Commit 2da201d

Address review comments
Signed-off-by: Nabarun Pal <[email protected]>
1 parent dedb0c8 commit 2da201d

File tree

1 file changed

+9
-5
lines changed
  • keps/sig-auth/3221-structured-authorization-configuration

keps/sig-auth/3221-structured-authorization-configuration/README.md

@@ -88,8 +88,8 @@ is unreachable.
8888
- Define a configuration file format for configuring Kubernetes API Server
8989
Authorization chain.
9090
- Allow ordered definition of authorization modes.
91-
- Allow definition of multiple webhooks in the authorization chain while all
92-
other types of authorizers should only be specified once.
91+
- Allow definition of multiple webhooks in the authorization chain while all
92+
other types of authorizers should only be specified once.
9393
- Allow resource/user based pre-filtering of webhooks using CEL to prevent unnecessary
9494
invocations.
9595
- Enable user to define the policy when a webhook can't be reached due to
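Review bot: The goal at new lines 91-92, "all other types of authorizers should only be specified once", does not say what happens when a non-webhook mode is listed twice. The removed and added lines show no visible text difference, so this looks like a whitespace-only change; while the lines are being touched, consider making the goal normative, for example by stating that a configuration repeating a non-webhook authorizer is rejected at validation.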
@@ -354,7 +354,7 @@ authorizers:
354354
# - NoOpinion: continue to subsequent authorizers to see if one of
355355
# them allows the request
356356
# - Deny: reject the request without consulting subsequent authorizers
357-
# Default: NoOpinion
357+
# Required, with no default.
358358
failurePolicy: Deny
359359
connectionInfo:
360360
# Controls how the webhook should communicate with the server.
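Review bot: The new comment at line 357, "Required, with no default.", does not say what the API server does when `failurePolicy` is omitted. The two documented values differ in whether subsequent authorizers can still allow the request (`NoOpinion`) or the request is rejected outright (`Deny`), so it is worth stating explicitly that a webhook entry without `failurePolicy` fails configuration validation rather than falling back to the former `NoOpinion` default.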
@@ -446,8 +446,8 @@ Labels {along with possible values}:
446446

447447
**Note:** Some examples of <authorizer_name>: `RBAC`, `Node`, `ABAC`, `webhook{,_<name>}`.
448448
If there is only one webhook and no name specified, there would be no `_<name>` suffix.
449-
If the webhook has a named specified, even if there is only one webhook, then the name
450-
should be in the metrics and exposed via the metrics endpoint.
449+
If the webhook has a name specified, even if there is only one webhook, then the name
450+
would be in the metrics and exposed via the metrics endpoint.
451451

452452
2. `apiserver_authorization_webhook_evaluations_total`
453453

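Review bot: At new lines 449-450, changing "should be in the metrics" to "would be in the metrics" turns a requirement on the implementation into a prediction. For a label that dashboards and alerts will key on, a definite statement such as "the name is included in the label" is clearer. It would also help to spell out the resulting value for a single named webhook (`webhook_<name>`, following the pattern on line 447) so it cannot be read as plain `webhook`.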
@@ -756,6 +756,10 @@ the small impact will be measured and rationalized to keep the addition
756756
minimal. The addition would be well within the scalability limits and
757757
thresholds.
758758

759+
For use-cases where the CEL filters would pre-filter requests even before the need to
760+
be dispatched to a webhook, there would be a performance improvement due to lower
761+
number of network calls.
762+
759763
### Troubleshooting
760764

761765
<!--
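Review bot: The paragraph added at lines 759-761 asserts "a performance improvement due to lower number of network calls" without the measurement commitment that the preceding paragraph makes for the added cost ("the small impact will be measured and rationalized"). Suggest tying the claim to the same measurement and tightening the wording, for example: "When a CEL filter excludes a request, the webhook is not called, which saves a network round trip."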
