allow delegated authorization to have privileged groups #70671
Conversation
k8s-ci-robot
added
sig/api-machinery
| } | ||
|
|
||
| func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions { | ||
| return &DelegatingAuthorizationOptions{ | ||
| // very low for responsiveness, but high enough to handle storms | ||
| AllowCacheTTL: 10 * time.Second, | ||
| DenyCacheTTL: 10 * time.Second, | ||
|
|
||
| // in a kube cluster, system:masters has full power. Use this as the default which could be later changed. | ||
| AlwaysAllowGroups: []string{user.SystemPrivilegedGroup}, |
There was a problem hiding this comment.
I think I'm on board with defaulting to a value that allows coasting, but I expected a flag wired to this to surface it and allow control
There was a problem hiding this comment.
I think I'm on board with defaulting to a value that allows coasting, but I expected a flag wired to this to surface it and allow control
This seems like a setting that individual binaries can choose to control how they like. I think a very small minority (if any) would want to allow an admin to control it and those binaries could choose to wire the value to whatever flag they like.
|
I'm worried that:
|
the same superuser exists in the kube-apiserver as the pinned first authorizer in the chain, independent of RBAC and prior to any configured authorizers |
|
Ahh... loopback stuff... I have similar concerns with that flow. While we couldn't make the same guarantees around preventing misconfiguration, I would strongly prefer if the loopback authorizer was appended to the authorizer chain rather than prepended. The usecase was outlined here #51862 |
|
I'm primarily concerned with introducing well known user/group strings that are capable of unilateral bypassing authorization when operators generally have little control over the users and groups of credentials (namely those provisioned by the certificates API).
Alternatively, we could enforce that the loopback authorizer could only authorize request from loopback addresses. Would this approach address the issues raised here? e.g. administrator needs port forward AND a system:master credential to bypass authorization of apiservers running in the cluster and apiservers running outside the cluster can be protected? |
|
I can make it optional, but I think that prepending is the correct default choice. This is already what the kube-apiserver does, so this is purely an optimization on asking. Again, a user of this API can wire or disable this in any way that they like and removing the default makes it purely opt-in. |
deads2k
force-pushed
the
delegated-system-master
branch
from
117f8bb
to
0b70b7a
Compare
|
Default removed. If someone requests it, then it will function as desired. |
|
/kind feature needs release note |
k8s-ci-robot
added
kind/feature
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
release-note
|
/lgtm |
In kube,
system:mastersis a special group that has full API powers. We use this group to be able to have kube-apiservers loopback with full power and to allow management of RBAC using a client cert with that group.Since DelegatedAuthorization is intended to be consistent with kube recommendations, this updates the default value to include an authorizer that lists
system:mastersas having full rights. This means that system:masters users will not have to have a remote authz call which improves performance and makes debugging very broken conditions possible.@smarterclayton
@kubernetes/sig-api-machinery-pr-reviews @kubernetes/sig-auth-pr-reviews