Dynamic Audit Configuration #600

Closed
2 tasks
pbarker opened this issue Jul 30, 2018 · 76 comments
Labels
kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team

Comments

Contributor

pbarker commented Jul 30, 2018

Feature Description

API PRs:

Contributor Author

pbarker commented Jul 30, 2018

/cc @tallclair
/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 30, 2018
Contributor Author

pbarker commented Jul 30, 2018

/milestone v1.12

@justaugustus justaugustus added this to the v1.12 milestone Jul 30, 2018
Member

justaugustus commented Jul 30, 2018

/kind feature
/stage alpha

@k8s-ci-robot k8s-ci-robot added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status kind/feature Categorizes issue or PR as related to a new feature. labels Jul 30, 2018
Member

justaugustus commented Jul 30, 2018

/assign @pbarker

@justaugustus justaugustus added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jul 30, 2018
Member

zparnold commented Aug 20, 2018

Hey there! @pbarker I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

Contributor Author

pbarker commented Aug 20, 2018

@zparnold will do 👍 to be clear, do I write the docs there or is that something the docs folks do?

Member

zparnold commented Aug 20, 2018

You'll be writing the docs, and we'll be making sure that it matches our style and clarity. (Mostly because we may not understand the feature as well as you do at present.) If you need help, please just let me or @jimangel know

Contributor Author

pbarker commented Aug 21, 2018

ok here is the starter issue kubernetes/website#9947

Member

zparnold commented Aug 25, 2018

Member

justaugustus commented Sep 5, 2018

@pbarker --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't hear anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

Contributor Author

pbarker commented Sep 5, 2018

@justaugustus unfortunately this one has gotten caught up in the review process and will not be making 1.12

Contributor Author

pbarker commented Sep 5, 2018

/milestone v1.13

Contributor Author

pbarker commented Sep 5, 2018

@justaugustus I don't have the power to change the milestone, but we'll be targeting 1.13

Member

liggitt commented Sep 5, 2018

/milestone v1.13

Member

justaugustus commented Sep 6, 2018

/milestone v1.13

@k8s-ci-robot k8s-ci-robot modified the milestones: v1.12, v1.13 Sep 6, 2018
@justaugustus justaugustus removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 6, 2018
Member

justaugustus commented Sep 6, 2018

(btw, pretty sure you have milestone powers here, @liggitt, but we hadn't turned the bot on until kubernetes/test-infra#9252 merged)

@tallclair tallclair mentioned this issue Oct 5, 2018
3 tasks
@kacole2 kacole2 added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Oct 8, 2018
@k8s-ci-robot k8s-ci-robot removed this from the v1.16 milestone Jul 31, 2019
@kacole2 kacole2 added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Jul 31, 2019
Member

tamalsaha commented Jul 31, 2019

@kacole2 , I believe @liggitt is the right person to contact on this feature. Please see his recent response kubernetes/kubernetes#71230 (comment)

My reading of @liggitt's comment is that this feature is back to KEP phase.

Contributor

jeremyrickard commented Oct 1, 2019

Hey there @liggitt @pbarker -- 1.17 Enhancements shadow here 👋 . I wanted to check in and see if you think this Enhancement will be graduating to beta or new features will land in 1.17?

The current release schedule is:

  • Monday, September 23 - Release Cycle Begins
  • Tuesday, October 15, EOD PST - Enhancements Freeze
  • Thursday, November 14, EOD PST - Code Freeze
  • Tuesday, November 19 - Docs must be completed and reviewed
  • Monday, December 9 - Kubernetes 1.17.0 Released

If you do, I'll add it to the 1.17 tracking sheet (https://bit.ly/k8s117-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

Member

zetaab commented Dec 5, 2019

@pbarker @tallclair @liggitt what is the status of this Enhancement? If I read previous comments it makes me feel is this feature going to beta at all? I see this feature as very useful and would like to see it in beta. Could we push this forward and get this to 1.18?

There was already a PR to make this enhancement to beta in 1.15 but it was closed. So could we just reopen it (and rebase)?

Member

tallclair commented Dec 5, 2019

I agree this feature needs a roadmap. I would say that at the moment, its future is unknown. Can you share a little more about why you think it's useful, and how you plan to use it?

Contributor Author

pbarker commented Dec 5, 2019

VMware bought Heptio and this got put on the back burner as we integrated. We are now coming back around to it with more resources and will probably begin work on it early next year.

Member

tamalsaha commented Dec 6, 2019

I have been quietly (well, I pinged pbarker a few times since he was working on it earlier this year.) following and waiting for this feature. We build a few k8s operators and we need this feature to do reliable and trusted usage-based-billing.

@tallclair , I thought you were working on it https://groups.google.com/forum/#!msg/kubernetes-sig-auth/Ha0C4cladCQ/JhAaOKBhFAAJ .

We don't have the resources to contribute to push code to upstream. But I would be more than happy to contribute by reading design docs / KEPs. How can I do that?

Member

tallclair commented Dec 6, 2019

More eyes on designs & KEPs is definitely helpful. Watching this issue, attending sig-auth and the mailing list is probably the best way to keep up.

Unfortunately I don't have time to be actively working on this outside of design reviews.

Member

spiffxp commented Jan 1, 2020

My interest in seeing this go to beta is to get parity with the ability to update the config dynamically, as is supported today for admission webhooks (https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).

For conformance we are currently unable to dynamically audit which components/tests are hitting which API endpoints without making a run around kubernetes, or setting the cluster up as such by default (which we're unable to do for hosted providers who don't expose alpha options). The goal would be to install a pod which registers itself as an audit webhook automagically, if installed by a user with sufficient privileges.

It's unclear to me whether PR's/KEP's like #1259 imply there is more done in refining the config before enabling dynamic configuration

Contributor

johnbelamaric commented Jan 14, 2020

@pbarker Enhancements shadow for 1.18 here. Are you targeting anything for this in 1.18? We need to track it if so. The release schedule is:

Monday, January 6th - Release Cycle Begins
Tuesday, January 28th EOD PST - Enhancements Freeze
Thursday, March 5th, EOD PST - Code Freeze
Monday, March 16th - Docs must be completed and reviewed
Tuesday, March 24th - Kubernetes 1.18.0 Released

Contributor

johnbelamaric commented Jan 22, 2020

Nothing planned for 1.18 per @liggitt


fejta-bot commented Apr 21, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 21, 2020
Member

palnabarun commented Apr 27, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 27, 2020
Member

tallclair commented Apr 27, 2020

FYI, we'll be further discussing 2 potential paths forward for this feature at the next sig-auth meeting (2020-04-29):

  1. Dynamic audit proxy webhook design
  2. Dynamic webhook sinks with static policy


harshanarayana commented Apr 29, 2020

Hey there @pbarker, 1.19 Enhancements shadow here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

  1. The KEP PR must be merged in an implementable state
  2. The KEP must have test plans
  3. The KEP must have graduation criteria.

The current release schedule is:

  • Monday, April 13: Week 1 - Release cycle begins
  • Tuesday, May 19: Week 6 - Enhancements Freeze
  • Thursday, June 25: Week 11 - Code Freeze
  • Thursday, July 9: Week 14 - Docs must be completed and reviewed
  • Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

If you do, I'll add it to the 1.19 tracking sheet (http://bit.ly/k8s-1-19-enhancements). Once coding begins please list all relevant k/k PRs in this issue so they can be tracked properly. 👍

Thanks!

Member

tallclair commented Apr 29, 2020

We're currently discussing the future of this feature in sig-auth, but no changes are planned for v1.19.


harshanarayana commented Apr 30, 2020

@tallclair Thank you very much for following up. I've updated the tracking sheet accordingly. 👍


fejta-bot commented Jul 29, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 29, 2020

fejta-bot commented Aug 28, 2020

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 28, 2020
Member

palnabarun commented Sep 1, 2020

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 1, 2020
Member

liggitt commented Sep 1, 2020

This feature was removed in 1.19 (details in https://groups.google.com/g/kubernetes-sig-auth/c/aV_nXpa5uWU)

@liggitt liggitt closed this as completed Sep 1, 2020