
return reason for allowed rbac authorizations #58531

Merged
merged 1 commit into kubernetes:master from liggitt:rbac-reason on Jan 20, 2018

5 participants
@liggitt
Member

liggitt commented Jan 19, 2018

includes the binding, role, and subject that allowed a request so audit can make use of it

xref #56209 #58083

example reasons

allowed by ClusterRoleBinding "system:controller:cronjob-controller" of ClusterRole "system:controller:cronjob-controller" to ServiceAccount "cronjob-controller/kube-system"

allowed by RoleBinding "bob-viewer/default" of ClusterRole "view" to User "bob"

perf impact

go test ./plugin/pkg/auth/authorizer/rbac/ -run foo -bench . -benchmem

on master:

BenchmarkAuthorize/allow_list_pods-8         	  500000	      2674 ns/op	    1632 B/op	      27 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8         	  500000	      2858 ns/op	    1632 B/op	      27 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8          	  500000	      2654 ns/op	    1632 B/op	      27 allocs/op

with this PR:

BenchmarkAuthorize/allow_list_pods-8         	  500000	      2697 ns/op	    1664 B/op	      28 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8         	  500000	      2873 ns/op	    1680 B/op	      29 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8          	  500000	      2687 ns/op	    1664 B/op	      28 allocs/op
NONE
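The two example reasons above are what an audit consumer will see; as an added example (not code from this PR or from Kubernetes), here is a small Go parser that recovers the granting binding, role and subject from such a string and groups grants by role. It assumes the merged code prints exactly the shape shown in the description, and the type and function names are this example's own.

```go
package main

import "regexp"

// AuthzReason is the binding/role/subject triple parsed from an RBAC "allowed by" reason.
type AuthzReason struct {
	BindingKind, Binding string // "RoleBinding" or "ClusterRoleBinding"; e.g. "bob-viewer/default"
	RoleKind, Role       string // "Role" or "ClusterRole"; e.g. "view"
	SubjectKind, Subject string // "User", "Group" or "ServiceAccount"; e.g. "bob"
}

// reasonRE matches the reason format shown in the PR description; that the merged code
// prints exactly this shape is an assumption of this example.
var reasonRE = regexp.MustCompile(`^allowed by (ClusterRoleBinding|RoleBinding) "([^"]+)" ` +
	`of (ClusterRole|Role) "([^"]+)" to (User|Group|ServiceAccount) "([^"]+)"$`)

// ParseReason extracts the grant that allowed a request. ok is false for anything that is
// not an RBAC allow reason (a deny, or another authorizer's text), so an audit consumer
// never attributes access to a binding that did not grant it.
func ParseReason(reason string) (r AuthzReason, ok bool) {
	m := reasonRE.FindStringSubmatch(reason)
	if m == nil {
		return AuthzReason{}, false
	}
	return AuthzReason{m[1], m[2], m[3], m[4], m[5], m[6]}, true
}

// GrantsByRole groups parsed reasons by granting role, answering the audit question
// "which subjects are actually exercising this role?". Unparseable lines are skipped.
func GrantsByRole(reasons []string) map[string][]string {
	out := map[string][]string{}
	for _, s := range reasons {
		if r, ok := ParseReason(s); ok {
			key := r.RoleKind + "/" + r.Role
			out[key] = append(out[key], r.SubjectKind+" "+r.Subject)
		}
	}
	return out
}

// SampleReasons is constructed input: the two reasons from the PR description plus a
// made-up deny line that must not be mistaken for a grant.
var SampleReasons = []string{
	`allowed by ClusterRoleBinding "system:controller:cronjob-controller" of ClusterRole "system:controller:cronjob-controller" to ServiceAccount "cronjob-controller/kube-system"`,
	`allowed by RoleBinding "bob-viewer/default" of ClusterRole "view" to User "bob"`,
	`no rules authorize user "bob"`,
}
```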
@deads2k

Contributor

deads2k commented Jan 19, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 19, 2018

@liggitt

Member Author

liggitt commented Jan 19, 2018

/hold

cleaning up the subject printing a little

@liggitt liggitt force-pushed the liggitt:rbac-reason branch from 7b29e08 to 1165dbb Jan 19, 2018

@k8s-merge-robot k8s-merge-robot removed the lgtm label Jan 19, 2018

@liggitt

Member Author

liggitt commented Jan 19, 2018

/hold cancel

@@ -258,7 +258,7 @@ func TestAppliesTo(t *testing.T) {
}

for _, tc := range tests {
got := appliesTo(tc.user, tc.subjects, tc.namespace)
_, got := appliesTo(tc.user, tc.subjects, tc.namespace)
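Review bot: the new first return value of appliesTo is discarded with `_` on the changed line, so the table test never verifies which subject index matched; capture it (`idx, got := appliesTo(tc.user, tc.subjects, tc.namespace)`) and compare it against an expected-index field added to each test case so the index plumbing is covered as well as the boolean.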


@enj

enj Jan 19, 2018

Member

Check the idx in tests?

@enj

Member

enj commented Jan 19, 2018

@liggitt why not use more structured output instead of a giant string?

return reason for allowed rbac authorizations
includes the binding, role, and subject that allowed a request so audit can make use of it

@liggitt liggitt force-pushed the liggitt:rbac-reason branch from 1165dbb to b4fb252 Jan 19, 2018

@k8s-ci-robot k8s-ci-robot added size/L and removed size/M labels Jan 19, 2018

@liggitt

Member Author

liggitt commented Jan 19, 2018

@liggitt why not use more structured output instead of a giant string?

  • we already have plumbing for a string reason
  • putting structure inside a string is fragile and makes the interface misleading
  • the same interface needs to be remoteable (via subject access review)
  • the intended consumer of this (audit) is unlikely to nest structured data from arbitrary authorizers. see #58143 for discussion of a way for authorizers/admission plugins to contribute unstructured attributes to an audit event
@enj

Member

enj commented Jan 19, 2018

@liggitt 👍

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 19, 2018

@liggitt

Member Author

liggitt commented Jan 19, 2018

/retest

@k8s-ci-robot

Contributor

k8s-ci-robot commented Jan 19, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, liggitt

Associated issue: #56209

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-merge-robot

Contributor

k8s-merge-robot commented Jan 20, 2018

Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit c1d8f71 into kubernetes:master Jan 20, 2018

13 checks passed

Submit Queue: Queued to run github e2e tests a second time.
cla/linuxfoundation: liggitt authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke-gci: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-kubemark-e2e-gce: Job succeeded.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-unit: Job succeeded.
pull-kubernetes-verify: Job succeeded.

@liggitt liggitt deleted the liggitt:rbac-reason branch Jan 26, 2018
