-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use proxied trusted request header to filter namespaces list in multi-tenant clusters #8526
base: master
Are you sure you want to change the base?
Use proxied trusted request header to filter namespaces list in multi-tenant clusters #8526
Conversation
Welcome @mecampbellsoup! |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: mecampbellsoup The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
db5b619
to
fe81d96
Compare
// If Impersonate* header(s) provided, but Authorization token is missing, | ||
// fallback to in-cluster config by reading the serviceaccount token from the filesystem | ||
var dat, _ = os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token") | ||
token = string(dat) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@floreks is there a way to activate Impersonation when no explicit Authorization: Bearer
token has been included in the request, i.e. "fallback" to using in-cluster config if the reverse proxy has added Impersonation headers only?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: would also like to cache the result of os.ReadFile
so as to not read from the filesystem on every request.
authInfo.Impersonate = impersonationHeader | ||
|
||
//Check for impersonated groups | ||
if groupsImpersonationHeader := req.Request.Header["Impersonate-Group"]; len(groupsImpersonationHeader) > 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I changed this to support both of the following formats:
Impersonate-Group: one,two,three
-- as well as...
Impersonate-Group:one
Impersonate-Group:two
Impersonate-Group:three
@desaintmartin @maciaszczykm do you guys expect to have a chance to review this in the near future? Thanks 😄 |
… request header Also renames `apiServerHost` to `apiserverHost` as apiserver is one word typically in k8s contexts.
…ate* headers in request
f6833e8
to
95c8d0d
Compare
Hey guys! Just following up - what can I do to get some 👀 and feedback on this?! Thank you 🙏 |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
Resolves #8496.
Also modifies the behavior of Impersonation such that a request header
Authorization: Bearer foo
token is not required. We need this change because we want to combine in-cluster configuration with trustedImpersonate*
headers set by our authenticating reverse proxy which sits in front of dashboard api, and it seemed silly to have to hardcode inside my ingress the value of the dashboard api service account's token.