New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce Impersonate-UID header #99961
Conversation
Welcome @margocrawf! |
Hi @margocrawf. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
/assign @deads2k |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mostly minor stuff.
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
Outdated
Show resolved
Hide resolved
@@ -67,6 +67,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime. | |||
username := "" | |||
groups := []string{} | |||
userExtra := map[string][]string{} | |||
uid := "" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe in a separate PR, can you move groupsSpecified
to its single point of use and update the comment to note that it only applies to service accounts (the newer group logic below has superseded this comment).
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
Outdated
Show resolved
Hide resolved
t.Errorf("body should contain a uid, but it didn't.") | ||
} | ||
}() | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation_test.go
Show resolved
Hide resolved
/ok-to-test
|
/retest |
UserInfo contains a uid field alongside groups, username and extra. This change makes it possible to pass a UID through as an impersonation header like you can with Impersonate-Group, Impersonate-User and Impersonate-Extra. This PR contains: * Changes to impersonation.go to parse the Impersonate-Uid header and authorize uid impersonation * Unit tests for allowed and disallowed impersonation cases * An integration test that creates a CertificateSigningRequest using impersonation, and ensures that the API server populates the correct impersonated spec.uid upon creation.
This change goes with kubernetes/kubernetes#99961 in the Kubernetes repo.
/lgtm |
/retest |
1 similar comment
/retest |
/approve |
/retest |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj, liggitt, margocrawf The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Unrelated quota integration test flake. |
This change goes with kubernetes/kubernetes#99961 in the Kubernetes repo.
This corresponds to previous work to allow impersonating UIDs: * Introduce Impersonate-UID header: kubernetes#99961 * Add UID to client-go impersonation config kubernetes#104483 Signed-off-by: Margo Crawford <margaretc@vmware.com>
What type of PR is this?
/kind-bug
What this PR does / why we need it:
This introduces an
Impersonate-Uid
header to server side code.While
UserInfo
contains auid
field alongsidegroups
,username
andextra
, it was not possible to pass aUID
through as an impersonation header like you can withImpersonate-Group
,Impersonate-User
andImpersonate-Extra
.This PR contains:
impersonation.go
to parse theImpersonate-Uid
header and authorize uid impersonationCertificateSigningRequest
using impersonation, and ensures that the API server populates the correct impersonatedspec.uid
upon creation.Which issue(s) this PR fixes:
This PR is a step towards fixing #93699.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: