From fd5bf8c1b59556e6c4b60209ea288a96084fe958 Mon Sep 17 00:00:00 2001 From: Volodymyr Stoiko Date: Thu, 14 May 2026 21:04:48 +0000 Subject: [PATCH] auth: drop AUTH_ROLES; add AUTH_GROUP_MAPPING + built-in defaultRole MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Companion to kubeshark/hub#permissions-refactoring. Aligns the CLI config struct, chart values, and rendered ConfigMap with the post-refactor hub. config/configStructs/tapConfig.go: - Drop AuthConfig.Roles (admin-authored map[string]Role) and the Role + ScriptingPermissions structs they referenced. - Drop AuthConfig.DefaultFilter (no namespace scoping in v1). - Add AuthConfig.GroupMapping (map[string]string) — SSO group name → built-in role translation. - Tighten DefaultRole godoc to reference the four built-in role constants (kubeshark-admin / kubeshark-realtime / kubeshark-snapshot / kubeshark-viewer) and the strict-deny semantics on empty. config/configStruct.go: - Drop the legacy "admin" entry from the AuthConfig default — operators now configure DefaultRole + GroupMapping instead. - Default RolesClaim is now "groups" (Okta/OIDC convention; was "role"), matching the hub's runtime default. helm-chart/templates/12-config-map.yaml: - Drop AUTH_ROLES emission (key no longer read by hub). - Add AUTH_GROUP_MAPPING emission from tap.auth.groupMapping (JSON map; hub validates each value against the built-in role names at sync time). helm-chart/values.yaml: regenerated from the Go config — drops the tap.auth.roles block, adds tap.auth.groupMapping with the new documentation header for DefaultRole. Breaking change: deployments carrying tap.auth.roles in their values will silently lose those role definitions. Migration is to remove the roles: block and either (a) name their SSO groups to match the four built-in role constants, or (b) populate tap.auth.groupMapping with explicit translations. --- config/configStruct.go | 19 ++----------- config/configStructs/tapConfig.go | 38 ++++++++++--------------- helm-chart/templates/12-config-map.yaml | 2 +- helm-chart/values.yaml | 34 ++-------------------- 4 files changed, 20 insertions(+), 73 deletions(-) diff --git a/config/configStruct.go b/config/configStruct.go index e5640c200..83832434b 100644 --- a/config/configStruct.go +++ b/config/configStruct.go @@ -102,23 +102,8 @@ func CreateDefaultConfig() ConfigStruct { }, }, Auth: configStructs.AuthConfig{ - RolesClaim: "role", - Roles: map[string]configStructs.Role{ - "admin": { - Filter: "", - CanDownloadPCAP: true, - CanUseScripting: true, - ScriptingPermissions: configStructs.ScriptingPermissions{ - CanSave: true, - CanActivate: true, - CanDelete: true, - }, - CanUpdateTargetedPods: true, - CanStopTrafficCapturing: true, - CanControlDissection: true, - ShowAdminConsoleLink: true, - }, - }, + RolesClaim: "groups", + GroupMapping: map[string]string{}, }, EnabledDissectors: []string{ "amqp", diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go index fcd6cca46..c181ee827 100644 --- a/config/configStructs/tapConfig.go +++ b/config/configStructs/tapConfig.go @@ -155,23 +155,6 @@ type ProbeConfig struct { FailureThreshold int `yaml:"failureThreshold" json:"failureThreshold" default:"3"` } -type ScriptingPermissions struct { - CanSave bool `yaml:"canSave" json:"canSave" default:"true"` - CanActivate bool `yaml:"canActivate" json:"canActivate" default:"true"` - CanDelete bool `yaml:"canDelete" json:"canDelete" default:"true"` -} - -type Role struct { - Filter string `yaml:"filter" json:"filter" default:""` - CanDownloadPCAP bool `yaml:"canDownloadPCAP" json:"canDownloadPCAP" default:"false"` - CanUseScripting bool `yaml:"canUseScripting" json:"canUseScripting" default:"false"` - ScriptingPermissions ScriptingPermissions `yaml:"scriptingPermissions" json:"scriptingPermissions"` - CanUpdateTargetedPods bool `yaml:"canUpdateTargetedPods" json:"canUpdateTargetedPods" default:"false"` - CanStopTrafficCapturing bool `yaml:"canStopTrafficCapturing" json:"canStopTrafficCapturing" default:"false"` - CanControlDissection bool `yaml:"canControlDissection" json:"canControlDissection" default:"false"` - ShowAdminConsoleLink bool `yaml:"showAdminConsoleLink" json:"showAdminConsoleLink" default:"false"` -} - type SamlConfig struct { IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"` X509crt string `yaml:"x509crt" json:"x509crt"` @@ -190,12 +173,21 @@ type AuthConfig struct { // NOTE: prior releases routed `oidc` to Descope. If you were using `oidc` // to mean Descope, switch to `descope` (or `default`). The rename is a // breaking change documented in the release notes. - Type string `yaml:"type" json:"type" default:"saml"` - Roles map[string]Role `yaml:"roles" json:"roles"` - RolesClaim string `yaml:"rolesClaim" json:"rolesClaim"` - DefaultRole string `yaml:"defaultRole" json:"defaultRole"` - DefaultFilter string `yaml:"defaultFilter" json:"defaultFilter"` - Saml SamlConfig `yaml:"saml" json:"saml"` + Type string `yaml:"type" json:"type" default:"saml"` + RolesClaim string `yaml:"rolesClaim" json:"rolesClaim"` + // DefaultRole is applied when the authenticated user's SSO claim has no + // recognized group. Must be one of the four built-in roles + // (kubeshark-admin / kubeshark-realtime / kubeshark-snapshot / + // kubeshark-viewer) or empty for strict-deny. See hub plans/ + // permissions-refactoring.md for the capability matrix per role. + DefaultRole string `yaml:"defaultRole" json:"defaultRole"` + // GroupMapping translates SSO group names into built-in role names. + // Optional — groups whose name already matches a built-in role are + // identity-matched and don't need an entry here. Use this map when SSO + // groups are named differently from the built-in roles (e.g. an existing + // AD group "engineering-leads" that should resolve to kubeshark-admin). + GroupMapping map[string]string `yaml:"groupMapping" json:"groupMapping"` + Saml SamlConfig `yaml:"saml" json:"saml"` } type IngressConfig struct { diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml index dc7f15641..79a558a48 100644 --- a/helm-chart/templates/12-config-map.yaml +++ b/helm-chart/templates/12-config-map.yaml @@ -29,9 +29,9 @@ data: {{ (default false .Values.demoModeEnabled) | ternary "default" .Values.tap.auth.type }} {{- end }}' AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}' - AUTH_ROLES: '{{ .Values.tap.auth.roles | toJson }}' AUTH_ROLES_CLAIM: '{{ .Values.tap.auth.rolesClaim }}' AUTH_DEFAULT_ROLE: '{{ default "" .Values.tap.auth.defaultRole }}' + AUTH_GROUP_MAPPING: '{{ default (dict) .Values.tap.auth.groupMapping | toJson }}' AUTH_OIDC_ISSUER: '{{ default "not set" (((.Values.tap).auth).oidc).issuer }}' AUTH_OIDC_REFRESH_TOKEN_LIFETIME: '{{ default "3960h" (((.Values.tap).auth).oidc).refreshTokenLifetime }}' AUTH_OIDC_STATE_PARAM_EXPIRY: '{{ default "10m" (((.Values.tap).auth).oidc).oauth2StateParamExpiry }}' diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml index 9fe77e5f5..cd39e1aa1 100644 --- a/helm-chart/values.yaml +++ b/helm-chart/values.yaml @@ -152,40 +152,10 @@ tap: front: [] auth: enabled: false - # Valid values: saml, oidc (generic OIDC — Dex, Okta, Auth0, Keycloak, - # Azure AD, Google, …), dex (permanent alias of oidc), descope, default - # (also Descope). Was previously misnamed: prior releases routed `oidc` - # to Descope. See release notes for migration. type: saml - # Name of the JWT claim (OIDC) or SAML attribute carrying role memberships. - rolesClaim: role - # Optional: role name inside `roles` applied as a fallback when an - # authenticated user has no matching role in their token/assertion. - # Empty string means no fallback (authenticated but no elevated permissions). + rolesClaim: groups defaultRole: "" - # Backend-neutral role map shared by SAML and OIDC. Empty/unset grants - # nothing — admins opt into elevated access by populating this map. - # - # Per-role `namespaces` controls which Kubernetes namespaces the role's - # users are allowed to see traffic for. Comma-separated list: - # "" — deny all (explicit deny-default for this role). - # "*" — allow every namespace (no scope filter applied). - # "foo" — only the literal namespace "foo" (src or dst). - # "foo,bar" — OR over both literal namespaces. - # "foo-*" — glob expansion against the cluster's known namespaces. - roles: - admin: - namespaces: "*" - canDownloadPCAP: true - canUseScripting: true - scriptingPermissions: - canSave: true - canActivate: true - canDelete: true - canUpdateTargetedPods: true - canStopTrafficCapturing: true - canControlDissection: true - showAdminConsoleLink: true + groupMapping: {} saml: idpMetadataUrl: "" x509crt: ""