Commit 3ab5ed8

Merge pull request #4905 from liggitt/4601-1.32
KEP-4601: PRR test updates
2 parents c60bb21 + 687f0e1 commit 3ab5ed8

1 file changed

+29
-0
lines changed
  • keps/sig-auth/4601-authorize-with-selectors

keps/sig-auth/4601-authorize-with-selectors/README.md

Lines changed: 29 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -411,6 +411,17 @@ k8s.io/apiserver/pkg/endpoints/request: 65.4% of statements
411411
k8s.io/apiserver/plugin/pkg/authorizer/webhook: 86.6% of statements
412412
```
413413

414+
Unit tests exercise node authorization, CEL compilation for authorization webhook and admission `matchConditions`,
415+
and CEL compilation for authorizer use with and without the feature enabled:
416+
417+
https://github.com/kubernetes/kubernetes/blob/0b1d123fd040359da11dc772947a7908ee907910/plugin/pkg/auth/authorizer/node/node_authorizer_test.go#L75-L81
418+
419+
https://github.com/kubernetes/kubernetes/blob/0b1d123fd040359da11dc772947a7908ee907910/staging/src/k8s.io/apiserver/pkg/authorization/cel/compile_test.go#L34
420+
421+
https://github.com/kubernetes/kubernetes/blob/0b1d123fd040359da11dc772947a7908ee907910/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_v1_test.go#L806
422+
423+
https://github.com/kubernetes/kubernetes/blob/0b1d123fd040359da11dc772947a7908ee907910/staging/src/k8s.io/apiserver/pkg/admission/plugin/cel/filter_test.go#L503-L620
424+
414425
##### Integration tests
415426

416427
<!--
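Review bot: The sentence at 414-415 names four kinds of coverage (node authorization, webhook `matchConditions`, admission `matchConditions`, and authorizer CEL compilation with and without the feature enabled), but the four links at 417-423 are bare URLs, so a PRR reviewer cannot tell which link is meant to back which claim, and the compile_test.go link is anchored at a single line (#L34) rather than at the test that covers the feature-disabled path. Suggest a one-line description per link, for example "compile_test.go: authorizer CEL compilation with the feature gate on and off", and a line range for that file like the ones used for node_authorizer_test.go and filter_test.go. Pinning all four to commit 0b1d123 is good for permanence; stating which release that SHA corresponds to would also help when the section is re-read at a later stage.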
@@ -500,6 +511,22 @@ enhancement:
500511
cluster required to make on upgrade, in order to make use of the enhancement?
501512
-->
502513

514+
On upgrade to a version that enables the feature, no configuration changes are required
515+
to maintain previous behavior of CEL expressions and authorization webhooks.
516+
All existing CEL expressions and authorization webhook responses behave identically.
517+
518+
On upgrade to a version that enables the feature, to make use of the new feature:
519+
* authorization webhooks can inspect incoming SubjectAccessReview requests for field and label selector information
520+
* authorization webhook configuration files can include `matchConditions` that inspect field and label selector information
521+
* admission webhook API `matchConditions` can use authorizer fieldSelector / labelSelector functions
522+
* SubjectAccessReview API requests can specify fieldSelector / labelSelector fields
523+
524+
On downgrade to a version that does not enable the feature by default, or if the feature is disabled:
525+
* field and label selector information will no longer be sent to authorization webhooks
526+
* authorization webhook configuration files can no longer include `matchConditions` that inspect field and label selector information
527+
* admission webhook API `matchConditions` use authorizer fieldSelector / labelSelector functions will not error, but will no-op
528+
* SubjectAccessReview API requests that specify fieldSelector / labelSelector fields will drop those fields
529+
503530
### Version Skew Strategy
504531

505532
#### New kube-apiserver, old webhook authorizer
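Review bot: The downgrade bullets at 527 and 528 describe the degraded behavior as "will no-op" and "will drop those fields" without saying what that means for the authorization decision, which is the part a PRR reviewer needs: an admission `matchCondition` whose authorizer `fieldSelector` / `labelSelector` call silently no-ops will presumably evaluate the authorizer check without the selector, and a SubjectAccessReview that drops those fields answers a broader question than the caller asked. Suggest stating explicitly in each bullet whether the resulting check is the un-narrowed (selector-less) check and therefore may return a different `allowed` value than it did with the feature enabled. Minor grammar at 527: "`matchConditions` use authorizer ... functions" should read "`matchConditions` that use authorizer ... functions".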
@@ -575,6 +602,8 @@ The kube-apiserver will send field and label selector information to authorizati
575602

576603
Yes. Integration tests exercise behavior of CEL expressions with the feature enabled and disabled.
577604

605+
https://github.com/kubernetes/kubernetes/tree/0b1d123fd040359da11dc772947a7908ee907910/test/integration/apiserver/cel/authorizerselector
606+
578607
### Rollout, Upgrade and Rollback Planning
579608

580609
<!--
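Review bot: The link at 605 points to the whole test/integration/apiserver/cel/authorizerselector directory, while the sentence at 576 it supports claims coverage "with the feature enabled and disabled"; naming the test function (or file) that runs with the gate disabled would let a reviewer verify that claim without browsing the tree. Pinning to the same commit 0b1d123 as the unit test links earlier in the patch is consistent, so no change needed there.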