-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-4601: authorize with field and label selectors #4600
KEP-4601: authorize with field and label selectors #4600
Conversation
d4761ea
to
9e62084
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update looks pretty good to me, a couple more questions / some maybe-stale docs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @deads2k for writing this!
Very excited to get this going, happy to help out on some of the implementation as well 👍
I'm concerned about the sprawl of having two almost-identical representations, but not really in the SAR body. I'm all for making good, canonical client-/server-side libraries instead that wrap the complexity, and contain it there. Just such a thing as anding all requirements together into something that is equivalent but easily comparable/understandable is non-trivial unless one thinks a little bit deeper about the set theoretics.
9b402f1
to
fbfcfc7
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Exploring this further: If authorizers could inject label selectors, instead of just checking them, and if label selectors were supported on ALL verbs, then would it essentially become possible to write label-based RBAC, without client changes? I think at least one remaining issue would be list/watch consistency across RBAC policy changes, as it's dangerous for that to be transparent to clients since it would be similar to "missed" events, and could desync informers. It would open up some really interesting policy use cases if we can solve that problem though. |
I'm not sure I understand this... authorizers do not modify requests, they authorize attributes of the request... what you're describing does not sound like an authorizer but a mediating client or proxy of some kind |
Still in progress, but the bones are here.
/assign @liggitt
/assign @micahhausler
/cc @enj