a comment

4 files reviewed, 2 comments

…bernetes auth service

- Implemented logic to decrypt the Kubernetes CA certificate if not provided, ensuring secure handling of sensitive data.
- Updated function calls to use the effective CA certificate for Kubernetes host connectivity validation and token reviewer JWT permissions.
Victor Santos added 4 commits December 15, 2025 11:39
…sername parsing

- Replaced UnauthorizedError with BadRequestError for invalid Kubernetes service account username format, improving clarity in error reporting.
- Adjusted the logic for determining the effective gateway ID in the identity Kubernetes auth service to ensure correct fallback behavior.
…idation and error handling

- Introduced a new GatewayRequestExecutor to support both API and Gateway modes for Kubernetes connectivity validation.
- Updated validateKubernetesHostConnectivity and validateTokenReviewerPermissions functions to handle requests through the gateway.
- Improved error handling and logging for connectivity issues and permission validations, providing clearer context for failures.
- Refactored existing validation logic to accommodate the new gateway functionality, ensuring backward compatibility.
… requests

- Replaced UnauthorizedError with BadRequestError in handleAxiosHttpError for improved clarity in error reporting related to token review requests.