From 32aad9dd3feeac1978269d607ba58e8d2755f6f7 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Fri, 18 Oct 2024 15:31:26 -0400
Subject: [PATCH] KEP-3221: Promote StructuredAuthorizationConfiguration to GA

---
 .../access-authn-authz/authorization.md | 6 +++---
 .../docs/reference/access-authn-authz/node.md | 19 ++++++++++++++++++-
 .../docs/reference/access-authn-authz/rbac.md | 16 ++++++++++++++--
 .../structured-authorization-configuration.md | 8 ++++++--
 .../setup/production-environment/_index.md | 2 +-
 5 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md
index 6d4ebb0b60150..384ec1f2c0b1b 100644
--- a/content/en/docs/reference/access-authn-authz/authorization.md
+++ b/content/en/docs/reference/access-authn-authz/authorization.md
@@ -177,7 +177,7 @@ You can use the following modes:
 * `--authorization-mode=AlwaysDeny` (always denies requests)
 
 You can choose more than one authorization mode; for example:
-`--authorization-mode=Node,Webhook`
+`--authorization-mode=Node,RBAC,Webhook`
 
 Kubernetes checks authorization modules based on the order that you specify them on the API server's command line, so an earlier module has higher priority to allow
@@ -197,7 +197,7 @@ For more information on command line arguments to the API server, read the
 {{< feature-state feature_gate_name="StructuredAuthorizationConfiguration" >}}
 
-As a beta feature, Kubernetes lets you configure authorization chains that can include multiple
+Kubernetes lets you configure authorization chains that can include multiple
 webhooks. The authorization items in that chain can have well-defined parameters that validate requests in a particular order, offering you fine-grained control, such as explicit Deny on failures.
@@ -220,7 +220,7 @@ are only available if you use an authorization configuration file.
 #
 # DO NOT USE THE CONFIG AS IS. THIS IS AN EXAMPLE.
 #
-apiVersion: apiserver.config.k8s.io/v1beta1
+apiVersion: apiserver.config.k8s.io/v1
 kind: AuthorizationConfiguration
 authorizers:
   - type: Webhook
diff --git a/content/en/docs/reference/access-authn-authz/node.md b/content/en/docs/reference/access-authn-authz/node.md
index d39b404c0c80b..dd144d7fa1403 100644
--- a/content/en/docs/reference/access-authn-authz/node.md
+++ b/content/en/docs/reference/access-authn-authz/node.md
@@ -69,7 +69,24 @@ the local `hostname` and the `--hostname-override` option.
 For specifics about how the kubelet determines the hostname, see the
 [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).
 
-To enable the Node authorizer, start the apiserver with `--authorization-mode=Node`.
+To enable the Node authorizer, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
+with the `--authorization-config` flag set to a file that includes the `Node` authorizer; for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: Node
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `Node`;
+for example:
+```shell
+kube-apiserver --authorization-mode=...,Node --other-options --more-options
+```
 
 To limit the API objects kubelets are able to write, enable the
 [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction)
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
index a18903db4cb2e..2608ba32284f2 100644
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -20,10 +20,22 @@ RBAC authorization uses the `rbac.authorization.k8s.io`
 decisions, allowing you to dynamically configure policies through the Kubernetes API.
 
 To enable RBAC, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
-with the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
+with the `--authorization-config` flag set to a file that includes the `RBAC` authorizer;
 for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: RBAC
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
 for example:
 ```shell
-kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
+kube-apiserver --authorization-mode=...,RBAC --other-options --more-options
 ```
 
 ## API objects {#api-overview}
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md
index d2f1a47283c6a..b40c8193298d0 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md
@@ -6,13 +6,17 @@ _build:
   render: false
 
 stages:
-  - stage: alpha
+  - stage: alpha
     defaultValue: false
     fromVersion: "1.29"
     toVersion: "1.29"
-  - stage: beta
+  - stage: beta
     defaultValue: true
     fromVersion: "1.30"
+    toVersion: "1.31"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.32"
 ---
 Enable structured authorization configuration, so that cluster administrators can specify more than one
 [authorization webhook](/docs/reference/access-authn-authz/webhook/)
diff --git a/content/en/docs/setup/production-environment/_index.md b/content/en/docs/setup/production-environment/_index.md
index a7972e093091f..775c1d21dba23 100644
--- a/content/en/docs/setup/production-environment/_index.md
+++ b/content/en/docs/setup/production-environment/_index.md
@@ -232,7 +232,7 @@ As someone setting up authentication and authorization on your production Kubern
 - *Set the authorization mode*: When the Kubernetes API server ([kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/))
-  starts, the supported authentication modes must be set using the *--authorization-mode*
+  starts, supported authorization modes must be set using an *--authorization-config* file or the *--authorization-mode*
   flag. For example, that flag in the *kube-adminserver.yaml* file (in */etc/kubernetes/manifests*) could be set to Node,RBAC. This would allow Node and RBAC authorization for authenticated requests.
 - *Create user certificates and role bindings (RBAC)*: If you are using RBAC