Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Role-based access control (RBAC) #2

Closed
erictune opened this issue May 3, 2016 · 67 comments
Closed

Role-based access control (RBAC) #2

erictune opened this issue May 3, 2016 · 67 comments
Assignees
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Milestone

Comments

@erictune
Copy link
Member

erictune commented May 3, 2016

Feature Description

  • One-line feature description (can be used as a release note): Role-based access control
  • Primary contact (assignee): @ericchiang @deads2k @liggitt
  • Responsible SIGs: sig-auth
  • Design proposal link (community repo):
  • Reviewer(s): @deads2k @ericchiang
  • Approver (likely from SIG/area to which feature belongs): @erictune @smarterclayton
  • Feature target (which target equals to which milestone):
    • Alpha release target - 1.3
    • Beta release target - 1.6
    • Stable release target - 1.8

kubernetes/kubernetes#25634
kubernetes/kubernetes#26753
kubernetes/website#643

@liggitt
Copy link
Member

liggitt commented May 3, 2016

it’s astonishing how much checklists on github make me want to do whatever it takes to complete them

@ericchiang
Copy link
Contributor

An update on this issue for alpha.

TODO before alpha release

  • Complete testing by adding integration tests
  • Add minimal documentation to kubernetes/kubernetes.github.io
  • Write release notes

@philips
Copy link
Contributor

philips commented May 31, 2016

@erictune As we can't update this issue I think you have to check the boxes based on @ericchiang's comment #2 (comment)

@philips
Copy link
Contributor

philips commented Jun 8, 2016

Ping @erictune cc @ericchiang

@erictune erictune changed the title Upstream Openshift Authz Role-base access control Jun 9, 2016
@erictune
Copy link
Member Author

erictune commented Jun 9, 2016

The API group name "rbac.authorization.k8s.io/v1alpha1" is really long. Perhaps for Beta or GA we can shorten it somehow.

@erictune
Copy link
Member Author

erictune commented Jun 15, 2016

For beta, we need to:

@ericchiang
Copy link
Contributor

ericchiang commented Jun 15, 2016

A couple other notes (not necessarily for beta)

  • Add some basic caching mechanisms to the authorizer implementation. It's currently using a naive implementation that just queries the API group each time. - added in 1.6
  • Get feedback on the bootstrapping procedure (--authorizer-rbac-super-user) - flag is removed in 1.6, default cluster roles/rolebindings are reconciled at startup
  • Get feedback on the privilege escalation checks. Do these make sense, should an admin be able to turn them off or get around them some other way, etc.) - cluster admin can make API calls against unsecured port or as the system:masters superuser group to bypass escalation checks

@liggitt
Copy link
Member

liggitt commented Jun 15, 2016

Not sure I'd consider choosing a default role for service accounts in rbac a breaking change. Authorizer settings have always been able to limit service account permissions.

@guoshimin
Copy link

Hi @erictune will RBAC in 1.3 have the ability to make policy decisions based on the attributes in the requested API object? Such as specifying what secrets can a pod mount as a volume? Looking over the code seems the answer is no, but I'd like to confirm. Thanks!

@ericchiang
Copy link
Contributor

@guoshimin no. For alpha RBAC will only deal with top level objects. No field level authorization.

@olegshaldybin has a large proposal in kubernetes/kubernetes#27330. You may want to take a look at the discussion there.

@liggitt
Copy link
Member

liggitt commented Jun 16, 2016

no, RBAC is object-level, not field-level.

@erictune erictune changed the title Role-base access control Role-bases access control Jun 24, 2016
@erictune erictune removed their assignment Jun 24, 2016
@erictune erictune changed the title Role-bases access control Role-based access control Jun 24, 2016
@ericchiang
Copy link
Contributor

Also realized that we don't have garbage collection (cleaning up role bindings to deleted roles). This would probably be something good to add to the beta release.

@deads2k
Copy link
Contributor

deads2k commented Jun 30, 2016

I'd like to see an intent-based, idempotent API for binding roles to subjects. Something where I can post: "bind role/foo to user/bar" or "delete role/foo from group/bar" and not have to worry about the details of exactly which named binding needs to be mutated.

I think we should also consider a way to select which roles and subjects a given subject is allowed to bind. Right now, Jane in namespace J can forcibly add David to her namespace and there's nothing he can do about it. In addition, a permission granting role has value since the person handing out permissions may not want to have all the powers he's granting.

@alexbrand
Copy link

An intent-based API for managing policy sounds great. Just out of curiosity - Are there existing intent-based APIs in K8s?

@deads2k
Copy link
Contributor

deads2k commented Jun 30, 2016

An intent-based API for managing policy sounds great. Just out of curiosity - Are there existing intent-based APIs in K8s?

The existing bindings endpoint comes to mind. I can't actually think of other resources where the primary usage is through mutation of existing resources instead of creation of new ones. Maintaining individual tuples doesn't seem like it would be a good idea though.

@erictune
Copy link
Member Author

erictune commented Jul 9, 2016

Request for a non-flag way to turn off bootstrapping mode (kubernetes/kubernetes#25634 (comment)) @jimmycuadra

@ericchiang
Copy link
Contributor

I'm a little confused by that comment.

@jimmycuadra why do you need to turn this off the bootstrapping flag in the first place? I don't actually see anything in that post which explained that.

@jimmycuadra
Copy link

In our setup, the systemd unit file that starts apiserver is immutable, so we don't necessarily want the user specified by --authorization-rbac-super-user to have unlimited access for the foreseeable future. We want a way to bootstrap RBAC roles and bindings and then disable the initial user's unlimited access without having to change the set of arguments that the apiserver is started with.

@SEJeff
Copy link

SEJeff commented Jul 27, 2016

@jimmycuadra And you couldn't use systemd's EnvironmentFile pointing to a file that is mutable to change the flags? That achieves the immutable systemd unit file with the flags without changing the scope of this feature. Could that work?

k8s-ci-robot pushed a commit that referenced this issue Jan 21, 2020
ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
…/kargs-day-1

Update Proposal Method 2 for Day1 kargs
ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
The bracketed openshift/docs is from 881dbb7 (Add initial
enhancement templates, 2019-08-23, kubernetes#2).  But a link makes it easy for
folks to see where changes should go, and is something that can be
updated by enhancements to link specific PRs as they check off this
box.
brahmaroutu pushed a commit to brahmaroutu/enhancements that referenced this issue Jul 22, 2020
* add user stories, fixed metadata
brahmaroutu pushed a commit to brahmaroutu/enhancements that referenced this issue Jul 29, 2020
* add user stories, fixed metadata
bridgetkromhout pushed a commit to bridgetkromhout/kubernetes-enhancements that referenced this issue Feb 8, 2021
k8s-ci-robot pushed a commit that referenced this issue May 13, 2021
Minor formatting/typo fixes and disambiguate explanation of smtaware policy
cici37 pushed a commit to cici37/enhancements that referenced this issue Aug 10, 2021
astoycos pushed a commit to astoycos/enhancements-1 that referenced this issue Sep 27, 2021
Add precedence and Namespaces examples
k8s-ci-robot pushed a commit that referenced this issue Jun 17, 2022
chore: use snake case for non-generated proto API
justinsb pushed a commit to justinsb/features that referenced this issue Jan 26, 2023
k8s-ci-robot pushed a commit that referenced this issue Feb 9, 2023
…ategy (#3661)

* Initial KEP for improving pruning in kubectl apply

* Add design details

Co-authored-by: Katrina Verey <[email protected]>

* Add another open question

* Links, clarifications, ownerRef and GKNN explanations

* Follow-on to initial feedback, address some unresolved blocks

* Fix lint errors

* Add more detail about reference implementation (#2)

* Apply prune jan25 (#3)

* More clearly delineate specification vs kubectl details

* Move design details of spec to Design Details section

* Updates from synchronous conversation

* Remove leftover paragraph (#5)

Not an alternative rejected any more, given applyset.k8s.io/inventory

* Justin has always been coauthor

* KEP-3659: production readiness etc (#4)

Fill in the testing/ PRR sections.

* Fix test failures

* Prune: document confused deputy attack and mitigations

Likely pushes us to GKNN-derived IDs.

* Constrain applyset id

We just choose the constrained applyset id to prevent "applyset ID
impersonation".

* Update KEP and PRR metadata

* Enhance testing description

* ID vs name fixes

* Fixes from soltysh's review

---------

Co-authored-by: Justin Santa Barbara <[email protected]>
k8s-ci-robot pushed a commit that referenced this issue Jun 13, 2023
address API review comments for extra mappings
stlaz added a commit to stlaz/kube-enhancements that referenced this issue Sep 26, 2023
stlaz added a commit to stlaz/kube-enhancements that referenced this issue Sep 26, 2023
k8s-ci-robot pushed a commit that referenced this issue Jun 12, 2024
* Add draft of CSI CBT KEP

Signed-off-by: Ivan Sim <[email protected]>

* Update KEP status

Signed-off-by: Ivan Sim <[email protected]>

* Initial structure.
Filled in the Proposal, Caveats and Risks.
Put in the CSI spec in the Details section.

* Removed distracting links to common K8s definitions.
Clarified the proposal.

* More caveats.  Better grammar.

* Use "snapshot access session".

* addressed most of the feedback in the PR.

* Updated role figure.

* More refinements.

* Session figure. Renamed figure files.

* Fix background of session figure.

* Updated figures and roles.

* Propose a new role for session data.

* GRPC spec

* Don't propose roles.

* Add user stories in the proposal (#2)

* Add user stories in the proposal

Signed-off-by: Prasad Ghangal <[email protected]>

* Remove acceptance criteria for the user stories

* Make changes suggested by Carl

---------

Signed-off-by: Prasad Ghangal <[email protected]>

* Added details to the manager, sidecar and SP service sections.
Fixed session figure errors and rewrote the client gRPC
description in the risks section.

* Called out UNRESOLVED issues.
More on the SP service and sidecar.

* Resolved issues with expiry and advertising.

* Updated TOC

* Fixed typo and svg space rendering.

* Fixed typo in perms figure.

* Typo in session figure. More detail in user stories.

* Add SnapshotSession CRDs (#5)

* Add SnapshotSession CRDs

* Add CR descriptions

* Address review comments

* Address review comments

* Remove typo

* Remove unnecessary new line

* Added image of the flow when the TokenRequest and TokenReview APIs are used.

* Fixed figure spacing

* Updated permissions svg; removed session.

* Updated figures. Removed session figure.

* Added explanation of permissions.

* Updated overview and risks.

* Updated RPC and components.

* Completed remaining rewrite.

* Updated to CSI spec to reflect container-storage-interface/spec#551

* Removed the security_token and namespace from the gRPC spec.
Pass the security token via the metadata authorization key.
Pass the namespace as part of the K8s snapshot id string.

* Update sections on test plan, PRR and graduation criteria

Signed-off-by: Ivan Sim <[email protected]>

* More neutral language on passing the auth token.

* Updated to reflect changes in the CSI spec PR.

* Use a separate gRPC API for the sidecar.

* Replaced authorization gRPC metadata with a security_token field in request messages.

* Fixed typo.

* Updated CSI spec; downplayed similarity between the K8s and CSI gRPC services.

* Add beta and GA graduation criteria

Signed-off-by: Ivan Sim <[email protected]>

* Updated CSI spec again - no unsigned numbers used.

* Update KEP milestone to v1.30

Signed-off-by: Ivan Sim <[email protected]>

* Update 'Scalability' section

Signed-off-by: Ivan Sim <[email protected]>

* Add sig-auth as participating sigs

Signed-off-by: Ivan Sim <[email protected]>

* Require that the CR be named for the driver.

* Removed the label requirement for the CR.

* Replaced johnbelamaric with soltysh for PRR approver.

* Bump up milestone to v1.31

* Change KEP status to implementable

---------

Signed-off-by: Ivan Sim <[email protected]>
Signed-off-by: Prasad Ghangal <[email protected]>
Signed-off-by: Ivan Sim <[email protected]>
Co-authored-by: Carl Braganza <[email protected]>
Co-authored-by: Prasad Ghangal <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
None yet
Development

No branches or pull requests