Dynamic Audit Configuration #600
Comments
/cc @tallclair |
/milestone v1.12 |
/kind feature |
/assign @pbarker |
Hey there! @pbarker I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it? |
@zparnold will do 👍 to be clear, do I write the docs there or is that something the docs folks do? |
You'll be writing the docs, and we'll be making sure that it matches our style and clarity. (Mostly because we may not understand the feature as well as you do at present.) If you need help, please just let me or @jimangel know |
ok here is the starter issue kubernetes/website#9947 |
Thank you! I'll mark it on the FT spreadsheet! |
@pbarker -- |
@justaugustus unfortunately this one has gotten caught up in the review process and will not be making 1.12 |
/milestone v1.13 |
@justaugustus I don't have the power to change the milestone, but we'll be targeting 1.13 |
/milestone v1.13 |
/milestone v1.13 |
(btw, pretty sure you have milestone powers here, @liggitt, but we hadn't turned the bot on until kubernetes/test-infra#9252 merged) |
@kacole2, I believe @liggitt is the right person to contact on this feature. Please see his recent response kubernetes/kubernetes#71230 (comment). My reading of @liggitt's comment is that this feature is back to KEP phase. |
Hey there @liggitt @pbarker -- 1.17 Enhancements shadow here 👋 . I wanted to check in and see if you think this Enhancement will be graduating to beta or new features will land in 1.17? The current release schedule is:
If you do, I'll add it to the 1.17 tracking sheet (https://bit.ly/k8s117-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍 Thanks! |
@pbarker @tallclair @liggitt what is the status of this Enhancement? Reading the previous comments makes me wonder: is this feature going to beta at all? I find this feature very useful and would like to see it in beta. Could we push this forward and get this into 1.18? There was already a PR to move this enhancement to beta in 1.15, but it was closed. So could we just reopen it (and rebase)? |
I agree this feature needs a roadmap. I would say that at the moment, its future is unknown. Can you share a little more about why you think it's useful, and how you plan to use it? |
VMware bought Heptio and this got put on the back burner as we integrated. We are now coming back around to it with more resources and will probably begin work on it early next year. |
I have been quietly (well, I pinged pbarker a few times since he was working on it earlier this year) following and waiting for this feature. We build a few k8s operators and we need this feature to do reliable and trusted usage-based-billing. @tallclair, I thought you were working on it https://groups.google.com/forum/#!msg/kubernetes-sig-auth/Ha0C4cladCQ/JhAaOKBhFAAJ . We don't have the resources to contribute by pushing code upstream. But I would be more than happy to contribute by reading design docs / KEPs. How can I do that? |
More eyes on designs & KEPs is definitely helpful. Watching this issue, attending sig-auth and the mailing list is probably the best way to keep up. Unfortunately I don't have time to be actively working on this outside of design reviews. |
My interest in seeing this go to beta is to get parity with the ability to update the config dynamically, as is supported today for admission webhooks (https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/). For conformance we are currently unable to dynamically audit which components/tests are hitting which API endpoints without making a run around kubernetes, or setting the cluster up as such by default (which we're unable to do for hosted providers who don't expose alpha options). The goal would be to install a pod which registers itself as an audit webhook automagically, if installed by a user with sufficient privileges. It's unclear to me whether PRs/KEPs like #1259 imply there is more done in refining the config before enabling dynamic configuration. |
@pbarker Enhancements shadow for 1.18 here. Are you targeting anything for this in 1.18? We need to track it if so. The release schedule is: Monday, January 6th - Release Cycle Begins |
Nothing planned for 1.18 per @liggitt |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
FYI, we'll be further discussing 2 potential paths forward for this feature at the next sig-auth meeting (2020-04-29): |
Hey there @pbarker, 1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19? In order to have this part of the release:
The current release schedule is:
If you do, I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍 Thanks! |
We're currently discussing the future of this feature in sig-auth, but no changes are planned for v1.19. |
@tallclair Thank you very much for following up. I've updated the tracking sheet accordingly. 👍 |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle rotten |
This feature was removed in 1.19 (details in https://groups.google.com/g/kubernetes-sig-auth/c/aV_nXpa5uWU) |
Feature Description
Dynamic configuration of Audit facilities in the apiserver
@pbarker
sig-auth
KEP: Dynamic Audit Configuration community#2188
adds policy to dynamic audit kep community#2407
@tallclair
@liggitt
@yliaog
@caesarxuchao
@tallclair
1.15
1.xx
1.xx
API PRs: