Add workload_identity_labels to RoleCondition (#50071)

* Add WorkloadIdentityLabels field to role * Wire up access checker * Add validation for new field * Update CRDs * Add to terraform provider * Mispel some words to keep the republic happy * Add WorkloadIdentityLabelsExpression * Update Terraform provider * Add to operator CRD * PLS RUN CLA CHECK
gravitational · Dec 12, 2024 · 49c3083 · 49c3083
1 parent ca45908
commit 49c3083
Show file tree

Hide file tree

Showing 16 changed files with 2,656 additions and 2,085 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -3439,6 +3439,18 @@ message RoleConditions {
     (gogoproto.nullable) = false,
     (gogoproto.jsontag) = "github_permissions,omitempty"
   ];
+
+  // WorkloadIdentityLabels controls whether or not specific WorkloadIdentity
+  // resources can be invoked. Further authorization controls exist on the
+  // WorkloadIdentity resource itself.
+  wrappers.LabelValues WorkloadIdentityLabels = 44 [
+    (gogoproto.nullable) = false,
+    (gogoproto.jsontag) = "workload_identity_labels,omitempty",
+    (gogoproto.customtype) = "Labels"
+  ];
+  // WorkloadIdentityLabelsExpression is a predicate expression used to
+  // allow/deny access to issuing a WorkloadIdentity.
+  string WorkloadIdentityLabelsExpression = 45 [(gogoproto.jsontag) = "workload_identity_labels_expression,omitempty"];
 }
 
 // IdentityCenterAccountAssignment captures an AWS Identity Center account

diff --git a/api/types/role.go b/api/types/role.go
@@ -107,6 +107,13 @@ type Role interface {
 	// SetNodeLabels sets the map of node labels this role is allowed or denied access to.
 	SetNodeLabels(RoleConditionType, Labels)
 
+	// GetWorkloadIdentityLabels gets the map of node labels this role is
+	// allowed or denied access to.
+	GetWorkloadIdentityLabels(RoleConditionType) Labels
+	// SetWorkloadIdentityLabels sets the map of WorkloadIdentity labels this
+	// role is allowed or denied access to.
+	SetWorkloadIdentityLabels(RoleConditionType, Labels)
+
 	// GetAppLabels gets the map of app labels this role is allowed or denied access to.
 	GetAppLabels(RoleConditionType) Labels
 	// SetAppLabels sets the map of app labels this role is allowed or denied access to.
@@ -616,6 +623,25 @@ func (r *RoleV6) SetNodeLabels(rct RoleConditionType, labels Labels) {
 	}
 }
 
+// GetWorkloadIdentityLabels gets the map of WorkloadIdentity labels for
+// allow or deny.
+func (r *RoleV6) GetWorkloadIdentityLabels(rct RoleConditionType) Labels {
+	if rct == Allow {
+		return r.Spec.Allow.WorkloadIdentityLabels
+	}
+	return r.Spec.Deny.WorkloadIdentityLabels
+}
+
+// SetWorkloadIdentityLabels sets the map of WorkloadIdentity labels this role
+// is allowed or denied access to.
+func (r *RoleV6) SetWorkloadIdentityLabels(rct RoleConditionType, labels Labels) {
+	if rct == Allow {
+		r.Spec.Allow.WorkloadIdentityLabels = labels.Clone()
+	} else {
+		r.Spec.Deny.WorkloadIdentityLabels = labels.Clone()
+	}
+}
+
 // GetAppLabels gets the map of app labels this role is allowed or denied access to.
 func (r *RoleV6) GetAppLabels(rct RoleConditionType) Labels {
 	if rct == Allow {
@@ -1255,6 +1281,7 @@ func (r *RoleV6) CheckAndSetDefaults() error {
 		r.Spec.Allow.DatabaseLabels,
 		r.Spec.Allow.WindowsDesktopLabels,
 		r.Spec.Allow.GroupLabels,
+		r.Spec.Allow.WorkloadIdentityLabels,
 	} {
 		if err := checkWildcardSelector(labels); err != nil {
 			return trace.Wrap(err)
@@ -1970,6 +1997,8 @@ func (r *RoleV6) GetLabelMatchers(rct RoleConditionType, kind string) (LabelMatc
 		return LabelMatchers{cond.GroupLabels, cond.GroupLabelsExpression}, nil
 	case KindGitServer:
 		return r.makeGitServerLabelMatchers(cond), nil
+	case KindWorkloadIdentity:
+		return LabelMatchers{cond.WorkloadIdentityLabels, cond.WorkloadIdentityLabelsExpression}, nil
 	}
 	return LabelMatchers{}, trace.BadParameter("can't get label matchers for resource kind %q", kind)
 }
@@ -2023,6 +2052,10 @@ func (r *RoleV6) SetLabelMatchers(rct RoleConditionType, kind string, labelMatch
 		cond.GroupLabels = labelMatchers.Labels
 		cond.GroupLabelsExpression = labelMatchers.Expression
 		return nil
+	case KindWorkloadIdentity:
+		cond.WorkloadIdentityLabels = labelMatchers.Labels
+		cond.WorkloadIdentityLabelsExpression = labelMatchers.Expression
+		return nil
 	}
 	return trace.BadParameter("can't set label matchers for resource kind %q", kind)
 }

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_roles.mdx
@@ -74,6 +74,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.allow.account_assignments items
 
@@ -253,6 +255,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.deny.account_assignments items
 
@@ -535,6 +539,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.allow.account_assignments items
 
@@ -714,6 +720,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.deny.account_assignments items
 

diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv6.mdx
@@ -74,6 +74,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.allow.account_assignments items
 
@@ -253,6 +255,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.deny.account_assignments items
 

diff --git a/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx b/docs/pages/reference/operator-resources/resources.teleport.dev_rolesv7.mdx
@@ -74,6 +74,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.allow.account_assignments items
 
@@ -253,6 +255,8 @@ resource, which you can apply after installing the Teleport Kubernetes operator.
 |windows_desktop_labels|object|WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.|
 |windows_desktop_labels_expression|string|WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.|
 |windows_desktop_logins|[]string|WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.|
+|workload_identity_labels|object|WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.|
+|workload_identity_labels_expression|string|WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.|
 
 ### spec.deny.account_assignments items
 

diff --git a/docs/pages/reference/terraform-provider/data-sources/role.mdx b/docs/pages/reference/terraform-provider/data-sources/role.mdx
@@ -89,6 +89,8 @@ Optional:
 - `windows_desktop_labels` (Map of List of String) WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
+- `workload_identity_labels` (Map of List of String) WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
+- `workload_identity_labels_expression` (String) WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
 
 ### Nested Schema for `spec.allow.account_assignments`
 
@@ -285,6 +287,8 @@ Optional:
 - `windows_desktop_labels` (Map of List of String) WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
+- `workload_identity_labels` (Map of List of String) WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
+- `workload_identity_labels_expression` (String) WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
 
 ### Nested Schema for `spec.deny.account_assignments`
 

diff --git a/docs/pages/reference/terraform-provider/resources/role.mdx b/docs/pages/reference/terraform-provider/resources/role.mdx
@@ -143,6 +143,8 @@ Optional:
 - `windows_desktop_labels` (Map of List of String) WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
+- `workload_identity_labels` (Map of List of String) WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
+- `workload_identity_labels_expression` (String) WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
 
 ### Nested Schema for `spec.allow.account_assignments`
 
@@ -339,6 +341,8 @@ Optional:
 - `windows_desktop_labels` (Map of List of String) WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops.
 - `windows_desktop_labels_expression` (String) WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops.
 - `windows_desktop_logins` (List of String) WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops.
+- `workload_identity_labels` (Map of List of String) WorkloadIdentityLabels controls whether or not specific WorkloadIdentity resources can be invoked. Further authorization controls exist on the WorkloadIdentity resource itself.
+- `workload_identity_labels_expression` (String) WorkloadIdentityLabelsExpression is a predicate expression used to allow/deny access to issuing a WorkloadIdentity.
 
 ### Nested Schema for `spec.deny.account_assignments`
 

diff --git a/...teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml b/...teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml
@@ -607,6 +607,17 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  workload_identity_labels:
+                    additionalProperties:
+                      x-kubernetes-preserve-unknown-fields: true
+                    description: WorkloadIdentityLabels controls whether or not specific
+                      WorkloadIdentity resources can be invoked. Further authorization
+                      controls exist on the WorkloadIdentity resource itself.
+                    type: object
+                  workload_identity_labels_expression:
+                    description: WorkloadIdentityLabelsExpression is a predicate expression
+                      used to allow/deny access to issuing a WorkloadIdentity.
+                    type: string
                 type: object
               deny:
                 description: Deny is the set of conditions evaluated to deny access.
@@ -1184,6 +1195,17 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  workload_identity_labels:
+                    additionalProperties:
+                      x-kubernetes-preserve-unknown-fields: true
+                    description: WorkloadIdentityLabels controls whether or not specific
+                      WorkloadIdentity resources can be invoked. Further authorization
+                      controls exist on the WorkloadIdentity resource itself.
+                    type: object
+                  workload_identity_labels_expression:
+                    description: WorkloadIdentityLabelsExpression is a predicate expression
+                      used to allow/deny access to issuing a WorkloadIdentity.
+                    type: string
                 type: object
               options:
                 description: Options is for OpenSSH options like agent forwarding.
@@ -2058,6 +2080,17 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  workload_identity_labels:
+                    additionalProperties:
+                      x-kubernetes-preserve-unknown-fields: true
+                    description: WorkloadIdentityLabels controls whether or not specific
+                      WorkloadIdentity resources can be invoked. Further authorization
+                      controls exist on the WorkloadIdentity resource itself.
+                    type: object
+                  workload_identity_labels_expression:
+                    description: WorkloadIdentityLabelsExpression is a predicate expression
+                      used to allow/deny access to issuing a WorkloadIdentity.
+                    type: string
                 type: object
               deny:
                 description: Deny is the set of conditions evaluated to deny access.
@@ -2635,6 +2668,17 @@ spec:
                       type: string
                     nullable: true
                     type: array
+                  workload_identity_labels:
+                    additionalProperties:
+                      x-kubernetes-preserve-unknown-fields: true
+                    description: WorkloadIdentityLabels controls whether or not specific
+                      WorkloadIdentity resources can be invoked. Further authorization
+                      controls exist on the WorkloadIdentity resource itself.
+                    type: object
+                  workload_identity_labels_expression:
+                    description: WorkloadIdentityLabelsExpression is a predicate expression
+                      used to allow/deny access to issuing a WorkloadIdentity.
+                    type: string
                 type: object
               options:
                 description: Options is for OpenSSH options like agent forwarding.