-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-3325: Auth API to get self user attributes #3326
KEP-3325: Auth API to get self user attributes #3326
Conversation
nabokihms
commented
May 30, 2022
- One-line PR description: Auth API to get self user attributes
- Issue link: Auth API to get self user attributes #3325
- Other comments: -
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
Welcome @nabokihms! |
Hi @nabokihms. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign |
|
||
- Corresponding kubectl command implemented | ||
|
||
NOTE: Should not be a part pf [conformance tests](https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Calling out to other reviewers. I'm ok with this position.
also typo: s/pf/of
I think it's worth explain that it's not part of conformance because the possession of a token does not necessarily imply the power to know who that token belongs to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I extended the note.
} | ||
``` | ||
|
||
On receiving a request, the Kubernetes API server fills the status with the user attributes and returns it to the user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A GET request? Can you specify the exact URL of the request please?
OpenShift uses /apis/user.openshift.io/v1/users/~
as I recall, which has aged decently well. I'm open to others, but we should be specific.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added an example of the request URL and the HTTP method.
This design looks reasonable to me. I'd like to see
Once those are cleared up, I'm ok proceeding if the others agree as well. I would review an implementation PR for this if you get me on slack for it. The PRR lgtm, but I don't want to pre-approve this PR. cc @johnbelamaric As I recall, @enj had opinions about the shape as well and @mikedanese had comments about what powers the possession of a token should imply. I think guaranteeing this won't be added to conformance, explaining why, and showing how it can be disabled would satisfy his needs, but please confirm. /assign @enj @mikedanese |
* Provide an example for the request and response * Add the note about how to disable the API Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
@deads2k, thank you for the review! 1,2. Added an example of the request URL and the HTTP method for it |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is pretty close. @mikedanese PTAL.
This API is enabled by default and can be disabled by the following kube-apiserver flag (along with the TokenReview API). | ||
``` | ||
--runtime-config=authentication.k8s.io/v1=false | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Disabling token review isn't practical? I am fine with this not being part of conformance but I think denying this via a validating admission webhook seems more practical (which is possible since this is a create
).
@deads2k you mentioned:
the command line flag used to disable this API if a cluster-admin wants it off
Is that requesting a specific flag that disables this one API?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The note about using validating webhook was added. Thanks for the hint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is the KEP #3137 that extended the runtime-config option to be able to disable a single resource of an API like this:
--runtime-config=authentication.k8s.io/v1alpha1/selfsubjectattributesreview=false
Added a note about it to the KEP.
Co-authored-by: Mo Khan <theenjeru@gmail.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
4d49551
to
431b422
Compare
c52fcc5
to
144f269
Compare
- create | ||
``` | ||
|
||
This API is enabled by default and can be disabled by using one of the following options: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This API is enabled by default
which API is this referring to? the selfsubjectattributesreviews API would not be enabled by default until it reaches GA
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was a suggestion from @deads2k to add a note about how users can disable the selfsubjectattributesreview API. I will mention that the note about disabling only becomes relevant once the selfsubjectattributesreview API reaches GA.
Co-authored-by: Mo Khan <theenjeru@gmail.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
…PI reaches GA Co-authored-by: Mo Khan <theenjeru@gmail.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
/ok-to-test |
Co-authored-by: Mo Khan <theenjeru@gmail.com> Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
6aee303
to
9f17245
Compare
/retest |
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, johnbelamaric, nabokihms The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |