Skip to content

Issue-356: Drop unnecessary Authorizer#364

Open
ibihim wants to merge 4 commits intobrancz:sig-auth-acceptancefrom
ibihim:ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs
Open

Issue-356: Drop unnecessary Authorizer#364
ibihim wants to merge 4 commits intobrancz:sig-auth-acceptancefrom
ibihim:ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs

Conversation

@ibihim
Copy link
Collaborator

@ibihim ibihim commented Mar 13, 2025
edited
Loading

What

  • Remove non resource attributes generator.

Why

  • We might not need it. Normal requests already have the given form of only "path", "verb" and "user".
  • It might be more secure, as we don't mask other attributes.

Notes

@ibihim ibihim changed the title [wip] issue 356 drop or not to drop attrs issue 356 drop or not to drop attrs Mar 20, 2025
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 2 times, most recently from 0da710f to 640a6f0 Compare March 20, 2025 11:09
@ibihim
Copy link
Collaborator Author

ibihim commented Apr 4, 2025
edited
Loading

@ibihim add log output before change, to show an exemplary resource attribute for that case.

Make a (manual) test for what would happen, if you have a resource request.

@stlaz stlaz added the sig-auth-acceptance issues created during review for sig-auth-acceptance label Apr 8, 2025
@ibihim ibihim changed the title issue 356 drop or not to drop attrs Issue-356: Drop unnecessary Authorizer Apr 23, 2025
stlaz
stlaz requested changes Apr 29, 2025
View reviewed changes
cmd/kube-rbac-proxy/app/kube-rbac-proxy.go Outdated
Copy link
Collaborator

@stlaz stlaz Apr 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an odd change. Can you please write full unit test coverage of the original code (so a unit tests commit comes first) and then start moving authorizers around?

@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 5 times, most recently from 6e27005 to 075d874 Compare May 6, 2025 10:08
@stlaz stlaz mentioned this pull request Sep 23, 2025
Merged
@ibihim
app: mv authzer into its own file and add tests
a7e04c0
@ibihim
app: reorder authorizers
1b11aec
@ibihim
app,rewrite: remove non-resource attrs
c2b5a9f 
Masking the resource attributes value to "just" path, verb and user is
potentially suboptimal, as it ignores other fields that would be of
interest for a SAR request.
This use-case makes sense for regular HTTP request (non kubernetes
resource request), but those kind of requests, don't populate the other
fields in the resource attributes anyway.
Is theoretically a regression, which we should keep in mind.
@ibihim
app: add tests
7a64375
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch from 075d874 to 7a64375 Compare November 26, 2025 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stlaz stlaz stlaz requested changes

Assignees

No one assigned

Labels

sig-auth-acceptance issues created during review for sig-auth-acceptance

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ibihim @stlaz

Comments