Commit d998b0e

fixup! KEP-3221: update kep
Signed-off-by: Nabarun Pal <[email protected]>
1 parent f425f4b commit d998b0e

1 file changed

+14
-2
lines changed
  • keps/sig-auth/3221-structured-authorization-configuration

keps/sig-auth/3221-structured-authorization-configuration/README.md

Lines changed: 14 additions & 2 deletions
@@ -124,7 +124,7 @@ authorizers:
124124
kubeConfigFile: /kube-system-authz-webhook.yaml
125125
matchConditions:
126126
- expression: |
127-
request.resourceAttributes.namespace == 'kube-system'
127+
has(request.resourceAttributes) && (request.resourceAttributes.namespace == 'kube-system')
128128
- expression: |
129129
!('system:serviceaccounts:kube-system' in request.user.groups)
130130
- type: Node
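Review bot: The new `has(request.resourceAttributes)` guard on line 127 deserves a sentence in the surrounding text, because the reason for it is not obvious from the sample alone: `request.resourceAttributes` is unset for non-resource requests, and dereferencing an absent field in CEL is an evaluation error rather than `false`. The KEP should also state how an evaluation error in a `matchConditions` expression is handled (skip this webhook, deny, or fail the request), since that decides whether an unguarded expression is merely noisy or a correctness problem. The unchanged second condition, `!('system:serviceaccounts:kube-system' in request.user.groups)`, has no equivalent presence check; if `groups` can be absent on a SubjectAccessReview it needs the same treatment, and if it cannot, say so.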
@@ -214,6 +214,15 @@ path to a file on the disk. Setting both `--authorization-config-file` and
214214
configuring an authorization webhook will not be allowed. If the user does that,
215215
there will be an error and API Server would exit right away.
216216

217+
The configuration would be validated at startup and the API server will fail to
218+
start if the configuration is invalid.
219+
220+
The API server will periodically reload the configuration. If it changes, the
221+
new configuration will be used for the Authorizer chain. If the new configuration
222+
is invalid, the last known valid configuration will be used. Logging and metrics
223+
would be used to signal success/failure of a config reload so that cluster admins
224+
can have observability over this process.
225+
217226
The proposed structure is illustrated below:
218227

219228
> The sample configuration describes all the fields, their defaults and possible
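Review bot: Lines 220 to 224 describe the reload behaviour but leave two things unspecified that operators will need: how the reload is triggered (polling interval or file-watch) and what happens when the file becomes unreadable or is removed, as opposed to present but invalid; "the last known valid configuration will be used" should say explicitly whether it covers that case too. Line 222 promises "logging and metrics" for reload success and failure, so this paragraph should name the metric that the same commit adds further down (`apiserver_authorization_step_configuration_reload_failure_count`) and state what is logged on a rejected reload (at least that the previous configuration remains active), so that a silently stale authorizer chain is detectable. Minor: lines 217 and 220 mix "would be" and "will", while the neighbouring text at 214 and 215 uses "will"; pick one.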
@@ -290,7 +299,7 @@ authorizers:
290299
# in the version specified by subjectAccessReviewVersion in the request variable.
291300
# Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
292301
- expression: |
293-
request.resourceAttributes.namespace == 'kube-system'
302+
has(request.resourceAttributes) && (request.resourceAttributes.namespace == 'kube-system')
294303
- expression: |
295304
!('system:serviceaccounts:kube-system' in request.user.groups)
296305
- type: Node
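Review bot: This is the same one-line change as in the first hunk (line 127 versus line 302), applied to a second copy of the same sample configuration in the same file. Two copies that must be edited in lockstep are an invitation to drift; consider keeping the full annotated sample only here (where the comment on line 301 links the CEL documentation) and having the earlier, shorter excerpt refer to it, or at least adding a comment on one copy pointing at the other.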
@@ -372,6 +381,9 @@ Labels {along with possible values}:
372381
- `code` {4xx, 5xx}
373382
- `decision` {Deny, NoOpinion}
374383

384+
5. `apiserver_authorization_step_configuration_reload_failure_count`
385+
386+
This metric would track the number of times the configuration has been reloaded.
375387

376388
### Test Plan
377389
