Limit public-info-viewer cluster role to oauth-authorization-server only #615
@stlaz: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
/retest
@@ -223,7 +223,7 @@ func clusterRoles() []rbacv1.ClusterRole { | |||
ObjectMeta: metav1.ObjectMeta{Name: "system:openshift:public-info-viewer"}, | |||
Rules: []rbacv1.PolicyRule{ | |||
rbacv1helpers.NewRule("get").URLs( | |||
"/.well-known", "/.well-known/*", | |||
"/.well-known", "/.well-known/oauth-authorization-server", |
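Review bot: the narrowed line still keeps the bare `/.well-known` entry in the same `get` rule, so unauthenticated callers retain that path even though `/.well-known/*` is gone; confirm that is intended or drop it together with the wildcard. Because RBAC `nonResourceURLs` only prefix-match on a trailing `*`, the new `/.well-known/oauth-authorization-server` entry is an exact match and no sibling `/.well-known/` path stays reachable through `system:openshift:public-info-viewer`, which matches the commit message. A unit test asserting that a neighbouring `/.well-known/` path is denied to the unauthenticated group would stop a later rebase from widening this again, which matters since the thread notes this lands as a carry on upstream bootstrap policy rather than as a role owned by the kube-apiserver operator.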
We carry a patch on kube policy today? If not (and I thought I avoided this), create a new clusterrole and clusterrolebinding in our kube-apiserver operator.
Indeed, this would be the carry: f271c47
…wn rules
Upstream started leveraging .well-known endpoints and does not allow accessing them by unauthenticated groups by default. Only limit unauthenticated access to the `/.well-known/oauth-authorization-server` endpoint that is needed for authentication into OpenShift.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: stlaz, sttts
/retest
Please review the full test history for this PR and help us cut down flakes.
/hold
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closed this PR. In response to this:
Upstream started leveraging .well-known endpoints and does not allow
accessing them by unauthenticated groups by default. Only limit
unauthenticated access to the
/.well-known/oauth-authorization-server
endpoint that is needed for authentication into OpenShift.
cc @sttts @deads2k
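To make the effect of the narrowed rule concrete, here is an added, stand-alone Go example (not code from this PR or from the OpenShift/Kubernetes repositories) that re-implements the upstream RBAC `nonResourceURLs` matching semantics with the standard library only and compares the rule before and after this change; the `PolicyRule` struct is a stand-in for `rbacv1.PolicyRule`, and the path `/.well-known/other-discovery-doc` is a constructed placeholder for any other discovery document upstream might serve.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a minimal stand-in for rbacv1.PolicyRule (assumption: only
// the two fields that matter for a non-resource URL rule are modelled).
type PolicyRule struct {
	Verbs           []string
	NonResourceURLs []string
}

// nonResourceURLMatches mirrors upstream RBAC semantics: "*" matches every
// path, an entry matches its exact path, and an entry ending in "*" matches
// any request path sharing the prefix before the "*".
func nonResourceURLMatches(ruleURL, requestPath string) bool {
	if ruleURL == "*" || ruleURL == requestPath {
		return true
	}
	return strings.HasSuffix(ruleURL, "*") &&
		strings.HasPrefix(requestPath, strings.TrimRight(ruleURL, "*"))
}

// Allows reports whether the rule grants verb on the non-resource path.
func (r PolicyRule) Allows(verb, path string) bool {
	verbOK := false
	for _, v := range r.Verbs {
		if v == verb || v == "*" {
			verbOK = true
		}
	}
	if !verbOK {
		return false
	}
	for _, u := range r.NonResourceURLs {
		if nonResourceURLMatches(u, path) {
			return true
		}
	}
	return false
}

// The public-info-viewer URL rule before and after PR #615.
var BeforeRule = PolicyRule{Verbs: []string{"get"},
	NonResourceURLs: []string{"/.well-known", "/.well-known/*"}}
var AfterRule = PolicyRule{Verbs: []string{"get"},
	NonResourceURLs: []string{"/.well-known", "/.well-known/oauth-authorization-server"}}

// Exposed returns the subset of paths the rule lets an unauthenticated GET reach.
func Exposed(r PolicyRule, paths []string) []string {
	var out []string
	for _, p := range paths {
		if r.Allows("get", p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample paths; "other-discovery-doc" is a placeholder.
	paths := []string{"/.well-known", "/.well-known/oauth-authorization-server",
		"/.well-known/other-discovery-doc", "/.well-known/oauth-authorization-server/x", "/api"}
	fmt.Println("before:", Exposed(BeforeRule, paths))
	fmt.Println("after: ", Exposed(AfterRule, paths))
}
```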