Skip to content

improvement(kubernetes-auth): k8s auth validation and errors #5002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
victorvhs017 wants to merge 10 commits into
base: main
Choose a base branch
from
Open

improvement(kubernetes-auth): k8s auth validation and errors #5002

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
d091105
feat(identity-kubernetes-auth): implement comprehensive error handlin…
Dec 9, 2025
3149c2d
refactor(identity-kubernetes-auth): clean up validation comments in a…
Dec 9, 2025
fed2bbf
feat(identity-kubernetes-auth): add IP address validation to Kubernet…
Dec 9, 2025
3209d9a
Merge branch 'main' into enhancement/k8s-auth-validation-and-errors
Dec 9, 2025
7c39661
fix(identity-kubernetes-auth): refine error message for Kubernetes ho…
Dec 9, 2025
e34e1e5
feat(identity-kubernetes-auth): enhance CA certificate handling in Ku…
Dec 9, 2025
98f4ea7
fix(identity-kubernetes-auth): update error handling for Kubernetes u…
Dec 15, 2025
1b241bf
Merge branch 'main' into enhancement/k8s-auth-validation-and-errors
Dec 15, 2025
112b459
feat(identity-kubernetes-auth): enhance Kubernetes authentication val…
Dec 16, 2025
1f6eb9d
fix(identity-kubernetes-auth): update error handling for token review…
Dec 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
200 changes: 200 additions & 0 deletions backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-error-handlers.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,200 @@
import { AxiosError } from "axios";

import { BadRequestError, NotFoundError, UnauthorizedError } from "@app/lib/errors";

type ErrorContext = {
host?: string;
port?: number;
kubernetesHost?: string;
};

export enum KubernetesAuthErrorContext {
KubernetesHost = "kubernetes-host",
KubernetesApiServer = "kubernetes-api-server",
GatewayProxy = "gateway-proxy"
}

type ErrorContextConfig = {
serviceName: string;
errorNamePrefix: string;
defaultErrorName: string;
default401Message: string;
default403Message: string;
};

const COMMON_KUBERNETES_MESSAGES = {
default401Message:
"Token reviewer JWT is invalid or expired. Please verify the token reviewer JWT is correct and has not expired.",
default403Message:
"Token reviewer JWT does not have permission to perform TokenReviews. Ensure the service account has the 'system:auth-delegator' ClusterRole binding."
} as const;

const ERROR_CONTEXT_CONFIGS: Record<KubernetesAuthErrorContext, ErrorContextConfig> = {
[KubernetesAuthErrorContext.KubernetesHost]: {
serviceName: "Kubernetes host",
errorNamePrefix: "KubernetesHost",
defaultErrorName: "KubernetesHostConnectionError",
...COMMON_KUBERNETES_MESSAGES
},
[KubernetesAuthErrorContext.KubernetesApiServer]: {
serviceName: "Kubernetes API server",
errorNamePrefix: "Kubernetes",
defaultErrorName: "KubernetesConnectionError",
...COMMON_KUBERNETES_MESSAGES
},
[KubernetesAuthErrorContext.GatewayProxy]: {
serviceName: "gateway proxy",
errorNamePrefix: "Gateway",
defaultErrorName: "GatewayConnectionError",
default401Message:
"Gateway service account is not authorized to perform TokenReviews. Verify the gateway has the 'system:auth-delegator' ClusterRole binding.",
default403Message:
"Gateway service account does not have permission to perform TokenReviews. Ensure it has the 'system:auth-delegator' ClusterRole binding."
}
};

/**
* Handles Axios network-level errors (connection refused, DNS failures, timeouts, etc.)
* Returns a BadRequestError with a descriptive message, or null if the error is not a network error.
*/
export const handleAxiosNetworkError = (
err: AxiosError,
context: ErrorContext,
contextType: KubernetesAuthErrorContext
): BadRequestError | null => {
const { host, kubernetesHost } = context;
const target = host || kubernetesHost || "server";
const { errorNamePrefix: prefix, serviceName } = ERROR_CONTEXT_CONFIGS[contextType];

if (err.code === "ECONNREFUSED") {
return new BadRequestError({
name: `${prefix}ConnectionRefused`,
message: `Failed to connect to ${serviceName} at ${target}: Connection refused. Verify the host URL and ensure the ${serviceName.toLowerCase()} is accessible.`
});
}

if (err.code === "ENOTFOUND") {
return new BadRequestError({
name: `${prefix}HostNotFound`,
message: `Failed to resolve ${serviceName} hostname: ${target}. Verify the hostname is correct.`
});
}

if (err.code === "ETIMEDOUT" || err.code === "ECONNABORTED") {
return new BadRequestError({
name: `${prefix}ConnectionTimeout`,
message: `Connection to ${serviceName} at ${target} timed out. Verify network connectivity and firewall rules.`
});
}

if (err.code === "DEPTH_ZERO_SELF_SIGNED_CERT" || err.code === "SELF_SIGNED_CERT_IN_CHAIN") {
return new BadRequestError({
name: `${prefix}CertificateError`,
message: `SSL certificate verification failed for ${serviceName} at ${target}. The server uses a self-signed certificate. Please provide the CA certificate in the configuration.`
});
}

if (err.code === "UNABLE_TO_VERIFY_LEAF_SIGNATURE" || err.code === "CERT_HAS_EXPIRED") {
return new BadRequestError({
name: `${prefix}CertificateError`,
message: `SSL certificate verification failed for ${serviceName} at ${target}. Verify the CA certificate is correct and the server certificate is valid.`
});
}

return null;
};

/**
* Handles Axios HTTP response errors (401, 403, etc.)
* Returns an appropriate error, or null if not an HTTP error.
*/
export const handleAxiosHttpError = (
err: AxiosError,
contextType: KubernetesAuthErrorContext
): UnauthorizedError | BadRequestError | null => {
if (!err.response) {
return null;
}

let message = (err.response.data as { message?: string })?.message;
const statusCode = err.response.status;
const { errorNamePrefix: prefix, default401Message, default403Message } = ERROR_CONTEXT_CONFIGS[contextType];

if (!message && typeof err.response.data === "string") {
message = err.response.data;
}

if (statusCode === 401) {
return new UnauthorizedError({
message: message || default401Message,
name: `${prefix}TokenReviewerUnauthorized`
});
}

if (statusCode === 403) {
return new UnauthorizedError({
message: message || default403Message,
name: `${prefix}TokenReviewerForbidden`
});
}

if (message) {
return new UnauthorizedError({
message,
name: `${prefix}TokenReviewRequestError`
});
}

// Generic HTTP error
return new BadRequestError({
name: `${prefix}TokenReviewRequestError`,
message: `${prefix} returned HTTP ${statusCode}: ${err.response.statusText || "Unknown error"}`
});
};

/**
* Handles generic Axios errors (fallback when network/HTTP handlers don't match)
*/
export const handleAxiosGenericError = (
err: AxiosError,
context: ErrorContext,
contextType: KubernetesAuthErrorContext
): BadRequestError => {
const { host, kubernetesHost } = context;
const target = host || kubernetesHost || "server";
const { defaultErrorName, serviceName } = ERROR_CONTEXT_CONFIGS[contextType];

return new BadRequestError({
name: defaultErrorName,
message: `Failed to communicate with ${serviceName} at ${target}: ${err.message}`
});
};

/**
* Checks if an error is a known error type that should be re-thrown as-is.
*/
export const isKnownError = (err: unknown): boolean => {
return err instanceof UnauthorizedError || err instanceof BadRequestError || err instanceof NotFoundError;
};

/**
* Comprehensive Axios error handler that processes network, HTTP, and generic errors.
* Returns an error to throw.
*/
export const handleAxiosError = (
err: AxiosError,
context: ErrorContext,
contextType: KubernetesAuthErrorContext
): BadRequestError | UnauthorizedError => {
const networkError = handleAxiosNetworkError(err, context, contextType);
if (networkError) {
return networkError;
}

const httpError = handleAxiosHttpError(err, contextType);
if (httpError) {
return httpError;
}

return handleAxiosGenericError(err, context, contextType);
};
7 changes: 6 additions & 1 deletion backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-fns.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
import { UnauthorizedError } from "@app/lib/errors";

/**
* Extracts the K8s service account name and namespace
* from the username in this format: system:serviceaccount:default:infisical-auth
Expand All @@ -11,5 +13,8 @@ export const extractK8sUsername = (username: string) => {
name: parts[3]
};
}
throw new Error("Invalid username format");
throw new UnauthorizedError({
name: "KubernetesUsernameParseError",
message: `Invalid Kubernetes service account username format: "${username}". Expected format: system:serviceaccount:<namespace>:<name>`
});
};
Loading
Loading