-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement of Authentication and Authorization Filters to Allow Custom Configurations and Stability Improvements #2781
Comments
HI @deads2k, First of all, thank you very much for your assistance with this issue. Your expertise and deep knowledge are invaluable here, and I/and the community for sure greatly appreciate your involvement. Please feel free to add any additional insights or correct any points I might have missed or misunderstood. |
Thx for opening this issue and the feedback. In general makes sense to improve the feature where necessary. One question. Are the issues identified above from the kube-rbac-proxy audit or from an audit of the current implementation in controller-runtime? I'm not sure if they all apply in CR, as we only implement a subset of the kube-rbac-features and we only use them specifically for the metrics endpoint (e.g. |
Hi @sbueringer, IHMO all seems to apply because the feedback here in my understand is mainly keep the things configurable for properly inform the certs. Regards the |
We don't even have a /healthz endpoint on the metrics server. But I get the point for metrics |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
hi @sbueringer Could we frozen this one? |
/lifecycle frozen |
Enhancement Proposal: Authentication and Authorization Filters
Context: Following the implementation introduced in PR #2407, several issues regarding configurability and robustness were identified.
Issues Identified
Configurability: Current settings such as cache TTL, timeouts, and anonymous access are hardcoded and cannot be adjusted.
Certificate Authentication: The implementation disrupts normal certificate authentication processes. See that it shows like to have the same security issue identified by auth-sig which is a breaking change in kube-rbac-proxy over
The ability to run kube-rbac-proxy without TLS certificates will be removed.
shows be applied here. Users should provide their certificates and/or use solutions as cert-manager to manage them accordingly. It seems that is not a good practice to manage them. More info.Authorization Flexibility: Lack of support for
alwaysAllow
configurations for critical paths like/healthz
andalwaysAllowGroups
likesystem:masters
.Network Resilience: Heavy dependency on stable connectivity to kube-apiserver can lead to metrics outages under network instability.
Proposed Changes
Enhance the filters by introducing configurations for previously hardcoded settings, and by allowing the injection of custom authorizers, similar to the approach in kube-rbac-proxy PR #43 and the see the PR: https://github.com/brancz/kube-rbac-proxy/pull/125/files
Impact
These changes would enhance the flexibility and reliability of the authentication and authorization processes in controller-runtime, aligning with the needs of robust Kubernetes deployments.
c/c @deads2k @sbueringer
The text was updated successfully, but these errors were encountered: