Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Limit public-info-viewer cluster role to oauth-authorization-server only #615

Closed
wants to merge 1 commit into from
Closed

Limit public-info-viewer cluster role to oauth-authorization-server only #615

wants to merge 1 commit into from

Conversation

stlaz
Copy link
Member

@stlaz stlaz commented Mar 11, 2021

Upstream started leveraging .well-known endpoints and does not allow
accessing them by unauthenticated groups by default. Only limit
unauthenticated access to the /.well-known/oauth-authorization-server
endpoint that is needed for authentication into OpenShift.

cc @sttts @deads2k

@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Mar 11, 2021
@openshift-ci-robot
Copy link

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@openshift-ci-robot
Copy link

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@stlaz
Copy link
Member Author

stlaz commented Mar 11, 2021

/retest

1 similar comment
@stlaz
Copy link
Member Author

stlaz commented Mar 15, 2021

/retest

deads2k
deads2k reviewed Mar 15, 2021
View reviewed changes
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -223,7 +223,7 @@ func clusterRoles() []rbacv1.ClusterRole {
ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:public-info-viewer"},
Rules: []rbacv1.PolicyRule{
rbacv1helpers.NewRule("get").URLs(
"/.well-known", "/.well-known/*",
"/.well-known", "/.well-known/oauth-authorization-server",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we carry a patch on kube policy today? If not (and I thought I avoided this), create a new clusterrole and clusterrolebinding in our kube-apiserver operator.

Copy link
Member Author

@stlaz stlaz Mar 18, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indeed, this would be the carry: f271c47

@openshift-ci-robot
Copy link

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@stlaz stlaz changed the title UPSTREAM: <carry>: limit public-info-viewer cluster role to oauth-authorization-server only SQUASH: limit public-info-viewer cluster role to oauth-authorization-server only Mar 18, 2021
@stlaz
UPSTREAM: <carry>: SQUASH: bootstrap-rbac-policy: move over .well-kno…
a91c2ff 
…wn rules

Upstream started leveraging .well-known endpoints and does not allow
accessing them by unauthenticated groups by default. Only limit
unauthenticated access to the `/.well-known/oauth-authorization-server`
endpoint that is needed for authentication into OpenShift.
@openshift-ci-robot
Copy link

@stlaz: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

@sttts sttts changed the title SQUASH: limit public-info-viewer cluster role to oauth-authorization-server only Limit public-info-viewer cluster role to oauth-authorization-server only Mar 18, 2021
@sttts
Copy link

sttts commented Mar 18, 2021

/lgtm
/approve

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 18, 2021
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: stlaz, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 18, 2021
@sttts sttts mentioned this pull request Mar 18, 2021
Merged
@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

7 similar comments
@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

19 similar comments
@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link

/retest

Please review the full test history for this PR and help us cut down flakes.

@stlaz
Copy link
Member Author

stlaz commented Jul 8, 2021

/hold
that could've been a valid failure

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 8, 2021
@openshift-bot
Copy link

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 6, 2021
@openshift-bot
Copy link

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 5, 2021
@openshift-bot
Copy link

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this Dec 5, 2021
@openshift-ci
Copy link

openshift-ci bot commented Dec 5, 2021

@openshift-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@mfojtik mfojtik Awaiting requested review from mfojtik

@soltysh soltysh Awaiting requested review from soltysh

Assignees

@sttts sttts

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@stlaz @openshift-ci-robot @sttts @openshift-bot @deads2k