[StructuredAuthorizationConfiguration] Add --authorization-config flag and guard it using a Feature Gate #120154

Merged


palnabarun
Member

@palnabarun palnabarun commented Aug 24, 2023

What type of PR is this?

/kind feature
/area apiserver

What this PR does / why we need it:

This is a follow-up on #119099 and implements the following:

  • kube-apiserver flag (--authorization-config) for authorization configuration file
  • feature gate (StructuredAuthorizationConfiguration) for gating changes
  • adds an integration test for reading authorizers from the configuration file

Which issue(s) this PR fixes:

Fixes #118872

Special notes for your reviewer:

None

Does this PR introduce a user-facing change?

kube-apiserver: adds --authorization-config flag for reading a configuration file containing an apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration object. --authorization-config flag is mutually exclusive with --authorization-modes and --authorization-webhook-* flags. The alpha StructuredAuthorizationConfiguration feature flag must be enabled for --authorization-config to be specified.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://kep.k8s.io/3221
- [Usage]: TBD
- [Other doc]: TBD

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 24, 2023
@jiahuif
Member

jiahuif commented Aug 24, 2023

/retitle [WIP][StructuredAuthorizationConfiguration] Add --authorization-config flag and guard it using a Feature Gate
Please unmark WIP when it is ready to review. Thank you

@k8s-ci-robot k8s-ci-robot changed the title [StructuredAuthorizationConfiguration] Add --authorization-config flag and guard it using a Feature Gate [WIP][StructuredAuthorizationConfiguration] Add --authorization-config flag and guard it using a Feature Gate Aug 24, 2023
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 24, 2023
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 7, 2023
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Sep 25, 2023
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 27, 2023
@palnabarun palnabarun force-pushed the authz-config-external-changes branch from cea51aa to 813c109 Compare October 4, 2023 09:02
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 4, 2023
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 17, 2023
@liggitt
Member

liggitt commented Oct 17, 2023

/retest
(infra pod scheduling errors)

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 17, 2023
@palnabarun
Member Author

/test pull-kubernetes-conformance-kind-ipv6-parallel

@liggitt
Member

liggitt commented Oct 17, 2023

/retest
unrelated etcd error in integration test

@liggitt
Member

liggitt commented Oct 17, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 17, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: fbf75ab708c6782fc7a62056a119ae4ef9e17660

@liggitt
Member

liggitt commented Oct 18, 2023

Hmm, the bot thinks this needs a rebase… does it?

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 18, 2023
@palnabarun
Member Author

This PR shouldn't have the needs-rebase label anymore after changes were made hours ago.

@palnabarun
Member Author

What are the guidelines for manually removing the needs-rebase label?

@liggitt liggitt removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 18, 2023
@liggitt
Member

liggitt commented Oct 18, 2023

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 18, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 55df05d89553e3bd868b03a3b31333ead8ab6674

@k8s-ci-robot k8s-ci-robot merged commit ca43bf0 into kubernetes:master Oct 18, 2023
17 checks passed
@palnabarun palnabarun deleted the authz-config-external-changes branch October 19, 2023 03:30
@sftim
Contributor

sftim commented Oct 25, 2023

Changelog suggestion

kube-apiserver: added `--authorization-config` command line argument for reading a configuration file containing a serialized apiserver.config.k8s.io/v1alpha1 AuthorizationConfiguration. The `--authorization-config` argument is mutually exclusive with `--authorization-modes` and the `--authorization-webhook-*` arguments. The (alpha) `StructuredAuthorizationConfiguration` feature gate must be enabled for `--authorization-config` to be specified.
  • most of the IT world uses “flag” to refer to a boolean. In Golang a command line flag can be anything, but this confuses people used to the more widely used convention.
  • we call feature gates feature gates; these are actually booleans but we still should be using the term that end users see
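
The flag rules stated in the release note and changelog text above, as an added Go example (not code from this PR or from kube-apiserver): `checkAuthzFlags` is a hypothetical pre-flight helper that inspects a kube-apiserver argument list, and the sample arguments are constructed. It matches the mode flag by the prefix `--authorization-mode`, which covers both the spelling used in this thread and the `--authorization-mode` flag that kube-apiserver accepts.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const gate = "StructuredAuthorizationConfiguration"

// checkAuthzFlags is a hypothetical pre-flight helper, not kube-apiserver code; one message per violated rule.
func checkAuthzFlags(args []string) []string {
	var hasConfig, gateOn bool
	var legacy []string
	for i, a := range args {
		name, val, hasVal := strings.Cut(a, "=")
		if !hasVal && i+1 < len(args) && !strings.HasPrefix(args[i+1], "-") {
			val = args[i+1] // "--flag value" form
		}
		switch {
		case name == "--authorization-config":
			hasConfig = true
		case strings.HasPrefix(name, "--authorization-mode"),
			strings.HasPrefix(name, "--authorization-webhook-"):
			legacy = append(legacy, name)
		case name == "--feature-gates":
			for _, kv := range strings.Split(val, ",") {
				k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
				if b, err := strconv.ParseBool(v); k == gate {
					gateOn = err == nil && b
				}
			}
		}
	}
	var problems []string
	if hasConfig && !gateOn {
		problems = append(problems, "--authorization-config requires feature gate "+gate+"=true")
	}
	if hasConfig && len(legacy) > 0 {
		problems = append(problems, "--authorization-config is mutually exclusive with "+strings.Join(legacy, ", "))
	}
	return problems
}

func main() {
	// Constructed sample arguments, not from a real cluster.
	args := []string{"--authorization-config=/etc/kubernetes/authz.yaml", "--authorization-mode=Node,RBAC"}
	fmt.Println(strings.Join(checkAuthzFlags(args), "\n"))
}
```

Running such a check against a control-plane manifest before a rollout surfaces the conflict ahead of the API server's own start-up validation.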

Development

Successfully merging this pull request may close these issues.

[StructuredAuthorizationConfig] - Implement AuthorizationConfiguration
7 participants