-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KEP-3488: Implement secondary authz for ValidatingAdmissionPolicy #116054
Conversation
/triage accepted |
df9b366
to
341ca8b
Compare
/retest |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
Changelog suggestion: Added authorization check support to the CEL expressions of ValidatingAdmissionPolicy via a `authorizer`
variable with expressions. The new variable provides a builder that allows expressions such as `authorizer.group('').resource('pods').check('create').allowed()`. |
It's not obvious to me how this works. Does this have any interaction with SubjectAccessReview - perhaps via How many HTTP requests to the authz backend does
? You might like to sketch out the docs for this before we merge the code change @jpbetz, to make sure that we know what we need to explain. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This fell out very nicely. I think the last big question is whether we need to offer a means to specify the username to check the authorizer against. We've used serviceaccounts in the past and doing so using a method .forServiceAccount(namespace, name string) or some-such that restricts specifying any username could encourage patterns that have worked out well in the past without opening up for behavior we want to discourage.
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/validator_test.go
Outdated
Show resolved
Hide resolved
Good call @sftim , I've added docs for the Kubernetes CEL libraries, including this one, to kubernetes/website#39642. I've attempted to answer the questions you asked there. |
@deads2k Feedback addressed and this is ready for another pass when you are ready. Most importantly, service accounts are supported. Thanks for the review! |
/label api-review API changes: Adds an authorization variable and CEL functions available to ValidationAdmissionPolicy. Updates api docs to highlight the availability. No API types or fields are changed. |
/retest |
a370e49
to
bdfff33
Compare
Rebased and API review feedback applied |
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission.go
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/admission.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/initializer.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy/interface.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/compile.go
Outdated
Show resolved
Hide resolved
API bits lgtm, just a few questions on wiring / interfaces / exposed surface area |
/lgtm |
LGTM label has been added. Git tree hash: 5036f589367fbbe8f1f1e9803645263ee475e6ca
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jpbetz, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold might make sense to squash in review commits? |
/hold cancel |
Rebased to a reasonable minimum set of commits (keeping codegen separate) |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implements the Secondary Authz section of CEL for Admission Control.
Example CEL expressions:
Special notes for your reviewer:
This accounts for a few things missed in the KEP, namely:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig api-machinery
/priority important-soon