Enhancement Description
- One-line enhancement description (can be used as a release note): Structured Authentication Config
- Kubernetes Enhancement Proposal: KEP
- Discussion Link:
- Primary contact (assignee): @aramase @enj @nabokihms
- Responsible SIGs: sig-auth
- Enhancement target (which target equals to which milestone):
  - Alpha release target (x.y): v1.29
  - Beta release target (x.y): v1.30
  - Stable release target (x.y): v1.34
- Alpha
  - KEP (`k/enhancements`) update PR(s): KEP-3331: Structured Authentication Config #3332
  - Code (`k/k`) update PR(s):
    - [StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it kubernetes#118984
    - [StructuredAuthenticationConfig] Add feature flag and wire up `--authentication-config` flag kubernetes#119142
    - [StructuredAuthnConfig] use local variables in oidc pkg kubernetes#120183
    - Implement CEL for StructuredAuthenticationConfig kubernetes#121078
    - [StructuredAuthn] Ensure empty fields of user object are accessible by CEL kubernetes#121709
  - Docs (`k/website`) update PR(s): add docs for StructuredAuthenticationConfig v1alpha1 website#43397
- Beta
  - KEP (`k/enhancements`) update PR(s):
  - Code (`k/k`) update PR(s):
    - add `StructuredAuthenticationConfiguration` feature to kube feature gates file kubernetes#121622
    - [StructuredAuthnConfig] add comment for extra keys unique requirement kubernetes#122560
    - cleanup structured authn/authz error logic kubernetes#122975
    - Add `AudienceMatchPolicy` and support multiple audiences in AuthenticationConfiguration kubernetes#123165
    - Add `apiserver_authentication_jwt_authenticator_latency_seconds` metric kubernetes#123225
    - Support all key algs with structured authn config kubernetes#123282
    - Add integration test for multiple audience in structured authn kubernetes#123305
    - Support multiple JWT authenticators with structured authn config kubernetes#123431
    - add min valid jwt payload to API docs for structured authn config kubernetes#123458
    - Add dynamic reload support for authentication configuration kubernetes#123525
    - Add `DiscoveryURL` to Authentication Configuration kubernetes#123527
    - Prevent conflicts between service account and jwt issuers kubernetes#123561
    - jwt: fail on empty username via CEL expression kubernetes#123568
    - Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 kubernetes#123696
    - Mark StructuredAuthenticationConfiguration feature gate as beta kubernetes#123719
    - Fix AuthenticationConfiguration docs around nested claims via CEL kubernetes#123721
    - Require email_verified to be used when email is set as username via CEL kubernetes#123737
    - Add metrics for authentication config reload kubernetes#123793
    - fix test flake in TestStructuredAuthenticationConfigReload kubernetes#123856
    - Set credential-id in userinfo.extra for jwt authenticators if jti claim present kubernetes#127010
    - Disallow `k8s.io` and `kubernetes.io` namespaced extra key in structured authn config kubernetes#126553
    - add
  - Docs (`k/website`) update(s):
- Stable - 1.34
  - KEP (`k/enhancements`) update PR(s):
  - Code (`k/k`) update PR(s):
    - Add JWKS fetch metrics for jwt authenticator kubernetes#123642
    - jwt: refactor CEL eval to drop `unstructured` and `map[string]any` kubernetes#131536
    - jwt: add unit tests for using CEL with deeply nested claims kubernetes#131573
    - jwt: support CEL expressions with escaped names kubernetes#131574
    - Duplicate v1beta1 AuthenticationConfiguration to v1 kubernetes#131752
    - Promote automatic_reloads of authn config metrics to BETA kubernetes#131798
    - Mark StructuredAuthenticationConfiguration feature gate as GA kubernetes#131916
    - KEP-3331: Add test to simulate revocation via user validation rule using unique identifier (jti) kubernetes#132082
    - Add egress selector support to JWT authenticator kubernetes#132768
  - Docs (`k/website`) update(s):
Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.