steve/pkg/resources/clusters/shell.go

package clusters

import (
	"context"
	"net/http"
	"net/http/httputil"
	"time"

	"github.com/rancher/steve/pkg/podimpersonation"
	"github.com/rancher/steve/pkg/stores/proxy"
	"github.com/rancher/wrangler/pkg/schemas/validation"
	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/apiserver/pkg/endpoints/request"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/scheme"
	"k8s.io/client-go/rest"
)

type shell struct {
	namespace    string
	impersonator *podimpersonation.PodImpersonation
	cg           proxy.ClientGetter
}

func (s *shell) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	ctx, user, client, err := s.contextAndClient(req)
	if err != nil {
		http.Error(rw, err.Error(), http.StatusInternalServerError)
		return
	}

	pod, err := s.impersonator.CreatePod(ctx, user, s.createPod(), &podimpersonation.PodOptions{
		Wait: true,
	})
	if err != nil {
		http.Error(rw, err.Error(), http.StatusInternalServerError)
		return
	}

	s.proxyRequest(rw, req, pod, client)
}

func (s *shell) proxyRequest(rw http.ResponseWriter, req *http.Request, pod *v1.Pod, client kubernetes.Interface) {
	attachURL := client.CoreV1().RESTClient().
		Get().
		Namespace(pod.Namespace).
		Resource("pods").
		Name(pod.Name).
		SubResource("attach").
		VersionedParams(&v1.PodAttachOptions{
			Stdin:     true,
			Stdout:    true,
			Stderr:    true,
			TTY:       true,
			Container: "shell",
		}, scheme.ParameterCodec).URL()

	httpClient := client.CoreV1().RESTClient().(*rest.RESTClient).Client
	p := httputil.ReverseProxy{
		Director: func(req *http.Request) {
			req.URL = attachURL
			req.Host = attachURL.Host
			delete(req.Header, "Authorization")
			delete(req.Header, "Cookie")
		},
		Transport:     httpClient.Transport,
		FlushInterval: time.Millisecond * 100,
	}

	p.ServeHTTP(rw, req)
}

func (s *shell) contextAndClient(req *http.Request) (context.Context, user.Info, kubernetes.Interface, error) {
	ctx := req.Context()
	client, err := s.cg.AdminK8sInterface()
	if err != nil {
		return ctx, nil, nil, err
	}

	user, ok := request.UserFrom(ctx)
	if !ok {
		return ctx, nil, nil, validation.Unauthorized
	}

	return ctx, user, client, nil
}

func (s *shell) createPod() *v1.Pod {
	return &v1.Pod{
		ObjectMeta: metav1.ObjectMeta{
			GenerateName: "dashboard-shell-",
			Namespace:    s.namespace,
		},
		Spec: v1.PodSpec{
			TerminationGracePeriodSeconds: new(int64),
			RestartPolicy:                 v1.RestartPolicyNever,
			Containers: []v1.Container{
				{
					Name:      "shell",
					TTY:       true,
					Stdin:     true,
					StdinOnce: true,
					Env: []v1.EnvVar{
						{
							Name:  "KUBECONFIG",
							Value: "/home/shell/.kube/config",
						},
					},
					Image:           "ibuildthecloud/shell:v0.0.1",
					ImagePullPolicy: v1.PullIfNotPresent,
					Command:         []string{"bash"},
				},
			},
		},
	}
}
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`package clusters`

			`import (`
			`"context"`
			`"net/http"`
			`"net/http/httputil"`
			`"time"`

Add podimpersonation package 2020-07-19 20:55:34 +00:00			`"github.com/rancher/steve/pkg/podimpersonation"`
Shuffle around code and use rancher/apiserver 2020-06-12 04:50:59 +00:00			`"github.com/rancher/steve/pkg/stores/proxy"`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`"github.com/rancher/wrangler/pkg/schemas/validation"`
			`v1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apiserver/pkg/authentication/user"`
			`"k8s.io/apiserver/pkg/endpoints/request"`
			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/client-go/kubernetes/scheme"`
			`"k8s.io/client-go/rest"`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`)`

Add kubectl shell support 2020-06-01 22:59:38 +00:00			`type shell struct {`
Add podimpersonation package 2020-07-19 20:55:34 +00:00			`namespace string`
			`impersonator *podimpersonation.PodImpersonation`
			`cg proxy.ClientGetter`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`}`

Add kubectl shell support 2020-06-01 22:59:38 +00:00			`func (s shell) ServeHTTP(rw http.ResponseWriter, req http.Request) {`
			`ctx, user, client, err := s.contextAndClient(req)`
			`if err != nil {`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

Add podimpersonation package 2020-07-19 20:55:34 +00:00			`pod, err := s.impersonator.CreatePod(ctx, user, s.createPod(), &podimpersonation.PodOptions{`
			`Wait: true,`
			`})`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`if err != nil {`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`s.proxyRequest(rw, req, pod, client)`
			`}`

			`func (s shell) proxyRequest(rw http.ResponseWriter, req http.Request, pod *v1.Pod, client kubernetes.Interface) {`
			`attachURL := client.CoreV1().RESTClient().`
			`Get().`
			`Namespace(pod.Namespace).`
			`Resource("pods").`
			`Name(pod.Name).`
			`SubResource("attach").`
			`VersionedParams(&v1.PodAttachOptions{`
Fix shell 2020-06-22 16:41:48 +00:00			`Stdin: true,`
			`Stdout: true,`
			`Stderr: true,`
			`TTY: true,`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`Container: "shell",`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`}, scheme.ParameterCodec).URL()`

			`httpClient := client.CoreV1().RESTClient().(*rest.RESTClient).Client`
			`p := httputil.ReverseProxy{`
			`Director: func(req *http.Request) {`
			`req.URL = attachURL`
			`req.Host = attachURL.Host`
			`delete(req.Header, "Authorization")`
			`delete(req.Header, "Cookie")`
			`},`
			`Transport: httpClient.Transport,`
			`FlushInterval: time.Millisecond * 100,`
			`}`

			`p.ServeHTTP(rw, req)`
			`}`

			`func (s shell) contextAndClient(req http.Request) (context.Context, user.Info, kubernetes.Interface, error) {`
			`ctx := req.Context()`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`client, err := s.cg.AdminK8sInterface()`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`if err != nil {`
			`return ctx, nil, nil, err`
			`}`

			`user, ok := request.UserFrom(ctx)`
			`if !ok {`
			`return ctx, nil, nil, validation.Unauthorized`
			`}`

			`return ctx, user, client, nil`
			`}`

Add podimpersonation package 2020-07-19 20:55:34 +00:00			`func (s shell) createPod() v1.Pod {`
			`return &v1.Pod{`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`ObjectMeta: metav1.ObjectMeta{`
			`GenerateName: "dashboard-shell-",`
Add podimpersonation package 2020-07-19 20:55:34 +00:00			`Namespace: s.namespace,`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`},`
			`Spec: v1.PodSpec{`
Add podimpersonation package 2020-07-19 20:55:34 +00:00			`TerminationGracePeriodSeconds: new(int64),`
			`RestartPolicy: v1.RestartPolicyNever,`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`Containers: []v1.Container{`
			`{`
Add podimpersonation package 2020-07-19 20:55:34 +00:00			`Name: "shell",`
			`TTY: true,`
			`Stdin: true,`
			`StdinOnce: true,`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`Env: []v1.EnvVar{`
			`{`
			`Name: "KUBECONFIG",`
Add podimpersonation package 2020-07-19 20:55:34 +00:00			`Value: "/home/shell/.kube/config",`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`},`
			`},`
Increase security around cluster shell 2020-06-02 15:51:42 +00:00			`Image: "ibuildthecloud/shell:v0.0.1",`
			`ImagePullPolicy: v1.PullIfNotPresent,`
			`Command: []string{"bash"},`
			`},`
Add kubectl shell support 2020-06-01 22:59:38 +00:00			`},`
			`},`
			`}`
			`}`