-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Role-based access control (RBAC) #2
Comments
it’s astonishing how much checklists on github make me want to do whatever it takes to complete them |
An update on this issue for alpha.
TODO before alpha release
|
@erictune As we can't update this issue I think you have to check the boxes based on @ericchiang's comment #2 (comment) |
Ping @erictune cc @ericchiang |
Integration tests here: kubernetes/kubernetes#26753 Docs here: kubernetes/website#631 Also there were a couple small fixes that need lgtms: |
The API group name "rbac.authorization.k8s.io/v1alpha1" is really long. Perhaps for Beta or GA we can shorten it somehow. |
For beta, we need to:
|
A couple other notes (not necessarily for beta)
|
Not sure I'd consider choosing a default role for service accounts in rbac a breaking change. Authorizer settings have always been able to limit service account permissions. |
Hi @erictune will RBAC in 1.3 have the ability to make policy decisions based on the attributes in the requested API object? Such as specifying what secrets can a pod mount as a volume? Looking over the code seems the answer is no, but I'd like to confirm. Thanks! |
@guoshimin no. For alpha RBAC will only deal with top level objects. No field level authorization. @olegshaldybin has a large proposal in kubernetes/kubernetes#27330. You may want to take a look at the discussion there. |
no, RBAC is object-level, not field-level. |
Also realized that we don't have garbage collection (cleaning up role bindings to deleted roles). This would probably be something good to add to the beta release. |
I'd like to see an intent-based, idempotent API for binding roles to subjects. Something where I can post: "bind role/foo to user/bar" or "delete role/foo from group/bar" and not have to worry about the details of exactly which named binding needs to be mutated. I think we should also consider a way to select which roles and subjects a given subject is allowed to bind. Right now, Jane in namespace J can forcibly add David to her namespace and there's nothing he can do about it. In addition, a permission granting role has value since the person handing out permissions may not want to have all the powers he's granting. |
An intent-based API for managing policy sounds great. Just out of curiosity - Are there existing intent-based APIs in K8s? |
The existing bindings endpoint comes to mind. I can't actually think of other resources where the primary usage is through mutation of existing resources instead of creation of new ones. Maintaining individual tuples doesn't seem like it would be a good idea though. |
Request for a non-flag way to turn off bootstrapping mode (kubernetes/kubernetes#25634 (comment)) @jimmycuadra |
I'm a little confused by that comment. @jimmycuadra why do you need to turn this off the bootstrapping flag in the first place? I don't actually see anything in that post which explained that. |
In our setup, the systemd unit file that starts apiserver is immutable, so we don't necessarily want the user specified by |
@jimmycuadra And you couldn't use systemd's EnvironmentFile pointing to a file that is mutable to change the flags? That achieves the immutable systemd unit file with the flags without changing the scope of this feature. Could that work? |
Add initial enhancement templates
…/kargs-day-1 Update Proposal Method 2 for Day1 kargs
The bracketed openshift/docs is from 881dbb7 (Add initial enhancement templates, 2019-08-23, kubernetes#2). But a link makes it easy for folks to see where changes should go, and is something that can be updated by enhancements to link specific PRs as they check off this box.
* add user stories, fixed metadata
* add user stories, fixed metadata
Additional updates
Minor formatting/typo fixes and disambiguate explanation of smtaware policy
Update the KEP for validation
Add precedence and Namespaces examples
chore: use snake case for non-generated proto API
…ategy (#3661) * Initial KEP for improving pruning in kubectl apply * Add design details Co-authored-by: Katrina Verey <[email protected]> * Add another open question * Links, clarifications, ownerRef and GKNN explanations * Follow-on to initial feedback, address some unresolved blocks * Fix lint errors * Add more detail about reference implementation (#2) * Apply prune jan25 (#3) * More clearly delineate specification vs kubectl details * Move design details of spec to Design Details section * Updates from synchronous conversation * Remove leftover paragraph (#5) Not an alternative rejected any more, given applyset.k8s.io/inventory * Justin has always been coauthor * KEP-3659: production readiness etc (#4) Fill in the testing/ PRR sections. * Fix test failures * Prune: document confused deputy attack and mitigations Likely pushes us to GKNN-derived IDs. * Constrain applyset id We just choose the constrained applyset id to prevent "applyset ID impersonation". * Update KEP and PRR metadata * Enhance testing description * ID vs name fixes * Fixes from soltysh's review --------- Co-authored-by: Justin Santa Barbara <[email protected]>
address API review comments for extra mappings
* Add draft of CSI CBT KEP Signed-off-by: Ivan Sim <[email protected]> * Update KEP status Signed-off-by: Ivan Sim <[email protected]> * Initial structure. Filled in the Proposal, Caveats and Risks. Put in the CSI spec in the Details section. * Removed distracting links to common K8s definitions. Clarified the proposal. * More caveats. Better grammar. * Use "snapshot access session". * addressed most of the feedback in the PR. * Updated role figure. * More refinements. * Session figure. Renamed figure files. * Fix background of session figure. * Updated figures and roles. * Propose a new role for session data. * GRPC spec * Don't propose roles. * Add user stories in the proposal (#2) * Add user stories in the proposal Signed-off-by: Prasad Ghangal <[email protected]> * Remove acceptance criteria for the user stories * Make changes suggested by Carl --------- Signed-off-by: Prasad Ghangal <[email protected]> * Added details to the manager, sidecar and SP service sections. Fixed session figure errors and rewrote the client gRPC description in the risks section. * Called out UNRESOLVED issues. More on the SP service and sidecar. * Resolved issues with expiry and advertising. * Updated TOC * Fixed typo and svg space rendering. * Fixed typo in perms figure. * Typo in session figure. More detail in user stories. * Add SnapshotSession CRDs (#5) * Add SnapshotSession CRDs * Add CR descriptions * Address review comments * Address review comments * Remove typo * Remove unnecessary new line * Added image of the flow when the TokenRequest and TokenReview APIs are used. * Fixed figure spacing * Updated permissions svg; removed session. * Updated figures. Removed session figure. * Added explanation of permissions. * Updated overview and risks. * Updated RPC and components. * Completed remaining rewrite. * Updated to CSI spec to reflect container-storage-interface/spec#551 * Removed the security_token and namespace from the gRPC spec. Pass the security token via the metadata authorization key. Pass the namespace as part of the K8s snapshot id string. * Update sections on test plan, PRR and graduation criteria Signed-off-by: Ivan Sim <[email protected]> * More neutral language on passing the auth token. * Updated to reflect changes in the CSI spec PR. * Use a separate gRPC API for the sidecar. * Replaced authorization gRPC metadata with a security_token field in request messages. * Fixed typo. * Updated CSI spec; downplayed similarity between the K8s and CSI gRPC services. * Add beta and GA graduation criteria Signed-off-by: Ivan Sim <[email protected]> * Updated CSI spec again - no unsigned numbers used. * Update KEP milestone to v1.30 Signed-off-by: Ivan Sim <[email protected]> * Update 'Scalability' section Signed-off-by: Ivan Sim <[email protected]> * Add sig-auth as participating sigs Signed-off-by: Ivan Sim <[email protected]> * Require that the CR be named for the driver. * Removed the label requirement for the CR. * Replaced johnbelamaric with soltysh for PRR approver. * Bump up milestone to v1.31 * Change KEP status to implementable --------- Signed-off-by: Ivan Sim <[email protected]> Signed-off-by: Prasad Ghangal <[email protected]> Signed-off-by: Ivan Sim <[email protected]> Co-authored-by: Carl Braganza <[email protected]> Co-authored-by: Prasad Ghangal <[email protected]>
Feature Description
kubernetes/kubernetes#25634
kubernetes/kubernetes#26753
kubernetes/website#643
The text was updated successfully, but these errors were encountered: