@benhxy benhxy commented Feb 16, 2021

This is a proposal to add an authentication source to webhook client config to simplify authentication setup.

Original proposal: #658
Updated proposal: #2510

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 16, 2021
@k8s-ci-robot

Welcome @benhxy!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot

Hi @benhxy. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Feb 16, 2021
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: benhxy
To complete the pull request process, please assign enj after the PR has been reviewed.
You can assign the PR to them by writing /assign @enj in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Feb 16, 2021
@k8s-ci-robot k8s-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 16, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 16, 2021
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 24, 2021
@yliaog

yliaog commented Mar 20, 2021

/cc

@k8s-ci-robot k8s-ci-robot requested a review from yliaog March 20, 2021 00:55
@costinm
costinm commented May 1, 2021

To confirm (and please update the docs to make it explicit): the TokenRequest will be made for an audience == base URL of the webhook server, for external address? And I assume serviceName.namespace.svc for the in-cluster webhooks? Important to be very precise about this, so validation can be properly implemented.

Also I assume this is dependent on the APIserver exposing the OIDC discovery, which I believe is merged - would be good to have a link to that in the docs and use it in any sample code / test.

Thanks a lot for moving this forward, looking forward to use it in Istio !
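An added example of the audience binding costinm asks about, covering the webhook side of the `tokenRequest` source described in the proposal (this is not code from the KEP or from Kubernetes): the apiserver would obtain a token via TokenRequest with the audience set to the webhook's URL, and the webhook verifies that token against the signing key it fetched through the apiserver's OIDC discovery endpoint. The issuer, webhook URL and service-account subject are constructed values; minting is done locally with a fresh RSA key as a stand-in for the apiserver's signer, and the standard library is used instead of a JOSE library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Audience accepts the "aud" claim as either a bare string or an array;
// service-account tokens can carry either form depending on the signer.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = many
	return nil
}

// Claims is the subset of a projected service-account token a webhook needs.
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Mint builds an RS256 JWT for the given claims. It is an illustrative
// stand-in for the apiserver answering a TokenRequest with the audience
// the webhook client config asked for; a real token comes from the API.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify is the webhook-side check: signature against the key obtained from
// the apiserver's OIDC discovery (JWKS), issuer, expiry, and that the token
// was minted for this webhook's audience rather than for some other service.
// The JWT header is deliberately not consulted: key and algorithm are fixed
// by the verifier, so an attacker-controlled "alg" cannot weaken the check.
func Verify(tok string, pub *rsa.PublicKey, issuer, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	// A token minted for the Kubernetes API or for another webhook must be
	// refused here; otherwise whoever obtains it could replay it against us.
	return nil, fmt.Errorf("audience %v does not include %q", c.Aud, wantAud)
}
```

The audience string the webhook compares against must be exactly what the apiserver puts into the TokenRequest, which is why costinm asks for the base URL versus `serviceName.namespace.svc` rule to be spelled out: a mismatch in trailing slash or scheme turns into a hard rejection, while a loose comparison reopens cross-service replay.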

@sftim left a comment
Some (very informal) feedback

```yaml
kind: WebhookAdmissionConfiguration
kubeConfigFile: "<path-to-kubeconfig-file>"
```
The token defined here in a kubeconfig file will not be used, if the `tokenRequest` source is configured.

Perhaps it should instead be an error to define the token here when tokenRequest source is configured.


### User-facing changes

A new field `authenticationSource` will be added to WebhookClientConfig. In this proposal, user can use `tokenRequest` source for requesting a bearer token. By doing this, users no longer have to mint token or ceritificate/key, or to create kubeconfig files.

nit:

Suggested change
- A new field `authenticationSource` will be added to WebhookClientConfig. In this proposal, user can use `tokenRequest` source for requesting a bearer token. By doing this, users no longer have to mint token or ceritificate/key, or to create kubeconfig files.
+ A new field `authenticationSource` will be added to WebhookClientConfig. In this proposal, user can use `tokenRequest` source for requesting a bearer token. By doing this, users no longer have to mint token or certificate/key, or to create kubeconfig files.

- periodic API calls to reconcile state (e.g. periodic fetching state,
heartbeats, leader election, etc.)
-->
TokenRequest API call.

These'd be creates, right?

@k8s-triage-robot
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 29, 2021
@benhxy

benhxy commented Oct 4, 2021

Discussed with my team. This feature is not seeing much demand. The token injection point between aggregate layer and custom API server is also unclear. Closing this KEP.

@benhxy benhxy marked this pull request as draft October 4, 2021 21:13
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 4, 2021
@benhxy benhxy closed this Oct 4, 2021