Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

switch delegated authnz to v1 APIs #84768

Merged
merged 3 commits into from Nov 12, 2019
Merged

switch delegated authnz to v1 APIs #84768

merged 3 commits into from Nov 12, 2019

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Nov 5, 2019
edited

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

  • Switches delegated authentication/authorization (used by the kubelet and aggregated API servers) to use v1 (needed so kubernetes components don't depend on kube-apiserver serving beta-level APIs)
  • kube-apiserver can now specify --authentication-token-webhook-version=v1 or --authorization-webhook-version=v1 to use v1 TokenReview and SubjectAccessReview API objects when communicating with authentication and authorization webhooks.
  • Adds unit tests for v1 that are clones of the v1beta1 unit tests with API types and expected apiVersions adjusted
  • Adds fuzzing round-trip tests to ensure all v1/v1beta1 fields in TokenReviews/SubjectAccessReviews spec/status are round-tripped

Related to flushing out beta APIs required by core components

Does this PR introduce a user-facing change?:

* kubelet and aggregated API servers now use v1 TokenReview and SubjectAccessReview endpoints to check authentication/authorization.
* kube-apiserver can now specify `--authentication-token-webhook-version=v1` or `--authorization-webhook-version=v1` to use `v1` TokenReview and SubjectAccessReview API objects when communicating with authentication and authorization webhooks.

/cc @deads2k @enj @mikedanese
/sig auth

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesn't merit a release note. labels Nov 5, 2019
@k8s-ci-robot k8s-ci-robot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/auth Categorizes an issue or PR as relevant to SIG Auth. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/kubelet sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Nov 5, 2019
@k8s-ci-robot k8s-ci-robot added area/test sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Nov 5, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Nov 8, 2019
@mikedanese mikedanese self-assigned this Nov 8, 2019
@liggitt liggitt changed the title WIP - switch delegated authnz to v1 switch delegated authnz to v1 Nov 9, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 9, 2019
@liggitt liggitt added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Nov 9, 2019
@k8s-ci-robot k8s-ci-robot removed the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Nov 9, 2019
@liggitt liggitt added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 9, 2019
@k8s-ci-robot k8s-ci-robot removed the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 10, 2019
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Nov 10, 2019
@liggitt
Copy link
Member Author

liggitt commented Nov 10, 2019

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 10, 2019
@liggitt liggitt added this to the v1.17 milestone Nov 10, 2019
@liggitt liggitt changed the title switch delegated authnz to v1 switch delegated authnz to v1 APIs Nov 10, 2019
liggitt
liggitt commented Nov 10, 2019
View reviewed changes
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook/webhook_v1beta1_test.go
@@ -0,0 +1,686 @@
/*
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file was a rename of webhook_test.go with V1beta1 added to type/function names

liggitt
liggitt commented Nov 10, 2019
View reviewed changes
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1beta1_test.go
@@ -0,0 +1,647 @@
/*
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this file was a rename of webhook_test.go with V1beta1 added to type/function names

@liggitt
Copy link
Member Author

liggitt commented Nov 10, 2019

This is ready for review. All the existing v1beta1 tests are still in place, and are duplicated as v1 tests, and the kubelet -> apiserver checks now run using v1.

@liggitt
Copy link
Member Author

liggitt commented Nov 11, 2019

dropped unused NewFromV1beta1Interface methods (diff at https://github.com/kubernetes/kubernetes/compare/0649889..7349a82)

@enj
Copy link
Member

enj commented Nov 11, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 11, 2019
@k8s-ci-robot k8s-ci-robot merged commit 681d224 into kubernetes:master Nov 12, 2019
@liggitt liggitt deleted the delegated-authnz-v1 branch November 12, 2019 13:20
@ramineni ramineni mentioned this pull request Nov 15, 2019
Merged
@liggitt liggitt mentioned this pull request Nov 19, 2019
Merged
@timuthy timuthy mentioned this pull request Feb 19, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@enj enj Awaiting requested review from enj

@mikedanese mikedanese Awaiting requested review from mikedanese

Assignees

@mikedanese mikedanese

@enj enj

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/kubelet area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@liggitt @k8s-ci-robot @enj @mikedanese