-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Remove RBAC UserAll #38981
Remove RBAC UserAll #38981
Conversation
41622ef
to
0d31f63
Compare
cc @kubernetes/sig-auth-misc |
A non-backward-compatible change? Was it previously deprecated? |
rbac is still in alpha, would like to cut a beta version in 1.6. If there's significant concern about the compatibility aspect from v1alpha1, we can convert a binding to User |
I feel like users have to be relatively advanced to understand the exactly when to use |
I don't think there's a clear "just do the right thing". Allowing both authenticated and unauthenticated users to read discovery docs seems ok. Allowing all authenticated to read certain API objects in some clusters could be ok. But I would want people to grant to the group they mean, not just hope the platform turns "*" into what they mean |
sgtm |
modified this to convert User * v1alpha1 role bindings to Group system:authenticated bindings and documented deprecation targeted for the v1beta1 release |
a052180
to
7637741
Compare
// User * in v1alpha1 will only match all authenticated users | ||
// This is only for compatibility with old RBAC bindings | ||
// Special treatment for * should not be included in v1beta1 | ||
if out.Kind == UserKind && out.Name == "*" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll bet this does good things with kubectl apply
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
happens in conversion, so no matter how many times it's submitted as User *, it'll always persist as Group system:authenticated. A little odd, but I think it works
lgtm |
After this we're ready for #38706, correct? |
yes |
@k8s-bot test this |
7637741
to
cc07cb6
Compare
… system:authenticated
cc07cb6
to
b8c2ad6
Compare
rebased |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue (batch tested with PRs 39408, 38981) |
User *
subjects toGroup system:authenticated
subjects for backwards compatibility