rbac: add information on unauthenticated discovery roles #10212
@@ -452,6 +452,14 @@ Auto-reconciliation is enabled in Kubernetes version 1.6+ when the RBAC authoriz | |||
|
|||
### Discovery Roles | |||
|
|||
Discovery roles, by default, enable unauthenticated and authenticaed users to read API information that is deemed safe to be publicly accessible. To disable unauthenticated access via these roles add `--anonymous-auth=false` to the API sever configuration or edit the roles. |
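Review bot: the added paragraph at the end of this hunk has two typos ("authenticaed" should be "authenticated", "API sever" should be "API server") and misdescribes the mechanism in two places. First, it is the default bindings that authorize all users, and that includes anonymous requests unless the apiserver is started with `--anonymous-auth=false`; that flag disables unauthenticated access to the API entirely, not only to these roles, so the sentence should not present it as a per-role switch. Second, "or edit the roles" should be dropped: the default roles and bindings are auto-reconciled on the next apiserver start unless the object's `rbac.authorization.kubernetes.io/autoupdate` annotation is flipped to `false`, so an edit silently reverts. Suggest: "The default role bindings authorize unauthenticated and authenticated users to read API information that is deemed safe to be publicly accessible. To disable anonymous unauthenticated access, add `--anonymous-auth=false` to the API server configuration."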
Typos: authenticated, sever
Might be more accurate to say the default bindings authorize all users, and this includes anonymous requests unless the apiserver is started with --anonymous-auth=false (which disables unauthenticated access completely, not just to these roles)
Editing the role is not recommended (and will get re-updated automatically on next apiserver start unless you opt out by flipping the reconcile annotation to false). Disabling anonymous requests is more likely the right thing to recommend to someone who wants no access to unauthenticated users
Thanks for the fast review. Great points. PTAL and new updates.
One question on the links, lgtm
@@ -462,12 +472,12 @@ Auto-reconciliation is enabled in Kubernetes version 1.6+ when the RBAC authoriz | |||
<tr> | |||
<td><b>system:basic-user</b></td> | |||
<td><b>system:authenticated</b> and <b>system:unauthenticated</b> groups</td> | |||
<td>Allows a user read-only access to basic information about themselves.</td> | |||
<td>Allows a user read-only access to basic information about themselves. As of 1.12 that role is [implemented here](https://github.com/kubernetes/kubernetes/blob/c3062bae218928b3ec94fa9bde84ead528604c75/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L211).</td> |
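Review bot: the link added in the last `<td>` is a permalink pinned to a specific commit and to line 211 of `policy.go`, so it documents the 1.12 implementation only and will be stale as soon as the role changes; the "As of 1.12" qualifier is an admission of that. Since the reader's real question is "what does this role grant on my cluster", suggest replacing the source link with the live check, e.g. `kubectl get clusterrole system:basic-user -o yaml`, which stays accurate across versions, and keeping the cell text to "Allows a user read-only access to basic information about themselves."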
What's the purpose of referencing the implementation? Do we intend to keep that link updated?
It is a permalink to the implementation as of 1.12. I don't know how else to show people what "discovery endpoints" means besides this or copy/pasting the URLs.
With my "ops" hat on I need to make a call whether to flip the anonymous auth flag and before I do that I would like to know which APIs are exposed.
I guess we can just say run kubectl get clusterroles
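The two review points above, that editing a default role is undone by auto-reconciliation unless the reconcile annotation is set to false, and that the practical way to see which APIs are reachable without credentials is to inspect the cluster's own roles and bindings rather than a pinned source link, can be turned into a small audit. The following is an added example, not code from the Kubernetes project or from this PR. It assumes the JSON layout of `kubectl get clusterrolebindings,clusterroles -o json` (an assumed invocation; pass the saved output as the first argument) and otherwise runs over a constructed sample whose rule lists are abbreviated illustrations, not the authoritative bootstrap policy.

```python
"""Audit which ClusterRoles the default RBAC bindings expose to unauthenticated
requests, and whether the apiserver would restore those objects if edited."""
import json
import sys

UNAUTH_GROUP = "system:unauthenticated"
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"


def _binding(name, groups, role, autoupdate="true"):
    # Constructed ClusterRoleBinding granting `role` to the given groups.
    return {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name, "annotations": {AUTOUPDATE: autoupdate}},
        "subjects": [{"kind": "Group", "name": g} for g in groups],
        "roleRef": {"kind": "ClusterRole", "name": role},
    }


def _role(name, rules, autoupdate="true"):
    # Constructed ClusterRole with the given rules.
    return {
        "kind": "ClusterRole",
        "metadata": {"name": name, "annotations": {AUTOUPDATE: autoupdate}},
        "rules": rules,
    }


# Constructed sample standing in for real kubectl output; rule lists are
# abbreviated, read the real ones from a live cluster.
SAMPLE = {"kind": "List", "items": [
    _binding("system:basic-user", ["system:authenticated", UNAUTH_GROUP], "system:basic-user"),
    _binding("system:discovery", ["system:authenticated", UNAUTH_GROUP], "system:discovery"),
    _binding("cluster-admin", ["system:masters"], "cluster-admin"),
    _role("system:basic-user", [{"apiGroups": ["authorization.k8s.io"],
                                 "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
                                 "verbs": ["create"]}]),
    # autoupdate="false": an operator has opted this role out of reconciliation.
    _role("system:discovery", [{"nonResourceURLs": ["/api", "/api/*", "/apis", "/apis/*", "/version"],
                                "verbs": ["get"]}], autoupdate="false"),
    _role("cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
]}


def unauthenticated_bindings(items):
    """ClusterRoleBindings whose subjects include the system:unauthenticated group."""
    return [
        obj for obj in items
        if obj.get("kind") == "ClusterRoleBinding"
        and any(s.get("kind") == "Group" and s.get("name") == UNAUTH_GROUP
                for s in obj.get("subjects") or [])
    ]


def reconciled(obj):
    """True when auto-reconciliation will re-apply this default object on the next
    apiserver start; the opt-out is the autoupdate annotation set to "false".
    Only the default roles and bindings the apiserver bootstraps are reconciled."""
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return annotations.get(AUTOUPDATE, "true") != "false"


def exposed_roles(items):
    """Map role name -> rules and reconciliation status for every ClusterRole an
    unauthenticated request can exercise through a binding in `items`."""
    roles = {o["metadata"]["name"]: o for o in items if o.get("kind") == "ClusterRole"}
    exposed = {}
    for binding in unauthenticated_bindings(items):
        ref = binding.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole":
            continue
        role = roles.get(ref["name"])
        exposed[ref["name"]] = {
            "rules": (role.get("rules") or []) if role else [],
            "binding_reconciled": reconciled(binding),
            "role_reconciled": reconciled(role) if role else None,
        }
    return exposed


def report(items):
    """One line per exposed role, then one indented line per rule it grants."""
    lines = []
    for name, info in sorted(exposed_roles(items).items()):
        lines.append(f"{name}: binding reconciled={info['binding_reconciled']}, "
                     f"role reconciled={info['role_reconciled']}")
        for rule in info["rules"]:
            targets = rule.get("nonResourceURLs") or [
                f"{group or 'core'}/{res}"
                for group in rule.get("apiGroups") or [""]
                for res in rule.get("resources") or []
            ]
            lines.append(f"  {','.join(rule.get('verbs') or [])} on {', '.join(targets)}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    print("\n".join(report(data["items"])) or "nothing is bound to system:unauthenticated")
```

On the sample this lists `system:basic-user` and `system:discovery` with their rules, and flags that the edited `system:discovery` role would not be reconciled while its binding still would be. The `cluster-admin` binding is ignored because its only subject is `system:masters`; only bindings that name the `system:unauthenticated` group count as reachable without credentials.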
removed links
the kubectl command seems more evergreen. I don't feel that strongly, but immediately stale links raise an eyebrow
The Product Security Team got a report about these unauthenticated discovery roles. The reporter was surprised about getting 200 requests when unauthenticated. And given the light documentation on the intention of these roles it is justifiable. Increase documentation on these roles.
/lgtm
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: tengqm. The full list of commands accepted by this bot can be found here. The pull request process is described here.
The Product Security Team got a report about these unauthenticated
discovery roles. The reporter was surprised about getting 200 requests
when unauthenticated. And given the light documentation on the intention
of these roles it is justifiable.
Increase documentation on these roles.