-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-4633: Graduate to BETA. #4798
Conversation
vinayakankugoyal
commented
Aug 21, 2024
- One-line PR description: Graduate KEP-4633 to BETA.
- Issue link: Only allow anonymous auth for configured endpoints. #4633
- Other comments:
81a14bc
to
e8f27cf
Compare
673d4ab
to
384cf00
Compare
@@ -1008,7 +1073,7 @@ Why should this KEP _not_ be implemented? | |||
The following should be resolved before this goes to `beta`: | |||
|
|||
- Should we apply any restrictions here to anonymous `userInfo` that comes back |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@liggitt we need to make a call on addressing this. What are your thoughts? I think while it is related to authentication it is a separate concern from the intent of the KEP itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A user that arrives authenticated and is allowed to impersonate system:anonymous is not actually anonymous. I think that is out of scope for this KEP.
This KEP is focused on giving cluster admins a tool to constrain actually anonymous requests. I think it is reasonable to expect cluster admins 1) also control their other configured authenticators, and that 2) other authenticators don't authenticate as system:anonymous
.
Admins can already disallow system:anonymous
being returned from configured JWT authenticators via userValidationRules
. If we wanted to add more options to webhook authenticators and add userValidationRules
capabilities there as well, we could consider that, but that is a separate effort.
I wouldn't fold in changes for those to this KEP. You could summarize that and move that discussion to a "possible future improvements" section if you want and delete the "Open Questions for BETA" section
keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md
Outdated
Show resolved
Hide resolved
keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md
Outdated
Show resolved
Hide resolved
384cf00
to
9961d33
Compare
lgtm once the "open questions" bit is moved to "possible future improvements" |
9961d33
to
b70b377
Compare
Done! Thanks. |
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
b70b377
to
4e51e03
Compare
/lgtm |
/assign @jpbetz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
For PRR
Thanks for the attention to detail here.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jpbetz, liggitt, vinayakankugoyal The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |