Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UPSTREAM: <carry>: include cluster name in authz SubjectAccessReview in webhooks #151

Merged
merged 1 commit into from
Nov 13, 2024
Merged

UPSTREAM: <carry>: include cluster name in authz SubjectAccessReview in webhooks #151

merged 1 commit into from
Nov 13, 2024

Conversation

xrstf
Copy link

@xrstf xrstf commented Nov 13, 2024
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

I am working on enabling the authorization webhook feature in kcp, allowing to send authz requests to an external URL. To make this useful, the SubjectAccessReview (SAR) needs to also include the cluster name. Sadly there is no good way to override the way the webhook plugin constructs a SAR and it's also not trivial to just construct a different, custom webhook implementation (because it is wrapped in a reloadableAuthorizer, which would also need to be copied and adjusted to make it work).

This PR therefore represents the simplest possible approach: Take the cluster name from the context, stuff it into the Extra field, done. The key name is authentication.kubernetes.io/cluster-name based on kcp-dev/kcp#3156, even though it's kinda misleading (authentication vs. authorization).

Does this PR introduce a user-facing change?

NB: This includes the fixup in #152

The authz webhook plugin will include the cluster name as an extra field in the SubjectAccessReview, called `authorization.kubernetes.io/cluster-name`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

@xrstf xrstf force-pushed the include-cluster-in-authz-webhooks branch from 2ec0f78 to 233d40c Compare November 13, 2024 14:00
embik
embik approved these changes Nov 13, 2024
View reviewed changes
Copy link
Member

@embik embik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@embik embik changed the title include cluster name in authz SubjectAccessReview in webhooks UPSTREAM: <carry>: include cluster name in authz SubjectAccessReview in webhooks Nov 13, 2024
@embik embik merged commit 071651d into kcp-1.31.0 Nov 13, 2024
This was referenced Nov 13, 2024
Draft
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@embik embik embik approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@xrstf @embik