Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow enabling/disabling anonymous auth for the kapi server #4072

Merged
merged 1 commit into from
May 21, 2021
Merged

Allow enabling/disabling anonymous auth for the kapi server #4072

merged 1 commit into from
May 21, 2021

Conversation

dimityrmirchev
Copy link
Member

@dimityrmirchev dimityrmirchev commented May 18, 2021
edited by rfranzke

How to categorize this PR?

/area control-plane
/area security
/kind enhancement

What this PR does / why we need it:
This PR adds the ability for a cluster admin to explicitly set the --anonymous-auth flag via the apiserver configuration. The default value will remain false. This change is needed because most of the OIDC metadata discovery clients do not support authentication as they expect unprotected access to the endpoint https://{kube-apiserver-hostname}/.well-known/openid-configuration.

Which issue(s) this PR fixes:
Fixes #4063

Special notes for your reviewer:
More information about the flag can be read here.

Release note:

It is now possible to enable anonymous authentication on the kube-apiserver for shoots by setting `.spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication=true`. Anonymous authentication will be disabled by default.

@dimityrmirchev dimityrmirchev requested a review from a team as a code owner May 18, 2021 09:14
@gardener-robot gardener-robot added kind/api-change API change with impact on API users needs/second-opinion area/control-plane Control plane related area/security Security related kind/enhancement Enhancement, improvement, extension size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 18, 2021
@dimityrmirchev
Copy link
Member Author

/assign @mvladev

vpnachev
vpnachev reviewed May 18, 2021
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

pkg/apis/core/types_shoot.go Outdated Show resolved Hide resolved
pkg/apis/core/v1alpha1/defaults_test.go Show resolved Hide resolved
pkg/apis/core/v1alpha1/defaults.go Show resolved Hide resolved
@rfranzke
Copy link
Member

Please extend

gardener/example/90-shoot.yaml

Lines 130 to 172 in 28234df

# kubeAPIServer:
# featureGates:
# SomeKubernetesFeature: true
# runtimeConfig:
# scheduling.k8s.io/v1alpha1: true
# oidcConfig:
# caBundle: |
# -----BEGIN CERTIFICATE-----
# Li4u
# -----END CERTIFICATE-----
# clientID: client-id
# groupsClaim: groups-claim
# groupsPrefix: groups-prefix
# issuerURL: https://identity.example.com
# usernameClaim: username-claim
# usernamePrefix: username-prefix
# signingAlgs:
# - RS256
# - some-other-algorithm
# requiredClaims:
# key: value
# admissionPlugins:
# - name: PodNodeSelector
# config:
# podNodeSelectorPluginConfig:
# clusterDefaultNodeSelector: <node-selectors-labels>
# namespace1: <node-selectors-labels>
# namespace2: <node-selectors-labels>
# auditConfig:
# auditPolicy:
# configMapRef:
# name: auditpolicy
# watchCacheSizes: # See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
# default: 100
# resources:
# - resource: secrets
# size: 500
# - apiGroup: apps
# resource: deployments
# size: 500
# requests:
# maxNonMutatingInflight: 400
# maxMutatingInflight: 200

@dimityrmirchev
Copy link
Member Author

Please extend

gardener/example/90-shoot.yaml

Lines 130 to 172 in 28234df

# kubeAPIServer:
# featureGates:
# SomeKubernetesFeature: true
# runtimeConfig:
# scheduling.k8s.io/v1alpha1: true
# oidcConfig:
# caBundle: |
# -----BEGIN CERTIFICATE-----
# Li4u
# -----END CERTIFICATE-----
# clientID: client-id
# groupsClaim: groups-claim
# groupsPrefix: groups-prefix
# issuerURL: https://identity.example.com
# usernameClaim: username-claim
# usernamePrefix: username-prefix
# signingAlgs:
# - RS256
# - some-other-algorithm
# requiredClaims:
# key: value
# admissionPlugins:
# - name: PodNodeSelector
# config:
# podNodeSelectorPluginConfig:
# clusterDefaultNodeSelector: <node-selectors-labels>
# namespace1: <node-selectors-labels>
# namespace2: <node-selectors-labels>
# auditConfig:
# auditPolicy:
# configMapRef:
# name: auditpolicy
# watchCacheSizes: # See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
# default: 100
# resources:
# - resource: secrets
# size: 500
# - apiGroup: apps
# resource: deployments
# size: 500
# requests:
# maxNonMutatingInflight: 400
# maxMutatingInflight: 200

Done.

@dimityrmirchev
Copy link
Member Author

/reviewed ok-to-test

@rfranzke
Copy link
Member

/rebase

rfranzke
rfranzke reviewed May 21, 2021
View reviewed changes
Copy link
Member

@rfranzke rfranzke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, can you please provide a release note?

rfranzke
rfranzke previously approved these changes May 21, 2021
View reviewed changes
Copy link
Member

@rfranzke rfranzke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@rfranzke rfranzke requested a review from vpnachev May 21, 2021 06:57
@gardener-robot
Copy link

@dimityrmirchev You need rebase this pull request with latest master branch. Please check.

vpnachev
vpnachev approved these changes May 21, 2021
View reviewed changes
Copy link
Member

@vpnachev vpnachev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@vpnachev vpnachev merged commit 92320d7 into gardener:master May 21, 2021
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
@dimityrmirchev
Allow enabling/disabling anonymous auth for the kapi server (gardener…
1a21079 
…#4072)
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022
@dimityrmirchev
Allow enabling/disabling anonymous auth for the kapi server (gardener…
1ea1bcb 
…#4072)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vpnachev vpnachev vpnachev approved these changes

@rfranzke rfranzke rfranzke left review comments

Assignees

@mvladev mvladev

Labels
area/control-plane Control plane related area/security Security related kind/api-change API change with impact on API users kind/enhancement Enhancement, improvement, extension size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add option to enable / disable anonymous authentication of the kube-apiserver
8 participants
@dimityrmirchev @rfranzke @gardener-robot @vpnachev @mvladev @gardener-robot-ci-1 @gardener-robot-ci-2 @gardener-robot-ci-3