Structured Authentication Config

[nabokihms]

Enhancement Description

• One-line enhancement description (can be used as a release note): Structured Authentication Config
• Kubernetes Enhancement Proposal: KEP
• Discussion Link:
  • Slack post - https://kubernetes.slack.com/archives/C0EN96KUY/p1638208007167400
  • Google doc - https://docs.google.com/document/d/1sY8fRyRtk4eG9R439z5ao5i9bFuuxilS03XaNlqoni0/edit?disco=AAAARL1K8OE
• Primary contact (assignee): @nabokihms
• Responsible SIGs: sig-auth
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.29
  • Beta release target (x.y): v1.30
  • Stable release target (x.y): v1.34
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-3331: Structured Authentication Config #3332
  • Code (k/k) update PR(s):
    • [StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it kubernetes#118984
    • [StructuredAuthenticationConfig] Add feature flag and wire up --authentication-config flag kubernetes#119142
    • [StructuredAuthnConfig] use local variables in oidc pkg kubernetes#120183
    • Implement CEL for StructuredAuthenticationConfig kubernetes#121078
    • [StructuredAuthn] Ensure empty fields of user object are accessible by CEL kubernetes#121709
  • Docs (k/website) update PR(s): add docs for StructuredAuthenticationConfig v1alpha1 website#43397
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-3331: update for beta in v1.30 #4461
    • KEP-3331: update configuration reload metric #4491
    • KEP-3331: update kep latest milestone to v1.32 #4844
  • Code (k/k) update PR(s):
    • add StructuredAuthenticationConfiguration feature to kube feature gates file kubernetes#121622
    • [StructuredAuthnConfig] add comment for extra keys unique requirement kubernetes#122560
    • cleanup structured authn/authz error logic kubernetes#122975
    • Add AudienceMatchPolicy and support multiple audiences in AuthenticationConfiguration kubernetes#123165
    • Add apiserver_authentication_jwt_authenticator_latency_seconds metric kubernetes#123225
    • Support all key algs with structured authn config kubernetes#123282
    • Add integration test for multiple audience in structured authn kubernetes#123305
    • Support multiple JWT authenticators with structured authn config kubernetes#123431
    • add min valid jwt payload to API docs for structured authn config kubernetes#123458
    • Add dynamic reload support for authentication configuration kubernetes#123525
    • Add DiscoveryURL to Authentication Configuration kubernetes#123527
    • Prevent conflicts between service account and jwt issuers kubernetes#123561
    • jwt: fail on empty username via CEL expression kubernetes#123568
    • Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 kubernetes#123696
    • Mark StructuredAuthenticationConfiguration feature gate as beta kubernetes#123719
    • Fix AuthenticationConfiguration docs around nested claims via CEL kubernetes#123721
    • Require email_verified to be used when email is set as username via CEL kubernetes#123737
    • Add metrics for authentication config reload kubernetes#123793
    • fix test flake in TestStructuredAuthenticationConfigReload kubernetes#123856
  • Docs (k/website) update(s):
    • Add blog post for Structured Authn beta website#45106
    • Add docs for Structured Authn beta website#45108

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[nabokihms]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[marosset]

Hello @nabokihms 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage alpha for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.26
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

It looks #3332 will address most of these issues.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[enj]

/milestone v1.27

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale

[npolshakova]

Hello @nabokihms 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.27
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

It looks #3332 will address most of these issues.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[sreeram-venkitesh]

Hi 👋, 1.31 Enhancements Lead here.

If you wish to progress this enhancement in v1.31, please have the SIG lead opt-in your enhancement by adding the lead-opted-in label and set the milestone to v1.31 before the Production Readiness Review Freeze.

/remove-label lead-opted-in

[mickeyboxell]

Hi @aramase 👋 v1.31 Enhancements team here.

I wanted to check in as we approach the enhancements freeze on 02:00 UTC Friday 14th June 2024 / 19:00 PDT Thursday 13th June 2024.

This enhancement is targeting stable for v1.31. Please correct me if that isn't the case.

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline so that the PRR team has enough time to review your KEP before the enhancements freeze.

For this KEP, we need to do the following:

• Cut a PR with the appropriate changes to the KEP readme and kep.yaml and ensure the PR is merged prior to the enhancements freeze.
• Please share a link to the PRR approval and if it has not yet been approved make sure to do so by the deadline mentioned above.
• Please update the issue description with the links to the PR. This was the most recent one I could find: https://github.com/kubernetes/enhancements/pull/3332/files

The status of this enhancement is marked as at risk for enhancement freeze. We can mark it as tracked as soon as the above changes are merged. Please make sure to get this done before the enhancements freeze.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Let me know if you have any questions! Thank you!

[aramase]

@mickeyboxell We have merged a PR to update the latest-milestone to v1.31 in the KEP.

FYI, this KEP is going to remain in beta in v1.31. We plan to make some code changes for metrics and refactor.

[salaxander]

@aramase any docs changes needed for the 1.31 milestone?

[mickeyboxell]

With all the requirements fulfilled this enhancement is now marked as tracked for the upcoming enhancements freeze 🚀

[aramase]

@mickeyboxell here is the PR: #4687 that updates the latest milestone for the enhancement.

@salaxander we don't have any doc changes for the v1.31 release.

[pacoxu]

kubernetes/kubernetes#123642 is a WIP PR for this KEP.

[hailkomputer]

Hi @enj, @aramase

👋 from the v1.31 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement!
Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and is graduating.

To opt in, let us know and open a Feature Blog placeholder PR against the website repository by 3rd July, 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[hailkomputer]

@aramase , friendly reminder about the upcoming blog opt-in and placeholder deadline on July 3rd. Please open a blog placeholder PR if you are interested in contributing a blog.

[mickeyboxell]

Hey again @aramase 👋 Kubernetes 1.31 Enhancements team here.

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP):

• Add JWKS fetch metrics for jwt authenticator kubernetes#123642

If you anticipate missing code freeze, you can file an [exception request](https://github.com/kubernetes/sig-release/blob/master/releases/EXCEPTIONS.md) in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.

As always, we are here to help if any questions come up. Thanks!

The status of this enhancement is marked as at risk for code freeze.

[mickeyboxell]

Hey @aramase 👋 Kubernetes 1.31 Enhancements team here.

Following up on the message above as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024. Please let me know if you have any questions.

[mickeyboxell]

Hello @aramase 👋 Kubernetes 1.31 Enhancements team here,

Unfortunately, the implementation (code related) PR(s) associated with this enhancement is not in the merge-ready state by code-freeze and hence this enhancement is now removed from the v1.31 milestone.

If you still wish to progress this enhancement in v1.31, please file an exception request as soon as possible, within three days. If you have any questions, you can reach out in the #release-enhancements channel on Slack and we'll be happy to help. Thanks!

[sreeram-venkitesh]

/milestone clear

[tjons]

Hi, enhancements lead here - I inadvertently added this to the 1.32 tracking board 😀. Please readd it if you wish to progress this enhancement in 1.32.

/remove-label lead-opted-in

[tjons]

Hello @aramase @enj 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage beta for v1.32 (correct me, if otherwise).

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.32.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday, October 3rd, 2024 so that the PRR team has enough time to review your KEP.

For this KEP, we would just need to update the following:

• KEP status is marked as implementable for latest-milestone: v1.32. This should be resolved once https://github.com/kubernetes/enhancements/pull/4844/files merges.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[jpbetz]

PRR reviewer here. Is this still targeting v1.32? The PRR deadline is Thursday. Is there anything I can review?

[aramase]

PRR reviewer here. Is this still targeting v1.32? The PRR deadline is Thursday. Is there anything I can review?

@jpbetz This is going to stay beta in v1.32. We're opting it in, so we can make code changes for defaulting, validation and metrics in v1.32. There is no change in the KEP. I have #4844 open to update the latest milestone to v1.32.

[jpbetz]

This is going to stay beta in v1.32. We're opting it in, so we can make code changes for defaulting, validation and metrics in v1.32. There is no change in the KEP. I have #4844 open to update the latest milestone to v1.32.

Sounds good. No need for PRR on this one for 1.32 then. Thanks!