b/433135671 Enable groups for GKE RBAC (#731)

* Introduce `gkeEnabled` to control whether a group should be usable for GKE RBAC
* Automatically add (or remove) the group to `gke-security-groups`  to expose it to GKE
* Relax access settings for GKE-enabled groups to comply with the GKE requirements

Author: jpassing

doc/site/sources/docs/policy-reference.md

@@ -151,7 +151,7 @@ A JIT group represents a job function or role and bundles all access that's requ
 perform this job function or role.
 
 
-```yaml hl_lines="7-12"
+```yaml hl_lines="7-13"
 ...
 environment:
   ...
@@ -160,6 +160,7 @@ environment:
     groups:
     - name: "datamart-admins"
       description: "Admin-level access to data and stuff"
+      gkeEnabled: true
       access: []
       constraints:
         join: []
@@ -182,6 +183,15 @@ environment:
 :   Text that describes the purpose of the JIT group. The text is shown in the user interface and
     is for informational purposes only.
 
+`gkeEnabled` **Optional** (Default: `false`)
+
+:   When set to `true`, JIT Groups configures the group so that it can be used for
+    [Google Kubernetes Engine RBAC](https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac):
+
+    +   The Cloud Identity group's access settings are relaxed so that members of the group are 
+        allowed to list all group members.
+    +   The Cloud Identity group is added to `gke-security-groups`.
+
 `access` **Optional**
 
 :   [Access control list](#access-control-list) (ACL) for the JIT Group. The ACL controls 

sources/src/main/java/com/google/solutions/jitaccess/apis/clients/CloudIdentityGroupsClient.java

@@ -33,7 +33,9 @@
 import com.google.solutions.jitaccess.auth.IamPrincipalId;
 import com.google.solutions.jitaccess.common.Coalesce;
 import jakarta.inject.Singleton;
+import org.crac.Resource;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import java.io.IOException;
 import java.time.Instant;
@@ -61,8 +63,8 @@ public class CloudIdentityGroupsClient {
   private final @NotNull HttpTransport.Options httpOptions;
 
   /**
-   * Settings for new groups:
-   * <p>
+   * Default, restrictive access settings:
+   *
    * - Allow external members.
    * - Disable most self-service features on groups.google.com to
    *   the extent possible.
@@ -87,6 +89,12 @@ public class CloudIdentityGroupsClient {
     .setWhoCanViewGroup("ALL_MANAGERS_CAN_VIEW")
     .setWhoCanViewMembership("ALL_MANAGERS_CAN_VIEW");
 
+  /**
+   * GKE compatible access settings.
+   */
+  private  final @NotNull Groups GKE_COMPATIBLE = RESTRICTED_SETTINGS
+    .setWhoCanViewMembership("ALL_MEMBERS_CAN_VIEW");
+
   public CloudIdentityGroupsClient(
     @NotNull GoogleCredentials credentials,
     @NotNull Options options,
@@ -148,21 +156,27 @@ private static void translateAndThrowApiException(
     }
   }
 
-
   /**
    * Update group settings to restrictive defaults.
    */
-  private void restrictGroupSettings(@NotNull GroupId emailAddress) throws IOException {
+  private void setGroupAccess(
+    @NotNull GroupId emailAddress,
+    @NotNull AccessProfile profile
+  ) throws IOException {
     var settingsClient = createSettingsClient();
 
+    var settings = profile == AccessProfile.GkeCompatible
+      ? this.GKE_COMPATIBLE
+      : this.RESTRICTED_SETTINGS;
+
     //
     // The group settings API is prone to fail for newly created groups.
     //
     for (int attempt = 0; attempt < MAX_GROUP_SETTINGS_PATCH_ATTEMPTS; attempt++) {
       try {
         settingsClient
           .groups()
-          .update(emailAddress.email, this.RESTRICTED_SETTINGS)
+          .update(emailAddress.email, settings)
           .execute();
 
         //
@@ -271,29 +285,15 @@ private void restrictGroupSettings(@NotNull GroupId emailAddress) throws IOExcep
     return lookupGroup(createClient(), groupId);
   }
 
-  public enum GroupType {
-    /**
-     * Normal group. Creating this type of group doesn't require special
-     * privileges.
-     */
-    DiscussionForum,
-
-    /**
-     * Security group. Creating this type of group requires the 'Groups Admin'
-     * admin role, or an equivalent custom role that has the privilege to
-     * assign security labels.
-     */
-    Security
-  }
-
   /**
    * Create group in an idempotent way.
    */
   public @NotNull GroupKey createGroup(
     @NotNull GroupId emailAddress,
     @NotNull GroupType type,
     @NotNull String displayName,
-    @NotNull String description
+    @NotNull String description,
+    @NotNull AccessProfile accessProfile
   ) throws AccessException, IOException {
     try {
       var labels = new HashMap<String, String>();
@@ -372,7 +372,7 @@ public enum GroupType {
       //
       // Lock down group settings.
       //
-      restrictGroupSettings(emailAddress);
+      setGroupAccess(emailAddress, accessProfile);
 
       return groupKey;
     }
@@ -515,11 +515,12 @@ public void deleteGroup(
   /**
    * Delete a group membership in an idempotent way.
    */
-  public void deleteMembership(
+  private void deleteMembership(
+    @NotNull CloudIdentity client,
     @NotNull MembershipId membershipId
   ) throws AccessException, IOException {
     try {
-      createClient()
+      client
         .groups()
         .memberships()
         .delete(membershipId.id)
@@ -537,6 +538,46 @@ public void deleteMembership(
     }
   }
 
+  /**
+   * Delete a group membership in an idempotent way.
+   */
+  public void deleteMembership(
+    @NotNull MembershipId membershipId
+  ) throws AccessException, IOException {
+    deleteMembership(createClient(), membershipId);
+  }
+
+  /**
+   * Delete a group membership in an idempotent way.
+   */
+  public void deleteMembership(
+    @NotNull GroupKey groupKey,
+    @NotNull IamPrincipalId member
+  ) throws AccessException, IOException {
+    var client = createClient();
+
+    //
+    // Lookup membership, assuming it exists.
+    //
+    MembershipId membershipId;
+    try
+    {
+      membershipId = lookupGroupMembership(
+        client,
+        groupKey,
+        member);
+    }
+    catch (AccessException e)
+    {
+      //
+      // Membership doesn't exist, so there's nothing to delete.
+      //
+      return;
+    }
+
+    deleteMembership(client, membershipId);
+  }
+
   private @NotNull MembershipId updateMembership(
     @NotNull CloudIdentity client,
     @NotNull GroupKey groupKey,
@@ -572,15 +613,18 @@ public void deleteMembership(
     @NotNull CloudIdentity client,
     @NotNull GroupKey groupKey,
     @NotNull IamPrincipalId member,
-    @NotNull Instant expiry
+    @Nullable Instant expiry
   ) throws AccessException, IOException {
     var role = new MembershipRole()
-      .setName("MEMBER")
-      .setExpiryDetail(new ExpiryDetail()
+      .setName("MEMBER");
+
+    if (expiry != null) {
+      role.setExpiryDetail(new ExpiryDetail()
         .setExpireTime(expiry
           .atOffset(ZoneOffset.UTC)
           .truncatedTo(ChronoUnit.SECONDS)
           .format(DateTimeFormatter.ISO_DATE_TIME)));
+    }
 
     try {
       //
@@ -619,6 +663,31 @@ public void deleteMembership(
     }
   }
 
+  /**
+   * Permanently add a member to a group in an idempotent way.
+   */
+  public @NotNull MembershipId addPermanentMembership(
+    @NotNull GroupKey groupKey,
+    @NotNull IamPrincipalId member
+  ) throws AccessException, IOException {
+    return addMembership(createClient(), groupKey, member, null);
+  }
+
+  /**
+   * Permanently add a member to a group in an idempotent way.
+   */
+  public @NotNull MembershipId addPermanentMembership(
+    @NotNull GroupId groupId,
+    @NotNull IamPrincipalId member
+  ) throws AccessException, IOException {
+    var client = createClient();
+    return addMembership(
+      client,
+      lookupGroup(client, groupId),
+      member,
+      null);
+  }
+
   /**
    * Add a member to a group in an idempotent way.
    */
@@ -627,6 +696,7 @@ public void deleteMembership(
     @NotNull IamPrincipalId member,
     @NotNull Instant expiry
   ) throws AccessException, IOException {
+    Preconditions.checkNotNull(expiry, "expiry");
     return addMembership(createClient(), groupKey, member, expiry);
   }
 
@@ -638,6 +708,8 @@ public void deleteMembership(
     @NotNull IamPrincipalId member,
     @NotNull Instant expiry
   ) throws AccessException, IOException {
+    Preconditions.checkNotNull(expiry, "expiry");
+
     var client = createClient();
     return addMembership(
       client,
@@ -833,9 +905,36 @@ public void deleteMembership(
   }
 
   //---------------------------------------------------------------------------
-  // Inner classes.
+  // Inner types.
   //---------------------------------------------------------------------------
 
+  public enum GroupType {
+    /**
+     * Normal group. Creating this type of group doesn't require special
+     * privileges.
+     */
+    DiscussionForum,
+
+    /**
+     * Security group. Creating this type of group requires the 'Groups Admin'
+     * admin role, or an equivalent custom role that has the privilege to
+     * assign security labels.
+     */
+    Security
+  }
+
+  public enum AccessProfile {
+    /**
+     * Use restrictive access settings.
+     */
+    Restricted,
+
+    /**
+     * Use access settings that are restrictive, but still compatible GKE RBAC.
+     */
+    GkeCompatible
+  }
+
   public record MembershipId(String id) {}
 
   public record Options(

sources/src/main/java/com/google/solutions/jitaccess/catalog/legacy/LegacyPolicy.java

@@ -436,6 +436,7 @@ private RolePolicy(
         acl,
         constraints,
         privileges,
+        false,
         NAME_MAX_LENGTH);
     }
 

sources/src/main/java/com/google/solutions/jitaccess/catalog/policy/JitGroupPolicy.java

@@ -38,14 +38,17 @@
 public class JitGroupPolicy extends AbstractPolicy {
   static final String NAME_PATTERN = "^[a-zA-Z0-9\\-]+$";
   static final int NAME_MAX_LENGTH = 24;
+
   private final @NotNull List<Privilege> privileges;
+  private final boolean gkeEnabled;
 
   protected JitGroupPolicy(
     @NotNull String name,
     @NotNull String description,
     @Nullable AccessControlList acl,
     @NotNull Map<ConstraintClass, Collection<Constraint>> constraints,
     @NotNull List<Privilege> privileges,
+    boolean gkeEnabled,
     int maxNameLength
   ) {
     super(name, description, acl, constraints);
@@ -60,31 +63,33 @@ protected JitGroupPolicy(
     Preconditions.checkNotNull(privileges, "Privileges must not be null");
 
     this.privileges = privileges;
+    this.gkeEnabled = gkeEnabled;
   }
 
   public JitGroupPolicy(
     @NotNull String name,
     @NotNull String description,
     @Nullable AccessControlList acl,
     @NotNull Map<ConstraintClass, Collection<Constraint>> constraints,
-    @NotNull List<Privilege> privileges
+    @NotNull List<Privilege> privileges,
+    boolean gkeEnabled
   ) {
-    this(name, description, acl, constraints, privileges, NAME_MAX_LENGTH);
+    this(name, description, acl, constraints, privileges, gkeEnabled, NAME_MAX_LENGTH);
   }
 
   public JitGroupPolicy(
     @NotNull String name,
     @NotNull String description,
     @Nullable AccessControlList acl
   ) {
-    this(name, description, acl, Map.of(), List.of());
+    this(name, description, acl, Map.of(), List.of(), false);
   }
 
   public JitGroupPolicy(
     @NotNull String name,
     @NotNull String description
   ) {
-    this(name, description, null, Map.of(), List.of());
+    this(name, description, null, Map.of(), List.of(), false);
   }
 
   /**
@@ -112,6 +117,13 @@ public JitGroupPolicy(
     return this.privileges;
   }
 
+  /**
+   * Indicates if this group can be used for GKE RBAC.
+   */
+  public boolean isGkeEnabled() {
+    return this.gkeEnabled;
+  }
+
   /**
    * Analyze access for a subject.
    */