Access Review APIs #37

Closed
7 of 22 tasks
deads2k opened this issue Jul 20, 2016 · 13 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
@deads2k
Contributor

deads2k commented Jul 20, 2016

Description

The API server should provide endpoints to allow access control checks and subject access checks without direct knowledge of the backing authorization engine. This allows delegation of authorization.

Progress Tracker

  • Before Alpha
    • Write and maintain draft quality doc
      • During development keep a doc up-to-date about the desired experience of the feature and how someone can try the feature in its current state. Think of it as the README of your new feature and a skeleton for the docs to be written before the Kubernetes release. Paste link to Google Doc: DOC-LINK
    • Design Approval
    • Write (code + tests + docs) then get them merged. ALL-PR-NUMBERS
      • Code needs to be disabled by default. Verified by code OWNERS
      • Minimal testing
      • Minimal docs
        • cc @kubernetes/docs on docs PR
        • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
        • New apis: Glossary Section Item in the docs repo: kubernetes/kubernetes.github.io
      • Update release notes
  • Before Beta
    • Testing is sufficient for beta
    • User docs with tutorials
      • Updated walkthrough / tutorial in the docs repo: kubernetes/kubernetes.github.io
      • cc @kubernetes/docs on docs PR
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Thorough API review
      • cc @kubernetes/api
  • Before Stable
    • docs/proposals/foo.md moved to docs/design/foo.md
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off
    • Soak, load testing
    • detailed user docs and examples
      • cc @kubernetes/docs
      • cc @kubernetes/feature-reviewers on this issue to get approval before checking this off

FEATURE_STATUS is used for feature tracking and to be updated by @kubernetes/feature-reviewers.
FEATURE_STATUS: IN_DEVELOPMENT

More advice:

Design

  • Once you get LGTM from a @kubernetes/feature-reviewers member, you can check this checkbox, and the reviewer will apply the "design-complete" label.

Coding

  • Use as many PRs as you need. Write tests in the same or different PRs, as is convenient for you.
  • As each PR is merged, add a comment to this issue referencing the PRs. Code goes in the http://github.com/kubernetes/kubernetes repository,
    and sometimes http://github.com/kubernetes/contrib, or other repos.
  • When you are done with the code, apply the "code-complete" label.
  • When the feature has user docs, please add a comment mentioning @kubernetes/feature-reviewers and they will
    check that the code matches the proposed feature and design, and that everything is done, and that there is adequate
    testing. They won't do detailed code review: that already happened when your PRs were reviewed.
    When that is done, you can check this box and the reviewer will apply the "code-complete" label.

Docs

  • Write user docs and get them merged in.
  • User docs go into http://github.com/kubernetes/kubernetes.github.io.
  • When the feature has user docs, please add a comment mentioning @kubernetes/docs.
  • When you get LGTM, you can check this checkbox, and the reviewer will apply the "docs-complete" label.
@deads2k
Contributor Author

deads2k commented Jul 20, 2016

@kubernetes/sig-auth @erictune @smarterclayton

We've talked about doing this for some time. The API objects were actually approved and merged, but we've had trouble getting review attention on the PRs that provide the REST endpoints.

I'd really like to focus on getting this in for 1.4. I think providing a complete authorization delegation API is important for things like server federation.

@erictune
Member

David and I are both SIG leads and we both approve of this initiative.


@idvoretskyi idvoretskyi added this to the v1.4 milestone Jul 21, 2016
@philips philips added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 27, 2016
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Aug 5, 2016
Automatic merge from submit-queue

add subjectaccessreviews resource

Adds a subjectaccessreviews endpoint that uses the API server's authorizer to determine if a subject is allowed to perform an action.

Part of kubernetes/enhancements#37
@deads2k
Contributor Author

deads2k commented Aug 23, 2016

kubernetes/kubernetes#31271 adds the SelfSubjectAccessReview API.

dims pushed a commit to dims/go2idl that referenced this issue Aug 29, 2016
@janetkuo
Member

janetkuo commented Sep 2, 2016

@deads2k Are the docs ready? Please update the docs in https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and check the docs box in the issue description

@jaredbhatti

Ping. Any update on docs?

@deads2k
Contributor Author

deads2k commented Sep 7, 2016

> Ping. Any update on docs?

Right now, it's API only, but swagger is complete. CLI integration should come in 1.5 and then there will be something more substantive to doc for end users.

@erictune
Member

erictune commented Sep 8, 2016

How about one sentence that says that the API exists, so that people know
to go look at the swagger? Nobody is going to study the swagger to find
new APIs.


@deads2k
Contributor Author

deads2k commented Sep 8, 2016

> How about one sentence that says that the API exists, so that people know
> to go look at the swagger? Nobody is going to study the swagger to find
> new APIs.

Fair. I'll find a spot tomorrow or early next week.

@jaredbhatti

@deads2k @erictune Another ping on docs. Any PRs you can point me to?

@deads2k
Contributor Author

deads2k commented Sep 13, 2016

> @deads2k @erictune Another ping on docs. Any PRs you can point me to?

I've written a brief description here: kubernetes/website#1219 . As we continue to fill out the API, it will become easier to use and have more capability.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 7, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
…kargs-day-1

Add enhancements proposal for kernel args day 1 support in the MCO
howardjohn pushed a commit to howardjohn/enhancements that referenced this issue Oct 21, 2022
…netes#37)

* Address comments regarding alpha for gateway topology features

* Add features.yaml