Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inaccurate logging when RBAC Authorizer returns DecisionNoOpinion #89458

Open
MikeSpreitzer opened this issue Mar 25, 2020 · 5 comments · May be fixed by #89608
Open

Inaccurate logging when RBAC Authorizer returns DecisionNoOpinion #89458

MikeSpreitzer opened this issue Mar 25, 2020 · 5 comments · May be fixed by #89608

Comments

@MikeSpreitzer
Copy link
Member

@MikeSpreitzer MikeSpreitzer commented Mar 25, 2020

What happened:
kubernetes/website#19828

I tried reading the code to figure out what the true story is. I discovered that the RBAC Authorizer never returns DecisionDeny, it uses DecisionNoOpinion instead. But I noticed that it logs "RBAC DENY".

It appears that #53273 changed the decision from binary to three-way, but did not update the log message.

The user-facing documentation only subtly implies that an Authorizer has three choices, which leads to confusing and inconsistent documentation for the careful reader. Perpetuating the muddle in the logging only makes it worse.

What you expected to happen:
I expected the logging to be consistent with what is really going on.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): master branch
  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools:
  • Network plugin and version (if this is a network-related bug):
  • Others:
@MikeSpreitzer

This comment has been minimized.

Copy link
Member Author

@MikeSpreitzer MikeSpreitzer commented Mar 25, 2020

@sftim

This comment has been minimized.

Copy link
Contributor

@sftim sftim commented Mar 25, 2020

Feel free to add /sig docs if you think that makes sense here.

@gauravsofat

This comment has been minimized.

Copy link

@gauravsofat gauravsofat commented Mar 26, 2020

Hi, I'm new to Kubernetes and wish to contribute, can I take this up?

@MikeSpreitzer

This comment has been minimized.

Copy link
Member Author

@MikeSpreitzer MikeSpreitzer commented Mar 26, 2020

@gauravsofat : sure!

@gauravsofat

This comment has been minimized.

Copy link

@gauravsofat gauravsofat commented Mar 27, 2020

/assign @gauravsofat

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

5 participants
You can’t perform that action at this time.