Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add a custom authorizer to ensure kube-apiserver can always access tokenreviews webhook #41

Merged
merged 1 commit into from Feb 23, 2021
Merged

add a custom authorizer to ensure kube-apiserver can always access tokenreviews webhook #41

merged 1 commit into from Feb 23, 2021

Conversation

deads2k
Copy link
Contributor

@deads2k deads2k commented Feb 11, 2021

Adds a hardcoded authorizer to avoid unnecessary SAR calls. This could be made generic. We could also add one for handling /metrics

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 11, 2021
@deads2k
Copy link
Contributor Author

deads2k commented Feb 11, 2021

/hold

This demonstrates the how. It would need unit tests at least.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 11, 2021
p0lyn0mial
p0lyn0mial reviewed Feb 12, 2021
View reviewed changes
pkg/authorization/tokenreviewauthorizer/tokenreviewauthorizer.go Outdated
type tokenReviewAuthorizer struct{}

func (tokenReviewAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
if a.GetUser().GetName() != "system:serviceaccount:openshift-authentication:tokenreviewer"{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alright, so this is a service account token used by the KAS, right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

alright, so this is a service account token used by the KAS, right?

In @stlaz's PR, yes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it. This is just an example. Thanks for sharing it with me.

lgtm

@openshift-ci-robot openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 16, 2021
@openshift-ci-robot openshift-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 23, 2021
@stlaz
Copy link
Member

stlaz commented Feb 23, 2021

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 23, 2021
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, stlaz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deads2k
Copy link
Contributor Author

deads2k commented Feb 23, 2021

/hold cancel

@openshift-ci-robot openshift-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 23, 2021
@openshift-merge-robot openshift-merge-robot merged commit 44c67e1 into openshift:master Feb 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p0lyn0mial p0lyn0mial p0lyn0mial left review comments

@sttts sttts Awaiting requested review from sttts

Assignees

@stlaz stlaz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@deads2k @stlaz @openshift-ci-robot @p0lyn0mial @openshift-merge-robot