Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include extra attributes in SubjectAccessReview #13170

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

multimac
Copy link
Contributor

Kubernetes authorization plugins can rely on extra attributes on a user, and these are provided via X-Remote-Extra- headers. Currently the Linkerd Viz tap API doesn't include these attributes when making the SubjectAccessReview request which means the Tap API cannot be used by end-users who's clusters use such authz plugins.

This change updates the tap controller to parse the X-Remote-Extra- headers and include them in the SubjectAccessReview request.

Fixed #13169

Kubernetes authorization plugins can rely on extra attributes on a user, and these are provided via `X-Remote-Extra-` headers. Currently the Linkerd Viz `tap` API doesn't include these attributes when making the `SubjectAccessReview` request which means the Tap API cannot be used by end-users who's clusters use such authz plugins.

This change updates the `tap` controller to parse the `X-Remote-Extra-` headers and include them in the SubjectAccessReview request.
Fixed linkerd#13169

Signed-off-by: David Symons <david.symons@onemodel.co>
@multimac multimac requested a review from a team as a code owner October 11, 2024 04:20
@kflynn
Copy link
Member

kflynn commented Oct 31, 2024

Hey @multimac, just a quick check-in -- we're heads-down to ship Linkerd 2.17 but will be coming back to this as soon as we can. Sorry for the delay!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Linkerd Tap doesn't seem to work with EKS Access Entries authentication
3 participants