Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-4633: Graduate to BETA. #4798

Merged
merged 1 commit into from
Sep 3, 2024
Merged

KEP-4633: Graduate to BETA. #4798

merged 1 commit into from
Sep 3, 2024
+117 −29

Conversation

vinayakankugoyal
Copy link
Contributor

  • One-line PR description: Graduate KEP-4633 to BETA.
  • Other comments:

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 21, 2024
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 21, 2024
@vinayakankugoyal vinayakankugoyal mentioned this pull request Aug 21, 2024
Open
16 tasks
vinayakankugoyal
vinayakankugoyal commented Aug 21, 2024
View reviewed changes
keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md Outdated
@@ -1008,7 +1073,7 @@ Why should this KEP _not_ be implemented?
The following should be resolved before this goes to `beta`:

- Should we apply any restrictions here to anonymous `userInfo` that comes back
Copy link
Contributor Author

@vinayakankugoyal vinayakankugoyal Aug 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt we need to make a call on addressing this. What are your thoughts? I think while it is related to authentication it is a separate concern from the intent of the KEP itself.

Copy link
Member

@liggitt liggitt Aug 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A user that arrives authenticated and is allowed to impersonate system:anonymous is not actually anonymous. I think that is out of scope for this KEP.

This KEP is focused on giving cluster admins a tool to constrain actually anonymous requests. I think it is reasonable to expect cluster admins 1) also control their other configured authenticators, and that 2) other authenticators don't authenticate as system:anonymous.

Admins can already disallow system:anonymous being returned from configured JWT authenticators via userValidationRules. If we wanted to add more options to webhook authenticators and add userValidationRules capabilities there as well, we could consider that, but that is a separate effort.

I wouldn't fold in changes for those to this KEP. You could summarize that and move that discussion to a "possible future improvements" section if you want and delete the "Open Questions for BETA" section

@liggitt
Copy link
Member

liggitt commented Aug 29, 2024

lgtm once the "open questions" bit is moved to "possible future improvements"

@liggitt liggitt added this to the v1.32 milestone Aug 29, 2024
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 29, 2024
@vinayakankugoyal
Copy link
Contributor Author

lgtm once the "open questions" bit is moved to "possible future improvements"

Done! Thanks.

@vinayakankugoyal
KEP-4633: Graduate to BETA.
4e51e03 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
@liggitt
Copy link
Member

liggitt commented Aug 29, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2024
@liggitt
Copy link
Member

liggitt commented Aug 29, 2024

/assign @jpbetz
for PRR

jpbetz
jpbetz reviewed Sep 3, 2024
View reviewed changes
Copy link
Contributor

@jpbetz jpbetz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
For PRR
Thanks for the attention to detail here.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpbetz, liggitt, vinayakankugoyal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 3, 2024
@k8s-ci-robot k8s-ci-robot merged commit 7e1c131 into kubernetes:master Sep 3, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpbetz jpbetz jpbetz left review comments

@aojea aojea aojea left review comments

@enj enj Awaiting requested review from enj

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@jpbetz jpbetz

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Auth
Status: Closed / Done
Milestone
v1.32
Development

Successfully merging this pull request may close these issues.
5 participants
@vinayakankugoyal @liggitt @k8s-ci-robot @jpbetz @aojea