Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expose user info to admission controllers #8203

Merged
merged 1 commit into from
May 18, 2015
Merged

Expose user info to admission controllers #8203

merged 1 commit into from
May 18, 2015
+61 −48

Conversation

pweil-
Copy link
Contributor

@pweil- pweil- commented May 13, 2015

Expose the context to admission controllers via the Attributes record

Use case: For systems built on top of Kubernetes that have authorizers admission controllers have the ability to make decisions based on the user.Info object available from the context. https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/api/context.go#L100

@derekwaynecarr @smarterclayton @erictune @pmorie @liggitt @deads2k

@derekwaynecarr
Copy link
Member

I have no issue adding this, but I think we need to make careful usage of it.

I will refer to:
#3585

Your scenario is not fully captured in this PR, but it appears that at the moment, if an admission decision is tied to the user.Info, but is not able to be expressed via Policy, then the only choice right now is to use admission control.

Moving forward, I would like to know how we can log the necessary information to allow the same pattern to be supported as an initializer post Kube 1.0 that can run prior to scheduling. For example, if we had access to an audit log of who did what to what resource, could that be coupled to do the right thing in a latent initializer for the future scenario.

@smarterclayton
Copy link
Contributor

Yeah, or how can context be passed remotely. Can we not just add explicit user info to the admission context?

On May 13, 2015, at 5:23 PM, Derek Carr notifications@github.com wrote:

I have no issue adding this, but I think we need to make careful usage of it.

I will refer to:
#3585

Your scenario is not fully captured in this PR, but it appears that at the moment, if an admission decision is tied to the user.Info, but is not able to be expressed via Policy, then the only choice right now is to use admission control.

Moving forward, I would like to know how we can log the necessary information to allow the same pattern to be supported as an initializer post Kube 1.0 that can run prior to scheduling. For example, if we had access to an audit log of who did what to what resource, could that be coupled to do the right thing in a latent initializer for the future scenario.


Reply to this email directly or view it on GitHub.

@derekwaynecarr
Copy link
Member

Agree with Clayton, add what you explicitly need rather than full context so we know what on the context is actually used as we move scenario to some type of controller post 1.0

Sent from my iPhone

On May 13, 2015, at 9:06 PM, Clayton Coleman notifications@github.com wrote:

Yeah, or how can context be passed remotely. Can we not just add explicit user info to the admission context?

On May 13, 2015, at 5:23 PM, Derek Carr notifications@github.com wrote:

I have no issue adding this, but I think we need to make careful usage of it.

I will refer to:
#3585

Your scenario is not fully captured in this PR, but it appears that at the moment, if an admission decision is tied to the user.Info, but is not able to be expressed via Policy, then the only choice right now is to use admission control.

Moving forward, I would like to know how we can log the necessary information to allow the same pattern to be supported as an initializer post Kube 1.0 that can run prior to scheduling. For example, if we had access to an audit log of who did what to what resource, could that be coupled to do the right thing in a latent initializer for the future scenario.


Reply to this email directly or view it on GitHub.


Reply to this email directly or view it on GitHub.

@pweil-
Copy link
Contributor Author

pweil- commented May 14, 2015

Sure, will update to only pass UserInfo rather than the whole context.

@pweil- pweil- mentioned this pull request May 14, 2015
Closed
9 tasks
@pweil- pweil- force-pushed the expose-context-to-admission branch from 73c9050 to aaeb1da Compare May 14, 2015 01:36
@pweil- pweil- changed the title Expose context to admission controllers Expose user info to admission controllers May 14, 2015
@deads2k
Copy link
Contributor

deads2k commented May 15, 2015

I like this change and I need it in OpenShift to support securing access to service accounts.

@derekwaynecarr derekwaynecarr self-assigned this May 15, 2015
@derekwaynecarr
Copy link
Member

LGTM, will give the day before merging for any other comments.

@derekwaynecarr
Copy link
Member

Merging

derekwaynecarr added a commit that referenced this pull request May 18, 2015
@derekwaynecarr
Merge pull request #8203 from pweil-/expose-context-to-admission
eb12565 
Expose user info to admission controllers
@derekwaynecarr derekwaynecarr merged commit eb12565 into kubernetes:master May 18, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@derekwaynecarr derekwaynecarr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pweil- @derekwaynecarr @smarterclayton @deads2k @googlebot