Structured Authentication Config

[nabokihms]

Enhancement Description

• One-line enhancement description (can be used as a release note): Structured Authentication Config

• Kubernetes Enhancement Proposal: KEP

• Discussion Link:

  • Slack post - https://kubernetes.slack.com/archives/C0EN96KUY/p1638208007167400
  • Google doc - https://docs.google.com/document/d/1sY8fRyRtk4eG9R439z5ao5i9bFuuxilS03XaNlqoni0/edit?disco=AAAARL1K8OE

• Primary contact (assignee): @aramase @enj @nabokihms

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): v1.29
  • Beta release target (x.y): v1.30
  • Stable release target (x.y): v1.34

• Alpha

  • KEP (k/enhancements) update PR(s): KEP-3331: Structured Authentication Config #3332
  • Code (k/k) update PR(s):
    • [StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it kubernetes#118984
    • [StructuredAuthenticationConfig] Add feature flag and wire up --authentication-config flag kubernetes#119142
    • [StructuredAuthnConfig] use local variables in oidc pkg kubernetes#120183
    • Implement CEL for StructuredAuthenticationConfig kubernetes#121078
    • [StructuredAuthn] Ensure empty fields of user object are accessible by CEL kubernetes#121709
  • Docs (k/website) update PR(s): add docs for StructuredAuthenticationConfig v1alpha1 website#43397

• Beta

  • KEP (k/enhancements) update PR(s):
    • KEP-3331: update for beta in v1.30 #4461
    • KEP-3331: update configuration reload metric #4491
    • KEP-3331: update kep latest milestone to v1.32 #4844
  • Code (k/k) update PR(s):
    • add StructuredAuthenticationConfiguration feature to kube feature gates file kubernetes#121622
    • [StructuredAuthnConfig] add comment for extra keys unique requirement kubernetes#122560
    • cleanup structured authn/authz error logic kubernetes#122975
    • Add AudienceMatchPolicy and support multiple audiences in AuthenticationConfiguration kubernetes#123165
    • Add apiserver_authentication_jwt_authenticator_latency_seconds metric kubernetes#123225
    • Support all key algs with structured authn config kubernetes#123282
    • Add integration test for multiple audience in structured authn kubernetes#123305
    • Support multiple JWT authenticators with structured authn config kubernetes#123431
    • add min valid jwt payload to API docs for structured authn config kubernetes#123458
    • Add dynamic reload support for authentication configuration kubernetes#123525
    • Add DiscoveryURL to Authentication Configuration kubernetes#123527
    • Prevent conflicts between service account and jwt issuers kubernetes#123561
    • jwt: fail on empty username via CEL expression kubernetes#123568
    • Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 kubernetes#123696
    • Mark StructuredAuthenticationConfiguration feature gate as beta kubernetes#123719
    • Fix AuthenticationConfiguration docs around nested claims via CEL kubernetes#123721
    • Require email_verified to be used when email is set as username via CEL kubernetes#123737
    • Add metrics for authentication config reload kubernetes#123793
    • fix test flake in TestStructuredAuthenticationConfigReload kubernetes#123856
    • Set credential-id in userinfo.extra for jwt authenticators if jti claim present kubernetes#127010
    • Disallow k8s.io and kubernetes.io namespaced extra key in structured authn config kubernetes#126553
  • Docs (k/website) update(s):
    • Add blog post for Structured Authn beta website#45106
    • Add docs for Structured Authn beta website#45108
    • Add note about k8s.io, kubernetes disallowed prefix for structured authn website#47821

• Stable - 1.34

  • KEP (k/enhancements) update PR(s):
    • KEP-3331: update kep for GA in v1.34 #5305
    • KEP-3331: Add note on simulating revocation via user validation rule using unique identifier #5332
  • Code (k/k) update PR(s):
    • Add JWKS fetch metrics for jwt authenticator kubernetes#123642
    • jwt: refactor CEL eval to drop unstructured and map[string]any kubernetes#131536
    • jwt: add unit tests for using CEL with deeply nested claims kubernetes#131573
    • jwt: support CEL expressions with escaped names kubernetes#131574
    • Duplicate v1beta1 AuthenticationConfiguration to v1 kubernetes#131752
    • Promote automatic_reloads of authn config metrics to BETA kubernetes#131798
    • Mark StructuredAuthenticationConfiguration feature gate as GA kubernetes#131916
    • KEP-3331: Add test to simulate revocation via user validation rule using unique identifier (jti) kubernetes#132082
    • Add egress selector support to JWT authenticator kubernetes#132768
  • Docs (k/website) update(s):
    • Add docs for Structured Authn GA website#51290

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[nabokihms]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale