Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure version "*" is passed instead of "" for all authz checks #116937

Merged
merged 3 commits into from
Apr 25, 2023
Merged

Ensure version "*" is passed instead of "" for all authz checks #116937

merged 3 commits into from
Apr 25, 2023

Conversation

AxeZhan
Copy link
Member

@AxeZhan AxeZhan commented Mar 27, 2023
edited by liggitt

What type of PR is this?

/kind feature

What this PR does / why we need it:

SubjectAccessReview expects "*" (not "") if the version is unspecified.
This pr audit all authz checks to ensure that "*" is being passed everywhere.

Which issue(s) this PR fixes:

Fixes #115660

Special notes for your reviewer:

I'm not familiar with the codes in auth part. So if I'm missing something, plz give me a hint and I will dig into it.

Does this PR introduce a user-facing change?

SubjectAccessReview requests sent to webhook authorizers now default `spec.resourceAttributes.version` to `*` if unset.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 27, 2023
@k8s-ci-robot
Copy link
Contributor

Please note that we're already in Test Freeze for the release-1.27 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.27.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Mon Mar 27 04:26:09 UTC 2023.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 27, 2023
@k8s-ci-robot k8s-ci-robot added sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 27, 2023
@liggitt liggitt added this to the v1.28 milestone Mar 30, 2023
@ibihim
Copy link
Contributor

ibihim commented Apr 24, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 24, 2023
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Apr 25, 2023
edited

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 25, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 25, 2023
@liggitt liggitt added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Apr 25, 2023
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Apr 25, 2023
@liggitt
Copy link
Member

liggitt commented Apr 25, 2023

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 25, 2023
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: b10d46646e388c09c5605c29764da9c6f5ca899c

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AxeZhan, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 25, 2023
@k8s-ci-robot k8s-ci-robot merged commit 892ebf2 into kubernetes:master Apr 25, 2023
12 checks passed
@bertinatto bertinatto mentioned this pull request Jun 20, 2023
Closed
rayowang pushed a commit to rayowang/kubernetes that referenced this pull request Feb 9, 2024
@AxeZhan
Ensure version "*" is passed instead of "" for all authz checks (kube…
9f7dc51 
…rnetes#116937)

* ensure version * is passed instead of  for all authz checks

* unexport match function

* remove allversion constant
@jaskaransarkaria jaskaransarkaria mentioned this pull request Jun 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@wojtek-t wojtek-t Awaiting requested review from wojtek-t

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
Milestone
v1.28
Development

Successfully merging this pull request may close these issues.

Ensure version "*" is passed instead of "" for all authz checks
4 participants
@AxeZhan @k8s-ci-robot @ibihim @liggitt