Skip to content

Disallow k8s.io and kubernetes.io namespaced extra info in structured authentication configuration #126495

New issue
New issue
Closed
#126553
Closed
Disallow k8s.io and kubernetes.io namespaced extra info in structured authentication configuration#126495
#126553
Assignees
enjaramase
Labels
sig/authCategorizes an issue or PR as relevant to SIG Auth.triage/acceptedIndicates an issue or PR is ready to be actively worked on.
@aramase

Description

@aramase
aramase
opened on Jul 31, 2024

Disallow setting all k8s.io and kubernetes.io namespaced extra info in custom ways for now.

kubernetes/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go

Lines 342 to 346 in eb729d1

// Key should be namespaced to the authenticator or authenticator/authorizer pair making use of them.
// For instance: "example.org/foo" instead of "foo".
// xref: https://github.com/kubernetes/kubernetes/blob/3825e206cb162a7ad7431a5bdf6a065ae8422cf7/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go#L31-L41
// IsDomainPrefixedPath checks for non-empty key and that the key is prefixed with a domain name.
allErrs = append(allErrs, utilvalidation.IsDomainPrefixedPath(fldPath.Child("key"), mapping.Key)...)

/assign aramase enj
/sig auth

Activity

k8s-ci-robot
assigned
aramase
and
enj
on Jul 31, 2024
k8s-ci-robot
added
sig/authCategorizes an issue or PR as relevant to SIG Auth.
on Jul 31, 2024
github-project-automation
added this to SIG Authon Jul 31, 2024
github-project-automation
moved this to Needs Triage in SIG Authon Jul 31, 2024
k8s-ci-robot
added
needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.
on Jul 31, 2024
aramase

aramase commented on Jul 31, 2024

@aramase
aramase
on Jul 31, 2024
MemberAuthor

/triage accepted

k8s-ci-robot
added
triage/acceptedIndicates an issue or PR is ready to be actively worked on.
and removed
needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.
on Jul 31, 2024
aramase
moved this from Needs Triage to Backlog in SIG Authon Jul 31, 2024
aramase
changed the title Disallow `k8s.io` and `kubernetes.io` namespaced exta info in structured authentication configuration Disallow `k8s.io` and `kubernetes.io` namespaced extra info in structured authentication configuration on Aug 5, 2024
aramase
mentioned this on Aug 5, 2024
aramase
moved this from Backlog to In Review in SIG Authon Aug 5, 2024
k8s-ci-robot
closed this as completedin #126553on Aug 15, 2024
github-project-automation
moved this from In Review to Closed / Done in SIG Authon Aug 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

sig/authCategorizes an issue or PR as relevant to SIG Auth.triage/acceptedIndicates an issue or PR is ready to be actively worked on.

Type

No type

Projects

SIG Auth

  • Status

    Closed / Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    Disallow `k8s.io` and `kubernetes.io` namespaced extra info in structured authentication configuration · Issue #126495 · kubernetes/kubernetes