delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) #67543
force-pushed d117940 to a8bfd3b
RequestHeaderConfig *RequestHeaderConfig | ||
} | ||
|
||
func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.SecurityDefinitions, error) { | ||
authenticators := []authenticator.Request{} | ||
securityDefinitions := spec.SecurityDefinitions{} | ||
|
||
if len(c.SkippedPaths) > 0 { | ||
authenticators = append(authenticators, path.NewAuthenticator(c.SkippedPaths)) |
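Review bot: appending `path.NewAuthenticator(c.SkippedPaths)` to the authenticator chain means any request to a listed path is treated as authenticated without presenting a client cert or token, so the list must be restricted to endpoints that expose nothing sensitive (the PR defaults to /healthz), and it is redundant when anonymous authentication is enabled, since unauthenticated requests already become the anonymous user for every path. The thread below resolves this by dropping the authn part and keeping the skip list on the authz side only; if the authn variant ever comes back, the option should document that it bypasses authentication entirely for those paths.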
I didn't expect this to be required for authentication... if you allow anonymous requests, a request with no client cert or token will already be authenticated as the anonymous user (for all paths, not just /healthz)
Even if authenticated, we want to exclude certain paths in case the kube-apiserver is down. Otherwise, with a client cert you can't query /healthz in that case.
Maybe for authn this would be fine. Authz still needs the skipped paths mechanism.
force-pushed a8bfd3b to f306ab0
Removed the authn part for now. @liggitt ptal
force-pushed 751f3ed to 2dc09f7
/retest
force-pushed 298de28 to 6142e2f
/retest
@awly @liggitt @mikedanese anything left here?
/remove-area custom-resources
/lgtm
Only change in /staging/ is for bazel and Godeps.json. @liggitt approved?
/uncc
/approve structure looks good. looks like the /hold
Yes, that was the idea. Have moved it into the components. /hold cancel
Overriding approval as only staging/BUILD blocks it.
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: awly, liggitt, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
Add `AlwaysAllowPaths` field to delegated authz. These HTTP paths are excluded from the authz chain. Prerequisite for #64149 and #67069.