Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-4601: authorize with field and label selectors #4600

Merged
merged 11 commits into from
Jun 6, 2024
Merged

KEP-4601: authorize with field and label selectors #4600

merged 11 commits into from
Jun 6, 2024
+917 −0

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Apr 26, 2024

Still in progress, but the bones are here.

/assign @liggitt
/assign @micahhausler
/cc @enj

  • One-line PR description:
  • Issue link:
  • Other comments:

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 26, 2024
@k8s-ci-robot k8s-ci-robot requested a review from enj April 26, 2024 20:26
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Apr 26, 2024
@deads2k deads2k mentioned this pull request Apr 26, 2024
Open
8 tasks
@deads2k deads2k changed the title [wip] authorize with field and label selectors KEP-4601: authorize with field and label selectors Apr 26, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 26, 2024
liggitt
liggitt reviewed May 2, 2024
View reviewed changes
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
liggitt
liggitt reviewed May 7, 2024
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

update looks pretty good to me, a couple more questions / some maybe-stale docs

keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
luxas
luxas reviewed May 8, 2024
View reviewed changes
Copy link
Member

@luxas luxas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @deads2k for writing this!

Very excited to get this going, happy to help out on some of the implementation as well 👍

I'm concerned about the sprawl of having two almost-identical representations, but not really in the SAR body. I'm all for making good, canonical client-/server-side libraries instead that wrap the complexity, and contain it there. Just such a thing as anding all requirements together into something that is equivalent but easily comparable/understandable is non-trivial unless one thinks a little bit deeper about the set theoretics.

keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
@enj enj mentioned this pull request May 8, 2024
Closed
liggitt
liggitt reviewed May 14, 2024
View reviewed changes
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4601-authorize-with-selectors/README.md Outdated Show resolved Hide resolved
@deads2k deads2k force-pushed the label-selector-permissions branch from 9b402f1 to fbfcfc7 Compare May 22, 2024 18:53
@deads2k deads2k mentioned this pull request May 23, 2024
Closed
@liggitt liggitt mentioned this pull request May 29, 2024
Merged
@deads2k deads2k added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jun 4, 2024
@liggitt
Copy link
Member

liggitt commented Jun 6, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 6, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 91fb85c into kubernetes:master Jun 6, 2024
4 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone Jun 6, 2024
@mtaufen
Copy link
Contributor

mtaufen commented Jun 7, 2024
edited
Loading

Exploring this further: If authorizers could inject label selectors, instead of just checking them, and if label selectors were supported on ALL verbs, then would it essentially become possible to write label-based RBAC, without client changes?

I think at least one remaining issue would be list/watch consistency across RBAC policy changes, as it's dangerous for that to be transparent to clients since it would be similar to "missed" events, and could desync informers. It would open up some really interesting policy use cases if we can solve that problem though.

@liggitt
Copy link
Member

liggitt commented Jun 7, 2024

If authorizers could inject label selectors

I'm not sure I understand this... authorizers do not modify requests, they authorize attributes of the request... what you're describing does not sound like an authorizer but a mediating client or proxy of some kind

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpbetz jpbetz jpbetz left review comments

@mtaufen mtaufen mtaufen left review comments

@liggitt liggitt liggitt left review comments

@luxas luxas luxas left review comments

@enj enj enj left review comments

@wojtek-t wojtek-t wojtek-t left review comments

Assignees

@micahhausler micahhausler

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
SIG Auth
Archived in project
Milestone
v1.31
Development

Successfully merging this pull request may close these issues.
9 participants
@deads2k @liggitt @k8s-ci-robot @mtaufen @jpbetz @luxas @enj @wojtek-t @micahhausler