KEP-3325: Promote SelfSubjectReview to Stable #3971

Merged
2 changes: 2 additions & 0 deletions keps/prod-readiness/sig-auth/3325.yaml
Expand Up @@ -3,3 +3,5 @@ alpha:
approver: "@deads2k"
beta:
approver: "@deads2k"
stable:
approver: "@deads2k"
Expand Up @@ -71,7 +71,7 @@ The motivation for this KEP is to reduce obscurity and help users with debugging
### Goals

- Add the API endpoint to get user attributes
- Add a corresponding kubectl command - `kubectl auth who-am-i`
- Add a corresponding kubectl command - `kubectl auth whoami`

### Non-Goals

Expand Down Expand Up @@ -236,6 +236,7 @@ We expect no non-infra related flakes in the last month as a GA graduation crite
-->

- `k8s.io/kubernetes/test/e2e/auth/selfsubjectreview.go`
- `k8s.io/kubernetes/test/cmd/auth_whoami.sh`

### Graduation Criteria

Expand All @@ -254,7 +255,8 @@ We expect no non-infra related flakes in the last month as a GA graduation crite
- `SelfSubjectReview` is promoted to `authentication.k8s.io/v1beta1` API (Beta APIs are not enabled by default, [see](https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/3136-beta-apis-off-by-default/README.md)).
- Promote feature gate to Beta and make it enabled by default
- Unit tests coverage improved
- `kubectl alpha auth whoami` command uses `authentication.k8s.io/v1beta1` API, falls back to `authentication.k8s.io/v1alpha1` API
- `kubectl alpha auth whoami` replaced with `kubectl auth whoami`
- `kubectl auth whoami` command uses `authentication.k8s.io/v1beta1` API, falls back to `authentication.k8s.io/v1alpha1` API
- Fix [documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#self-subject-review):
- Change API version
- Rewrite conditions to enable the feature
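Review bot: In the Beta criteria, the documentation sub-list should gain a "Change kubectl command" item now that the `kubectl alpha auth whoami` to `kubectl auth whoami` rename is listed at this stage; the items visible here only cover the API version and the enabling conditions. If that item is not already present below the visible context, add it so the linked documentation does not keep pointing users at the alpha subcommand.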
Expand All @@ -263,13 +265,12 @@ We expect no non-infra related flakes in the last month as a GA graduation crite

- `SelfSubjectReview` is promoted to `authentication.k8s.io/v1` API and enable by default
- Promote feature gate to Stable
- `kubectl alpha auth whoami` replaced with `kubectl auth whoami`
- `kubectl auth whoami` command prefers `authentication.k8s.io/v1` API over `authentication.k8s.io/v1beta1` and `authentication.k8s.io/v1alpha1`
- More integration and e2e tests cases
- Add `test/cmd` test
- Fix [documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#self-subject-review):
- Change API version
- Rewrite conditions to enable the feature
- Change kubectl command

NOTE: Should not be a part of [conformance tests](https://git.k8s.io/community/contributors/devel/sig-architecture/conformance-tests.md).
The fact that a user possesses a token does not necessarily imply the power to know to whom that token belongs.
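Review bot: The GA list turns `SelfSubjectReview` on by default in `authentication.k8s.io/v1`, but it does not say how an operator can disable or restrict the endpoint, even though the NOTE closing this hunk states that holding a token does not necessarily imply the right to know whose token it is. Add a criterion (or a pointer to the relevant section) covering the opt-out path for clusters where that disclosure is not wanted. The fallback bullet would also benefit from stating when `kubectl auth whoami` stops trying `authentication.k8s.io/v1beta1` and `authentication.k8s.io/v1alpha1`. Wording nits in the same list: "enable by default" should read "enabled by default" and "tests cases" should read "test cases".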
Expand Up @@ -16,8 +16,8 @@ approvers:
- "@liggitt"
creation-date: "2022-05-30"
status: implementable
stage: beta
latest-milestone: "v1.27"
stage: stable
latest-milestone: "v1.28"
milestone:
alpha: "v1.26"
beta: "v1.27"
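Review bot: With `stage: stable` and `latest-milestone: "v1.28"` set here, the `milestone:` map should carry a matching `stable: "v1.28"` entry; the visible context stops at `beta: "v1.27"`, so confirm that line exists below or add it in this change.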