harden the default RBAC discovery clusterrolebindings #789

Open
dekkagaijin opened this Issue Jan 30, 2019 · 6 comments

Contributor

dekkagaijin commented Jan 30, 2019

Enhancement Description

  • One-line enhancement description (can be used as a release note): Remove discovery from the set of APIs which allow for unauthenticated access by default, improving privacy for CRDs and the default security posture of default clusters in general.
  • Primary contact (assignee): @dekkagaijin
  • Responsible SIGs: sig-auth, sig-api-machinery
  • Design proposal link (community repo): https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0034-20190123-harden-default-discovery-bindings.md
  • Link to e2e and/or unit tests: TBD
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @liggitt, @deads2k
  • Approver (likely from SIG/area to which enhancement belongs): @liggitt
  • Enhancement target (which target equals to which milestone):
    • Alpha, Beta, Stable release target (1.14)

Contributor Author

dekkagaijin commented Jan 30, 2019

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth and removed needs-sig labels Jan 30, 2019

@liggitt liggitt added this to the v1.14 milestone Feb 4, 2019

@liggitt liggitt added the stage/stable label Feb 4, 2019

Member

liggitt commented Feb 4, 2019

dotting i's, crossing t's

Contributor

ameukam commented Feb 6, 2019

/kind feature

Member

spiffxp commented Feb 7, 2019

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam

Contributor Author

dekkagaijin commented Feb 7, 2019

thanks!

claurence commented Feb 11, 2019

@dekkagaijin are there any open PRs in k/k that need to be merged (in addition to the one referenced above) for this to be in 1.14? Code freeze is 3/7 and if the PRs are not able to merge by then this issue will be removed from the milestone.
