Access Review APIs

[deads2k]

Description

The API server should provide endpoints to allow access control checks and subject access checks without direct knowledge of the backing authorization engine. This allows delegation of authorization.

Progress Tracker

• Before Alpha
  • Write and maintain draft quality doc
    • During development keep a doc up-to-date about the desired experience of the feature and how someone can try the feature in its current state. Think of it as the README of your new feature and a skeleton for the docs to be written before the Kubernetes release. Paste link to Google Doc: DOC-LINK
  • Design Approval
    • Design Proposal. Upstreaming *AccessReview checks from https://github.com/openshift/origin/blob/master/docs/proposals/policy.md#apiversionnsnamespaceresourceaccessreview was agreed to some time ago in @kubernetes/sig-auth
    • Initial API review (if API). Maybe same PR as design doc. add subject access review types kubernetes#18722 introduced the objects
      • Any code that changes an API (/pkg/apis/...)
      • cc @kubernetes/api
    • Identify shepherd (your SIG lead and/or kubernetes-pm@googlegroups.com will be able to help you). @deads2k @erictune
      • A shepherd is an individual who will help acquaint you with the process of getting your feature into the repo, identify reviewers and provide feedback on the feature. They are not (necessarily) the code reviewer of the feature, or tech lead for the area.
      • The shepherd is not responsible for showing up to Kubernetes-PM meetings and/or communicating if the feature is on-track to make the release goals. That is still your responsibility.
    • Identify secondary/backup contact point. @liggitt
  • Write (code + tests + docs) then get them merged. ALL-PR-NUMBERS
    • Code needs to be disabled by default. Verified by code OWNERS
    • Minimal testing
    • Minimal docs
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
      • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
    • Update release notes
• Before Beta
  • Testing is sufficient for beta
  • User docs with tutorials
    • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
    • cc @kubernetes/docs on docs PR
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Thorough API review
    • cc @kubernetes/api
• Before Stable
  • docs/proposals/foo.md moved to docs/design/foo.md
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
  • Soak, load testing
  • detailed user docs and examples
    • cc @kubernetes/docs
    • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

• Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

• Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
• As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
  and sometimes http://github.com/kubernetes/contrib, or other repos.
• When you are done with the code, apply the "code-complete" label.
• When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
  check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
  testing. They won't do detailed code review: that already happened when your PRs were reviewed.
  When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

• Write user docs and get them merged in.
• User docs go into http://github.com/kubernetes/kubernetes.github.io.
• When the feature has user docs, please add a comment mentioning @kubernetes/docs.
• When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.

[deads2k]

@kubernetes/sig-auth @erictune @smarterclayton

We've talked about doing this for some time. The API objects were actually approved and merged, but we've had trouble getting review attention on the PRs that provide the REST endpoints.

I'd really like to focus on getting this in for 1.4. I think providing a complete authorization delegation API is important for things like server federation.

[erictune]

David and I are both SIG leads and we both approve of this initiative.

On Wed, Jul 20, 2016 at 12:44 PM, David Eads notifications@github.com
wrote:

@kubernetes/sig-auth https://github.com/orgs/kubernetes/teams/sig-auth
@erictune https://github.com/erictune @smarterclayton
https://github.com/smarterclayton

We've talked about doing this for some time. The API objects were actually
approved and merged, but we've had trouble getting review attention on the
PRs that provide the REST endpoints.

I'd really like to focus on getting this in for 1.4. I think providing a
complete authorization delegation API is important for things like server
federation.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#37 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AHuudmdyce9Dhlry6gkO0f4MxwEv-OEvks5qXnqEgaJpZM4JRIlO
.

[deads2k]

kubernetes/kubernetes#31271 adds the SelfSubjectAccessReview API.

[janetkuo]

@deads2k Are the docs ready? Please update the docs in https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and check the docs box in the issue description

[jaredbhatti]

Ping. Any update on docs?

[deads2k]

Ping. Any update on docs?

Right now, its API only, but swagger is complete. CLI integration should come in 1.5 and then there will be something more substantive to doc for end users.

[erictune]

How about one sentence that says that the API exists, so that people know
to go look at the swagger? Nobody is going to study the swagger to find
new APIs.

On Wed, Sep 7, 2016 at 3:39 PM, David Eads notifications@github.com wrote:

Ping. Any update on docs?

Right now, its API only, but swagger is complete. CLI integration should
come in 1.5 and then there will be something more substantive to doc for
end users.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#37 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AHuudohBEVPn9ma6PJpHKQWaQI8rH5Nwks5qnz0qgaJpZM4JRIlO
.

[deads2k]

How about one sentence that says that the API exists, so that people know
to go look at the swagger? Nobody is going to study the swagger to find
new APIs.

Fair. I'll find a spot tomorrow or early next week.

[jaredbhatti]

@deads2k @erictune Another ping on docs. Any PRs you can point me to?

[deads2k]

@deads2k @erictune Another ping on docs. Any PRs you can point me to?

I've written a brief description here: kubernetes/website#1219 . As we continue to fill out the API, it will become easier to use and have more capability.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close