
Add Verb match support for ABAC #72097

Closed
lovejoy opened this issue Dec 17, 2018 · 5 comments

Comments

@lovejoy (Contributor) commented Dec 17, 2018

What would you like to be added:
Verb list match for ABAC.
Why is this needed:
Like the ReadOnly feature, we need a CreateOnly feature to limit delete requests, and this can be described as a verb list. I found https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/abac.go#L175
There is still a TODO there. Maybe we should implement this?

/kind feature

@lovejoy (Contributor, author) commented Dec 17, 2018

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth and removed needs-sig labels Dec 17, 2018

@liggitt (Member) commented Dec 17, 2018

Since the stabilization of the RBAC authorizer, new features are not being added to the ABAC authorizer. We can remove that TODO.

@lovejoy lovejoy closed this Dec 18, 2018

@lovejoy (Contributor, author) commented Dec 18, 2018

@liggitt Actually, I want to limit a user to WriteOnly access to resources in namespaces that share the same prefix (the user may create many namespaces with the same prefix). This can't be solved by RBAC, as it is designed for existing, known namespaces. I think it's easier to implement in ABAC: https://github.com/kubernetes/kubernetes/blob/master/pkg/auth/authorizer/abac/abac.go#L212 just change this line to support same-prefix namespaces and add verb match for ABAC.
Any advice on this?

@liggitt (Member) commented Dec 18, 2018

Authorizers do not have access to the name of the object being created (since it is not present in the API call URL). A webhook admission plugin could be used to limit creation requests to specific namespaces and resources.
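The two points made above, that an authorizer never sees the name of an object being created (it is in the request body, not the URL) and that an admission webhook is the layer that does see it, as an added worked example that is not part of the Kubernetes code base or of either comment: a minimal validating admission webhook in Go that confines a user to creating namespaces with a fixed prefix, and to creating other resources only inside such namespaces. The AdmissionReview types are a hand-written subset of admission.k8s.io/v1 so that it builds with the standard library alone; the policy map, the user name "alice", the prefix "team-a-", and the choice to accept a generateName stem that carries the prefix are all assumptions made here, not something the thread or the project specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Hand-written subset of the admission.k8s.io/v1 AdmissionReview wire format so the example builds with the
// standard library alone (real types: k8s.io/api/admission/v1). Untagged nested fields rely on encoding/json
// matching keys case-insensitively ("resource" -> Resource).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID       string                           `json:"uid"`
	Operation string                           `json:"operation"` // CREATE, UPDATE, DELETE or CONNECT
	Namespace string                           `json:"namespace"` // empty for cluster-scoped resources
	Resource  struct{ Group, Resource string } `json:"resource"`
	UserInfo  struct{ Username string }        `json:"userInfo"`
	Object    json.RawMessage                  `json:"object"` // full body: for a create, the only place the new name exists
}
type Status struct {
	Message string `json:"message"`
	Code    int32  `json:"code"`
}
type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

// Users confined to a namespace prefix on create (constructed policy; a real webhook would load it from config).
var createPrefixes = map[string]string{"alice": "team-a-"}

func allow(uid string) *AdmissionResponse { return &AdmissionResponse{UID: uid, Allowed: true} }
func deny(uid, msg string) *AdmissionResponse {
	return &AdmissionResponse{UID: uid, Allowed: false, Status: &Status{Message: msg, Code: http.StatusForbidden}}
}

// Decide applies the prefix policy to one request. Anything that is not a CREATE by a confined user is
// allowed here and left to the authorizer (RBAC/ABAC) as usual.
func Decide(req *AdmissionRequest) *AdmissionResponse {
	user := req.UserInfo.Username
	prefix, confined := createPrefixes[user]
	if !confined || req.Operation != "CREATE" {
		return allow(req.UID)
	}
	if req.Resource.Group == "" && req.Resource.Resource == "namespaces" {
		// Namespace create: the name is metadata.name, or the generateName stem when the server picks the
		// suffix (assumed sufficient, since a suffix cannot change the prefix). An empty name fails the check.
		var obj struct{ Metadata struct{ Name, GenerateName string } }
		if err := json.Unmarshal(req.Object, &obj); err != nil {
			return deny(req.UID, "cannot read object metadata: "+err.Error())
		}
		name := obj.Metadata.Name
		if name == "" {
			name = obj.Metadata.GenerateName
		}
		if !strings.HasPrefix(name, prefix) {
			return deny(req.UID, fmt.Sprintf("%s may only create namespaces named %s*", user, prefix))
		}
		return allow(req.UID)
	}
	// Any other create must land in one of the user's namespaces; a cluster-scoped resource has no
	// namespace at all and is denied as well.
	if !strings.HasPrefix(req.Namespace, prefix) {
		return deny(req.UID, fmt.Sprintf("%s may only create %s in namespaces named %s*", user, req.Resource.Resource, prefix))
	}
	return allow(req.UID)
}

// Review decodes one review body and returns the reply: request stripped, response filled in, uid/apiVersion/kind
// kept as v1 requires. Serve it over HTTPS (the API server only calls webhooks via TLS) with json.NewEncoder(w).Encode.
func Review(body []byte) (*AdmissionReview, error) {
	var rv AdmissionReview
	if err := json.Unmarshal(body, &rv); err != nil {
		return nil, err
	}
	if rv.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	rv.Response = Decide(rv.Request)
	rv.Request = nil
	return &rv, nil
}

// SampleReview builds a constructed core-group AdmissionReview as test input (nothing here came from a real API server).
func SampleReview(user, op, resource, namespace, objName string) []byte {
	var req AdmissionRequest
	req.UID, req.Operation, req.Namespace, req.UserInfo.Username, req.Resource.Resource = "sample-uid", op, namespace, user, resource
	req.Object, _ = json.Marshal(map[string]interface{}{"metadata": map[string]string{"name": objName}})
	body, _ := json.Marshal(AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Request: &req})
	return body
}

func main() {
	for _, c := range [][5]string{{"alice", "CREATE", "namespaces", "", "team-a-dev"}, {"alice", "CREATE", "pods", "kube-system", "web"}} {
		rv, _ := Review(SampleReview(c[0], c[1], c[2], c[3], c[4]))
		fmt.Printf("%v -> allowed=%v\n", c, rv.Response.Allowed)
	}
}
```

The design point is the one the thread ends on: the webhook can read `metadata.name` out of the request body, which is why the namespace-creation rule is expressible here and not in any authorizer. The webhook is deliberately a pure restriction on top of the existing authorizer: it only ever returns a denial for a confined user's CREATE, so RBAC still decides everything else, and a user not in the policy map is untouched. To deploy it you would register the HTTPS endpoint in a ValidatingWebhookConfiguration scoped to CREATE operations; that configuration and the TLS material are outside the example.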
