
Commit 8cac6ff

fixup! KEP-3221: update kep
Signed-off-by: Nabarun Pal <[email protected]>
1 parent 5d96814 commit 8cac6ff

1 file changed, +7 -9 lines changed
  • keps/sig-auth/3221-structured-authorization-configuration


keps/sig-auth/3221-structured-authorization-configuration/README.md

@@ -212,8 +212,12 @@ We would like to introduce a structured file format which allows authorization
212212
to be configured using a flag (`--authorization-config-file`) which accepts a
213213
path to a file on the disk. This feature can be enabled or disabled by the
214214
explicit feature flag `AuthorizationConfigFromFile`.
215+
215216
The proposed structure is illustrated below:
216217

218+
> The sample configuration describes all the fields, their defaults and possible
219+
values.
220+
217221
```yaml
218222
apiVersion: apiserver.config.k8s.io/v1alpha1
219223
kind: AuthorizationConfiguration
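Review bot: the sentence added at 218+/219+ ("The sample configuration describes all the fields, their defaults and possible values.") is rendered as a `>` blockquote, which elsewhere in this document is used for TODO callouts (see the `> TODO:` line removed further down in this same commit); a normative statement about the sample belongs in the body paragraph, e.g. "The sample configuration below documents every field, its default and its accepted values." Because the rest of this commit relies on the sample to carry field semantics, the YAML in the fence that starts at 217221 needs an inline comment for each field (default and allowed values) for that promise to hold, and the sentence should say so explicitly so readers know the sample is the reference.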
@@ -312,26 +316,20 @@ The keys `kubeConfigFile`, `authorizedTTL`, `unauthorizedTTL` and
312316
`--authorization-webhook-cache-unauthorized-ttl` and `--authorization-webhook-version`
313317
respectively.
314318

315-
The `failurePolicy` will be a required field which allow users to specify whether
316-
or not request is denied if the webhook errors out or is unreachable. This allows
317-
`SubjectAccessReviews` to be more definitive.
318-
319319
Today, the `SubjectAccessReview` version defaults to `v1beta1` if the corresponding
320320
flag is not supplied. While configuring authorization modes using the file config,
321321
the version supported by a webhook has to be mentioned using a required field
322322
`subjectAccessReviewVersion`.
323323

324-
The new structure introduces a configurable timeout (with appropriate defaults) that
325-
allows administrators to define a timeout for webhooks in case they are unreachable.
326-
327324
The code path for enabling the above will only be triggered if the feature flag will
328325
be enabled until the time the feature flag is removed and configuring authorizer
329326
through a file becomes GA.
330327

331328
The user can define a CEL expression to determine whether a request needs to dispatched
332-
to the authz webhook for which the expression has been defined.
329+
to the authz webhook for which the expression has been defined. The user would have access
330+
to a `request` variable containing a `SubjectAccessReview` object in the version specified
331+
by `subjectAccessReviewVersion`.
333332

334-
> TODO: More details on the implementation will be charted once the goals, non-goal and proposal is approved.
335333

336334
### Monitoring
337335
