Allow anonymous API server access, decorate authenticated users with system:authenticated group #32386
Conversation
cc @kubernetes/sig-auth
lgtm
You'll want a doc pull too.
@cjcullen I can't tell if the gke smoke test failures are flakes, or related to the
Very useful, thanks!
@@ -258,6 +259,11 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
"If specified, a username which avoids RBAC authorization checks and role binding "+ | |||
"privilege escalation checks, to be used with --authorization-mode=RBAC.") | |||
|
|||
fs.BoolVar(&s.AnonymousAuth, "anonymous-auth", s.AnonymousAuth, ""+ |
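Review bot: the help text for `--anonymous-auth` is cut off after `""+` in this hunk, and the default handed to `fs.BoolVar` is `s.AnonymousAuth`, so the effective default depends on how `ServerRunOptions` is initialised elsewhere rather than on anything visible here. The help text should state that default explicitly, name the `system:anonymous` user and `system:unauthenticated` group the flag assigns to unauthenticated requests, and carry the same kind of pairing caveat the preceding flag's text gives for `--authorization-mode=RBAC`: anonymous auth must not be combined with `--authorization-mode=AlwaysAllow`, otherwise every unauthenticated request is fully authorized.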
Let's make this flag be called "forbid-anonymous-auth", and default to false.
That is because we expect most people to enable it going forward, and we don't want a flag that is expected to be required to be specified.
The release note can have a warning that: people who are relying on authentication alone to authorize access should add authorization or set --forbid-anonymous-auth.
I'd like to avoid a negative in the flag name if possible. Just updated the default to true.
Please change flag default. Other than that, LGTM.
@k8s-bot gke test this issue: #IGNORE
(kicking the GKE tests to confirm that the unknown user thing is fixed).
Tracked down the GKE failure to SubjectAccessReview serializing groups as
GCE e2e build/test passed for commit c3f37a1345b1d3af5a45a73ceaf561f6b1374cac.
Jenkins GCI Kubemark GCE e2e failed for commit 5599ca3. Full PR test history. The magic incantation to run this job again is
Jenkins GCI GKE smoke e2e failed for commit 5599ca3. Full PR test history. The magic incantation to run this job again is
Jenkins GCI GCE e2e failed for commit 5599ca3. Full PR test history. The magic incantation to run this job again is
flag default, help text, and release note updated, GKE smoke test passing |
doc PR at kubernetes/website#1342 |
@liggitt can you confirm that this: https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/32386/kubernetes-pull-build-test-gci-e2e-gce/188/ is a flake, not a result of this change?
@liggitt once you've confirmed, this lgtm.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue |
When writing authorization policy, it is often necessary to allow certain actions to any authenticated user. For example, creating a service or configmap, and granting read access to all users.
It is also frequently necessary to allow actions to any unauthenticated user. For example, fetching discovery APIs might be part of an authentication process, and therefore need to be able to be read without access to authentication credentials.
This PR:
- allows anonymous API server access, giving unauthenticated requests a username of `system:anonymous` and a group of `system:unauthenticated`. Note: this should only be used with an `--authorization-mode` other than `AlwaysAllow`
- decorates authenticated users with the group `system:authenticated`.

This is related to defining a default set of roles and bindings for RBAC (kubernetes/enhancements#2). The bootstrap policy should allow all users (anonymous or authenticated) to request the discovery APIs.
c.f. #29177 (comment)
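The identity handling the PR description sketches (unauthenticated requests becoming `system:anonymous` in group `system:unauthenticated`, every authenticated user gaining `system:authenticated`, and a bootstrap policy that lets anyone read discovery) together with the review thread's caveat about pairing anonymous auth with `AlwaysAllow`, as an added Go example written for this page. It is not the apiserver's own code: `UserInfo`, `Authenticator`, `Authorizer`, `BearerTokenAuth`, `BootstrapPolicy`, `Decide`, the token table and the discovery path list are constructed for the example and stand in for the project's real authenticator, union and authorizer types.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Names from the PR description; UserInfo stands in for the apiserver's user.Info.
const (
	AnonymousUser        = "system:anonymous"
	UnauthenticatedGroup = "system:unauthenticated"
	AuthenticatedGroup   = "system:authenticated"
)
type UserInfo struct {
	Name   string
	Groups []string
}
// Authenticator: ok=false with nil error means no credentials; non-nil error means rejected.
type Authenticator func(r *http.Request) (*UserInfo, bool, error)
// BearerTokenAuth checks "Authorization: Bearer <token>" against a constructed token table.
func BearerTokenAuth(tokens map[string]string) Authenticator {
	return func(r *http.Request) (*UserInfo, bool, error) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") {
			return nil, false, nil // no credentials presented
		}
		if name, found := tokens[strings.TrimPrefix(h, "Bearer ")]; found {
			return &UserInfo{Name: name}, true, nil
		}
		return nil, false, fmt.Errorf("invalid bearer token")
	}
}

// WithAuthenticatedGroup appends system:authenticated to every user the delegate accepts.
func WithAuthenticatedGroup(next Authenticator) Authenticator {
	return func(r *http.Request) (*UserInfo, bool, error) {
		u, ok, err := next(r)
		if err != nil || !ok {
			return u, ok, err
		}
		u.Groups = append(u.Groups, AuthenticatedGroup)
		return u, true, nil
	}
}

// WithAnonymous turns "no credentials" into system:anonymous/system:unauthenticated when anonymousAuth is true; rejected credentials stay rejected (this example's choice).
func WithAnonymous(next Authenticator, anonymousAuth bool) Authenticator {
	return func(r *http.Request) (*UserInfo, bool, error) {
		u, ok, err := next(r)
		if err != nil || ok || !anonymousAuth {
			return u, ok, err
		}
		return &UserInfo{Name: AnonymousUser, Groups: []string{UnauthenticatedGroup}}, true, nil
	}
}

// Authorizer decides whether u may perform verb on path.
type Authorizer func(u *UserInfo, verb, path string) bool

// AlwaysAllow is the authorization mode the PR warns against pairing with anonymous auth.
func AlwaysAllow(*UserInfo, string, string) bool { return true }

// BootstrapPolicy (constructed simplification): anyone may GET discovery paths, all else needs an authenticated user.
func BootstrapPolicy(u *UserInfo, verb, path string) bool {
	discovery := map[string]bool{"/api": true, "/api/v1": true, "/apis": true, "/version": true}
	if verb == "GET" && discovery[path] {
		return true
	}
	for _, g := range u.Groups {
		if g == AuthenticatedGroup {
			return true
		}
	}
	return false
}

// Decide builds the request (bearer token when token != ""), authenticates, authorizes, and returns the status the server would send plus the resolved user.
func Decide(auth Authenticator, authz Authorizer, verb, path, token string) (int, *UserInfo) {
	r, _ := http.NewRequest(verb, "https://apiserver.example"+path, nil) // constant inputs cannot fail
	if token != "" {
		r.Header.Set("Authorization", "Bearer "+token)
	}
	u, ok, err := auth(r)
	if err != nil || !ok {
		return http.StatusUnauthorized, nil
	}
	if !authz(u, verb, path) {
		return http.StatusForbidden, u
	}
	return http.StatusOK, u
}

func main() {
	auth := WithAnonymous(WithAuthenticatedGroup(BearerTokenAuth(map[string]string{"tok-alice": "alice"})), true)
	fmt.Println(Decide(auth, BootstrapPolicy, "GET", "/api", ""))            // 200 &{system:anonymous [system:unauthenticated]}
	fmt.Println(Decide(auth, BootstrapPolicy, "GET", "/api/v1/secrets", "")) // 403 &{system:anonymous [system:unauthenticated]}
	fmt.Println(Decide(auth, AlwaysAllow, "GET", "/api/v1/secrets", ""))     // 200: anonymous auth plus AlwaysAllow is an open API
}
```

With anonymous auth on, the authorizer is the only thing standing between an unauthenticated caller and the API: `BootstrapPolicy` lets `system:unauthenticated` read discovery and nothing else, while `AlwaysAllow` hands the same caller `/api/v1/secrets`, which is the hazard the review thread's release-note warning is about. The example also treats a presented-but-invalid token as a 401 rather than letting it fall through to the anonymous identity; that is a choice made here for the example, not a statement about how the project's authenticator chain behaves.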