
Let AuditSink could share web config via configmap/secret #71733

WanLinghao opened this Issue Dec 5, 2018 · 3 comments

WanLinghao commented Dec 5, 2018

Currently, the user must fill in the CABundle field in the web config of an AuditSink. It looks like:

apiVersion: auditregistration.k8s.io/v1alpha1
kind: AuditSink
metadata:
  name: auditsink1
spec:
  policy:
    level: RequestResponse
    stages:
    - ResponseComplete
  webhook:
    throttle:
      qps: 10
      burst: 15
    clientConfig:
      url: https://localhost:8080
      caBundle: <base64-encoded CA bundle, usually very long>

The CABundle is very long in most cases, which makes it pretty hard to modify, especially when it comes to a bunch of AuditSinks. What's more, the usual case is that a bunch of AuditSinks share the same webhook configuration, so obviously we need to fill in the same long CABundle one by one. And I am a bit worried about the security risk, since each AuditSink object holds a CA bundle.
I think maybe we could make AuditSink extract data from a configmap/secret to solve the problems above. So the new AuditSink would look like:

type AuditSinkSpec struct {
	Policy  Policy  // which requests are audited and at which stages
	Webhook Webhook // where the audit events are delivered
}

type Webhook struct {
	Throttle     *WebhookThrottleConfig // optional rate limit (qps/burst)
	ClientConfig WebhookClientConfig
}

type WebhookClientConfig struct {
	URL      *string
	Service  *ServiceReference
	CABundle []byte // PEM CA bundle used to verify the webhook server's certificate
}

/kind feature


k8s-ci-robot commented Dec 5, 2018

@WanLinghao: There are no sig labels on this issue. Please add a sig label by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


WanLinghao commented Dec 5, 2018

@pbarker WDYT


pbarker commented Dec 5, 2018

@WanLinghao interesting idea, we discussed something similar in the last sig-auth meeting around storing authentication information in a secret. One of the issues with this model is that the aggregate servers live in different namespaces, and would either need their own configmap or would need permission to access a shared one. We would need to draw up a reasonable way of doing this. In the case we find a path forward it may make sense to merge this with the auth secret effort.
