New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GenericAdmissionWebhook cannot use tokens #53827

Closed
deads2k opened this Issue Oct 12, 2017 · 3 comments

Comments

@deads2k
Contributor

deads2k commented Oct 12, 2017

Most generic API servers do not have a client certificate they can use for authentication. They will all have SA tokens though. The admission webhooks are checked by CAs and they are already highly privileged. We should allow tokens like we do for other webhooks.

@kubernetes/sig-api-machinery-bugs

@caesarxuchao

This comment has been minimized.

Show comment
Hide comment
@caesarxuchao
Member

caesarxuchao commented Oct 12, 2017

/assign @cheftako

@deads2k

This comment has been minimized.

Show comment
Hide comment
@deads2k

deads2k Oct 13, 2017

Contributor

/priority important-soon

Needed for beta to make it possible wire to UASs and to achieve parity with other webhooks.

Contributor

deads2k commented Oct 13, 2017

/priority important-soon

Needed for beta to make it possible wire to UASs and to achieve parity with other webhooks.

@k8s-merge-robot

This comment has been minimized.

Show comment
Hide comment
@k8s-merge-robot

k8s-merge-robot Oct 13, 2017

Contributor

[MILESTONENOTIFIER] Milestone Issue Current

@caesarxuchao @cheftako @deads2k

Issue Labels
  • sig/api-machinery: Issue will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the issue owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/bug: Fixes a bug discovered during the current release.
Help
Contributor

k8s-merge-robot commented Oct 13, 2017

[MILESTONENOTIFIER] Milestone Issue Current

@caesarxuchao @cheftako @deads2k

Issue Labels
  • sig/api-machinery: Issue will be escalated to these SIGs if needed.
  • priority/important-soon: Escalate to the issue owners and SIG owner; move out of milestone after several unsuccessful escalation attempts.
  • kind/bug: Fixes a bug discovered during the current release.
Help

k8s-merge-robot added a commit that referenced this issue Oct 19, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes #53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

sttts pushed a commit to sttts/client-go that referenced this issue Oct 20, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3

sttts pushed a commit to sttts/apiserver that referenced this issue Oct 20, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3

sttts pushed a commit to sttts/sample-apiserver that referenced this issue Oct 20, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3

sttts pushed a commit to sttts/client-go that referenced this issue Oct 26, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3

sttts pushed a commit to sttts/apiserver that referenced this issue Oct 26, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3

sttts pushed a commit to sttts/sample-apiserver that referenced this issue Oct 26, 2017

Merge pull request #54156 from deads2k/admission-06-restclient
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

update admission webhook to accept client config

Fixes kubernetes/kubernetes#53827

This plumbs a complete client through the plugin initializer for admission webhooks.  It achieves parity with our existing webhooks and provides flexibility if people want to do something special or different.  Easy things are easy, hard things are possible.  This does not change behavior for kube-apiserver.

@kubernetes/sig-auth-api-reviews @kubernetes/sig-api-machinery-bugs

Kubernetes-commit: f07b359e5bd5af8947b32309865dada7043d59e3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment