Enhancement of Authentication and Authorization Filters to Allow Custom Configurations and Stability Improvements #2781
Comments
|
HI @deads2k, First of all, thank you very much for your assistance with this issue. Your expertise and deep knowledge are invaluable here, and I/and the community for sure greatly appreciate your involvement. Please feel free to add any additional insights or correct any points I might have missed or misunderstood. |
|
Thx for opening this issue and the feedback. In general makes sense to improve the feature where necessary. One question. Are the issues identified above from the kube-rbac-proxy audit or from an audit of the current implementation in controller-runtime? I'm not sure if they all apply in CR, as we only implement a subset of the kube-rbac-features and we only use them specifically for the metrics endpoint (e.g. |
|
Hi @sbueringer, IHMO all seems to apply because the feedback here in my understand is mainly keep the things configurable for properly inform the certs. Regards the |
|
We don't even have a /healthz endpoint on the metrics server. But I get the point for metrics |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
hi @sbueringer Could we frozen this one? |
|
/lifecycle frozen |
k8s-ci-robot
added
the
lifecycle/frozen
Enhancement Proposal: Authentication and Authorization Filters
Context: Following the implementation introduced in PR #2407, several issues regarding configurability and robustness were identified.
Issues Identified
Configurability: Current settings such as cache TTL, timeouts, and anonymous access are hardcoded and cannot be adjusted.
Certificate Authentication: The implementation disrupts normal certificate authentication processes. See that it shows like to have the same security issue identified by auth-sig which is a breaking change in kube-rbac-proxy over
The ability to run kube-rbac-proxy without TLS certificates will be removed.shows be applied here. Users should provide their certificates and/or use solutions as cert-manager to manage them accordingly. It seems that is not a good practice to manage them. More info.Authorization Flexibility: Lack of support for
alwaysAllowconfigurations for critical paths like/healthzandalwaysAllowGroupslikesystem:masters.Network Resilience: Heavy dependency on stable connectivity to kube-apiserver can lead to metrics outages under network instability.
Proposed Changes
Enhance the filters by introducing configurations for previously hardcoded settings, and by allowing the injection of custom authorizers, similar to the approach in kube-rbac-proxy PR #43 and the see the PR: https://github.com/brancz/kube-rbac-proxy/pull/125/files
Impact
These changes would enhance the flexibility and reliability of the authentication and authorization processes in controller-runtime, aligning with the needs of robust Kubernetes deployments.
c/c @deads2k @sbueringer
The text was updated successfully, but these errors were encountered: