Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update the kubelet authorizer to allow system:masters access without a SAR #99611

Closed
wants to merge 1 commit into from
Closed

update the kubelet authorizer to allow system:masters access without a SAR #99611

wants to merge 1 commit into from

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Mar 1, 2021

system:masters group is defined in kube-apiserver to always have access. Because of this, we know that every delegated authorization check for this group on every kubernetes cluster, will always return allowed. We can add the system:masters authorizer first.

/kind cleanup
/priority important-soon
@kubernetes/sig-auth-bugs @kubernetes/sig-node-pr-reviews

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/auth Categorizes an issue or PR as relevant to SIG Auth. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. sig/node Categorizes an issue or PR as relevant to SIG Node. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 1, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: deads2k
To complete the pull request process, please assign dchen1107 after the PR has been reviewed.
You can assign the PR to them by writing /assign @dchen1107 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@enj
Copy link
Member

enj commented Mar 2, 2021

Can we migrate the Kubelet to NewDelegatingAuthorizationOptions (just the struct, not the flag set)? The Kubelet is a bit of a unicorn in regards to its authn and authz stack. It would be nice to normalize it to what the API server uses.

@enj
Copy link
Member

enj commented Mar 2, 2021

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 2, 2021
@yangjunmyfm192085
Copy link
Contributor

/test pull-kubernetes-unit

@deads2k
Copy link
Contributor Author

deads2k commented Mar 2, 2021

Can we migrate the Kubelet to NewDelegatingAuthorizationOptions (just the struct, not the flag set)? The Kubelet is a bit of a unicorn in regards to its authn and authz stack. It would be nice to normalize it to what the API server uses.

I looked at that first, but doing so requires disconnecting the way they build the client. It's a significantly more invasive change.

@ehashman ehashman added this to Needs Reviewer in SIG Node PR Triage Mar 2, 2021
@enj
Copy link
Member

enj commented Mar 3, 2021

I looked at that first, but doing so requires disconnecting the way they build the client. It's a significantly more invasive change.

Right, but it is also the correct change. If the Kubelet was already using the API server code, #98325 would have already fixed its defaulting to include system:masters.

@SergeyKanzhelev SergeyKanzhelev moved this from Needs Reviewer to Waiting on Author in SIG Node PR Triage Mar 3, 2021
@enj enj added this to In Progress in SIG Auth Old Apr 9, 2021
@enj enj moved this from Needs Triage PRs to Backlog in SIG Auth Old Apr 19, 2021
@liggitt liggitt moved this from Backlog to In Progress (v1.22) in SIG Auth Old May 7, 2021
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 1, 2021
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 1, 2021
@k8s-ci-robot k8s-ci-robot added the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jul 1, 2021
@enj enj moved this from In Progress (v1.22) to Changes Requested (v1.22) in SIG Auth Old Jul 12, 2021
@k8s-triage-robot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

SIG Node PR Triage automation moved this from Waiting on Author to Done Jul 31, 2021
@ritazh ritazh removed this from Changes Requested in SIG Auth Old Nov 1, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ehashman ehashman Awaiting requested review from ehashman

@yifan-gu yifan-gu Awaiting requested review from yifan-gu

Assignees
No one assigned
Labels
area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Node PR Triage
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@deads2k @k8s-ci-robot @enj @yangjunmyfm192085 @fejta-bot @k8s-triage-robot