# Feature OPA

Let's consider a simplified version of the current NSM authorization scheme.

*Figure: NSM Authorize Scheme*

Note: for simplicity, this scheme omits many of the details that happen in every client and endpoint. To understand it in depth, look at the source code of the applications.

No application on the path of an NSM request trusts any other. Each endpoint doesn't trust the client: on every incoming request it validates the tokens in the path and, if any of them is invalid, it returns an error. Each client likewise doesn't trust the endpoint and checks the tokens on the response.

Authorization checks are enabled by default in NSM; for example, all use cases use valid token chains by default.

The example below makes the token from step 1 of the scheme invalid. The endpoint (in this case NSMgr) is expected to reject the request from the client at step 4.

## Run

1. Create the test namespace:

```bash
NAMESPACE=($(kubectl create -f https://raw.githubusercontent.com/networkservicemesh/deployments-k8s/91e80e8e4531562720d50ea9e84a82299813db65/examples/features/namespace.yaml)[0])
NAMESPACE=${NAMESPACE:10}
```

2. Select a node on which to deploy the NSC and NSE:

```bash
NODE=($(kubectl get nodes -o go-template='{{range .items}}{{ if not .spec.taints  }}{{index .metadata.labels "kubernetes.io/hostname"}} {{end}}{{end}}')[0])
```

3. Create the customization file:

```bash
cat > kustomization.yaml <<EOF
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: ${NAMESPACE}

bases:
- https://github.com/networkservicemesh/deployments-k8s/apps/nsc-kernel?ref=91e80e8e4531562720d50ea9e84a82299813db65
- https://github.com/networkservicemesh/deployments-k8s/apps/nse-kernel?ref=91e80e8e4531562720d50ea9e84a82299813db65

patchesStrategicMerge:
- patch-nsc.yaml
- patch-nse.yaml
EOF
```

4. Create an NSC patch that makes every generated token invalid (`NSM_MAX_TOKEN_LIFETIME` is set to a negative value):

```bash
cat > patch-nsc.yaml <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nsc-kernel
spec:
  template:
    spec:
      containers:
        - name: nsc
          env:
            - name: NSM_MAX_TOKEN_LIFETIME
              value: -1m
            - name: NSM_NETWORK_SERVICES
              value: kernel://icmp-responder/nsm-1
      nodeName: ${NODE}
EOF
```

5. Create the NSE patch:

```bash
cat > patch-nse.yaml <<EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nse-kernel
spec:
  template:
    spec:
      containers:
        - name: nse
          env:
            - name: NSM_CIDR_PREFIX
              value: 172.16.1.100/31
      nodeName: ${NODE}
EOF
```

6. Deploy the NSC and NSE:

```bash
kubectl apply -k .
```

7. Wait for the applications to become ready:

```bash
kubectl wait --for=condition=ready --timeout=1m pod -l app=nsc-kernel -n ${NAMESPACE}
kubectl wait --for=condition=ready --timeout=1m pod -l app=nse-kernel -n ${NAMESPACE}
```

8. Find the NSC and NSE pods by their labels:

```bash
NSC=$(kubectl get pods -l app=nsc-kernel -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
NSE=$(kubectl get pods -l app=nse-kernel -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}')
```

9. Check that the NSC is not privileged and cannot connect to the NSE:

```bash
kubectl logs ${NSC} -n ${NAMESPACE} | grep "PermissionDenied desc = no sufficient privileges"
```
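The following is an added example, not NSM's own code: a small Python model of the per-hop token-chain check described in the scheme above. NSM actually signs its JWTs with SPIFFE-issued certificates; this model uses a constructed HMAC key as a stand-in. The client (`nsc`) mints a token for the next hop at step 1, and the endpoint (`nsmgr`) validates every token in the path at step 4, refusing the request when a token is expired, addressed to the wrong hop, or carries a bad signature. Passing a negative lifetime to `send_request` plays the role of `NSM_MAX_TOKEN_LIFETIME=-1m`; the hop names, key and timestamps are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Real NSM tokens are signed with per-workload
# SPIFFE certificates; a shared HMAC key is only a stand-in here.
DEMO_KEY = b"constructed-demo-key"


class PermissionDenied(Exception):
    """Stand-in for the gRPC PermissionDenied status seen in the NSC log."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, audience: str, max_lifetime_s: int, now: float) -> str:
    """Mint a token for the next hop. A negative lifetime (the analogue of
    NSM_MAX_TOKEN_LIFETIME=-1m) produces a token that is already expired."""
    claims = {"iss": issuer, "aud": audience, "exp": now + max_lifetime_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, expected_iss: str, expected_aud: str, now: float) -> dict:
    """Check signature first, then issuer/audience binding, then expiry."""
    body, sig = token.split(".", 1)
    want = _b64(hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, want):
        raise PermissionDenied("no sufficient privileges: bad signature")
    claims = json.loads(_unb64(body))
    if claims["iss"] != expected_iss or claims["aud"] != expected_aud:
        raise PermissionDenied("no sufficient privileges: wrong issuer or audience")
    if claims["exp"] <= now:
        raise PermissionDenied("no sufficient privileges: token expired")
    return claims


def is_valid(token: str, expected_iss: str, expected_aud: str, now: float) -> bool:
    try:
        verify_token(token, expected_iss, expected_aud, now)
        return True
    except PermissionDenied:
        return False


def endpoint_check(path: list, endpoint_name: str, now: float) -> None:
    """Endpoint-side check: every hop's token must be valid and must be
    addressed to the hop that follows it, ending at this endpoint.
    path = [(hop_name, token_issued_for_next_hop), ...]"""
    hops = [name for name, _ in path] + [endpoint_name]
    for i, (name, token) in enumerate(path):
        verify_token(token, name, hops[i + 1], now)


def send_request(max_token_lifetime_s: int, now: float = 1_700_000_000.0) -> str:
    """Step 1: the NSC mints its token for NSMgr. Step 4: NSMgr validates
    the path. Returns 'accepted' or the denial text the NSC would log."""
    path = [("nsc", issue_token("nsc", "nsmgr", max_token_lifetime_s, now))]
    try:
        endpoint_check(path, "nsmgr", now)
    except PermissionDenied as err:
        return f"PermissionDenied desc = {err}"
    return "accepted"


if __name__ == "__main__":
    print("lifetime +10m:", send_request(600))   # accepted
    print("lifetime  -1m:", send_request(-60))   # PermissionDenied ... token expired
```

Running the script prints one accepted request and one denial whose text matches the `grep` in step 9; the denial comes from the endpoint, not the client, which is the point of the scheme: the client's own expired token is caught by the next hop that inspects the path.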

## Cleanup

Delete the namespace:

```bash
kubectl delete ns ${NAMESPACE}
```