
Support for service accounts in user related fields/flags/headers is under documented #39720

Open
jpbetz opened this issue Feb 28, 2023 · 7 comments
Labels
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • language/en: Issues or PRs related to English language.
  • needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.
  • sig/auth: Categorizes an issue or PR as relevant to SIG Auth.

Comments

@jpbetz
Contributor

jpbetz commented Feb 28, 2023

This is a Feature Request

How service accounts are identified in:

  • The SubjectAccessReview API User field
  • The AdmissionReview API's UserInfo field
  • The ImpersonateUser header
  • kubectl --as

...is under-documented.

In all cases, service accounts can be referenced via system:serviceaccount:{service account username}:{service account name}.

https://kubernetes.io/docs/reference/access-authn-authz/authentication/ is the best documentation I could find. It points out that service accounts authenticate with the username system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT). But it took me quite a while to find this, and it still wasn't obvious that user fields all accept

What would you like to be added

All API "user" fields/flags/headers also somehow document that service accounts are supported.

Why is this needed

It takes way too long to figure out what is supported by user fields/flags/headers without this documentation. I ended up figuring it out mostly by searching the public web and by trying things out on a cluster.


@jpbetz jpbetz added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 28, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Feb 28, 2023
@jpbetz jpbetz changed the title The proper use of serviceaccounts in user related fields is underdocumented Support for service accounts in user related fields/flags/headers is under documented Feb 28, 2023
@jpbetz
Contributor Author

jpbetz commented Feb 28, 2023

/assign

@sftim
Contributor

sftim commented Feb 28, 2023

/sig auth
/language en

https://kubernetes.io/docs/concepts/security/service-accounts/ should at least signpost to the right page
We could add a “users and groups” concept page that explains the nebulous way we, uh, don't really define these!

(BTW https://kubernetes.io/docs/concepts/security/service-accounts/ is a first-pass, we only added that concept page very recently and its absence had been noted for a while).

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. language/en Issues or PRs related to English language labels Feb 28, 2023
@nilekhc
Contributor

nilekhc commented May 8, 2023

/assign

Hey @jpbetz, are you still working on this? Let us (Sig-Auth) know if you need any help.

Also, K8s RBAC has a specific way of referring to SAs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects
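As an added illustration of the two forms discussed in this thread (the `system:serviceaccount:<namespace>:<name>` username that jpbetz's list of user fields, the Impersonate-User header and `kubectl --as` accept, and the separate `kind: ServiceAccount` subject form for RBAC bindings that the link above describes), here is a small Python module that builds and parses both. It is example code written for this discussion, not code from the issue, from kubernetes/website or from Kubernetes itself; the helper names are mine, the RFC 1123 regexes are simplified approximations of Kubernetes' own validation, and the group names are the ones a service-account token carries.

```python
import json
import re

# Username prefix the service-account authenticator issues, per the
# authentication reference page linked in the issue.
SA_PREFIX = "system:serviceaccount:"

# Simplified RFC 1123 checks (assumption: Kubernetes' own validation is the
# reference; these mainly reject uppercase and ':' so a crafted name cannot
# shift the namespace/name boundary in the joined string).
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")
DNS_SUBDOMAIN = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")


def sa_username(namespace: str, name: str) -> str:
    """Username that identifies a service account in every 'user' field/flag/header."""
    if not DNS_LABEL.match(namespace):
        raise ValueError(f"invalid namespace: {namespace!r}")
    if not DNS_SUBDOMAIN.match(name):
        raise ValueError(f"invalid service account name: {name!r}")
    return f"{SA_PREFIX}{namespace}:{name}"


def parse_sa_username(username: str):
    """Return (namespace, name) if `username` denotes a service account, else None.

    An admission webhook can apply this to request.userInfo.username in the
    AdmissionReview it receives to tell service accounts from other users.
    """
    if not username.startswith(SA_PREFIX):
        return None
    parts = username[len(SA_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    namespace, name = parts
    if not DNS_LABEL.match(namespace) or not DNS_SUBDOMAIN.match(name):
        return None
    return namespace, name


def sa_groups(namespace: str) -> list:
    """Groups a service-account token carries alongside its username."""
    return [
        "system:serviceaccounts",
        f"system:serviceaccounts:{namespace}",
        "system:authenticated",
    ]


def subject_access_review(namespace, name, verb, resource, target_namespace=None):
    """Body for POST /apis/authorization.k8s.io/v1/subjectaccessreviews asking
    whether the service account may perform `verb` on `resource`."""
    attrs = {"verb": verb, "resource": resource}
    if target_namespace:
        attrs["namespace"] = target_namespace
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": sa_username(namespace, name),
            "groups": sa_groups(namespace),
            "resourceAttributes": attrs,
        },
    }


def impersonation_headers(namespace, name) -> list:
    """Impersonation headers for the same account, as (name, value) pairs because
    Impersonate-Group repeats. Groups are passed explicitly here; kubectl --as
    only sends them when --as-group is also given."""
    headers = [("Impersonate-User", sa_username(namespace, name))]
    headers += [("Impersonate-Group", g) for g in sa_groups(namespace)]
    return headers


def rbac_subject(namespace, name) -> dict:
    """Subject entry for a RoleBinding/ClusterRoleBinding: RBAC uses the
    object's kind, name and namespace, not the system:serviceaccount: username."""
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}


if __name__ == "__main__":
    # Constructed sample: can the ci-runner account in 'dev' create pods in 'prod'?
    print(json.dumps(subject_access_review("dev", "ci-runner", "create", "pods", "prod"), indent=2))
    print(impersonation_headers("dev", "ci-runner"))
    print(rbac_subject("dev", "ci-runner"))
```

The SubjectAccessReview body is the form an auditor posts to check a service account's effective permissions without holding its token; keeping the `sa_groups` list in sync with what the account would actually carry matters, because RBAC rules bound to `system:serviceaccounts:<namespace>` are only evaluated when those groups are present in the review.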

@nilekhc
Contributor

nilekhc commented May 8, 2023

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 8, 2023
@jpbetz
Contributor Author

jpbetz commented May 8, 2023

Is anyone in SIG-Auth interested in picking this up? I've dropped this due to workload and it might be a while before I can circle back.

@jpbetz
Contributor Author

jpbetz commented May 8, 2023

/unassign

@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels May 7, 2024
Projects
Status: Backlog

5 participants