KEP-3325: Auth API to get self user attributes

[nabokihms]

• One-line PR description: Auth API to get self user attributes

• Issue link: Auth API to get self user attributes #3325

• Other comments: -

[k8s-ci-robot]

Welcome @nabokihms!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @nabokihms. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[enj]

/assign

[deads2k]

Calling out to other reviewers. I'm ok with this position.

also typo: s/pf/of

I think it's worth explain that it's not part of conformance because the possession of a token does not necessarily imply the power to know who that token belongs to.

[nabokihms]

Good point. I extended the note.

[deads2k]

A GET request? Can you specify the exact URL of the request please?

OpenShift uses /apis/user.openshift.io/v1/users/~ as I recall, which has aged decently well. I'm open to others, but we should be specific.

[nabokihms]

I added an example of the request URL and the HTTP method.

[deads2k]

This design looks reasonable to me. I'd like to see

1. the exact URL we'll be accessing
2. the http method we'll be using
3. the proposed RBAC rule that grants access by default
4. whether the RBAC rule is always present or only conditionally present (I suggest always present)
5. the command line flag used to disable this API if a cluster-admin wants it off

Once those are cleared up, I'm ok proceeding if the others agree as well. I would review an implementation PR for this if you get me on slack for it.

The PRR lgtm, but I don't want to pre-approve this PR. cc @johnbelamaric

As I recall, @enj had opinions about the shape as well and @mikedanese had comments about what powers the possession of a token should imply. I think guaranteeing this won't be added to conformance, explaining why, and showing how it can be disabled would satisfy his needs, but please confirm.

/assign @enj @mikedanese

[nabokihms]

@deads2k, thank you for the review!

1,2. Added an example of the request URL and the HTTP method for it
3,4. Described RBAC rules in detail
5. Mentioned how to disable the API.

[enj]

This is pretty close. @mikedanese PTAL.

[enj]

Disabling token review isn't practical? I am fine with this not being part of conformance but I think denying this via a validating admission webhook seems more practical (which is possible since this is a create).

@deads2k you mentioned:

the command line flag used to disable this API if a cluster-admin wants it off

Is that requesting a specific flag that disables this one API?

[nabokihms]

The note about using validating webhook was added. Thanks for the hint.

[nabokihms]

There is the KEP #3137 that extended the runtime-config option to be able to disable a single resource of an API like this:

--runtime-config=authentication.k8s.io/v1alpha1/selfsubjectattributesreview=false

Added a note about it to the KEP.

[liggitt]

This API is enabled by default

which API is this referring to? the selfsubjectattributesreviews API would not be enabled by default until it reaches GA

[nabokihms]

It was a suggestion from @deads2k to add a note about how users can disable the selfsubjectattributesreview API. I will mention that the note about disabling only becomes relevant once the selfsubjectattributesreview API reaches GA.

[enj]

/ok-to-test
/lgtm
/approve
/milestone v1.25

[nabokihms]

/retest

[enj]

/lgtm

[johnbelamaric]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, johnbelamaric, nabokihms

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [johnbelamaric]
• keps/sig-auth/OWNERS [enj,johnbelamaric]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment