KEP-3221: Promote StructuredAuthorizationConfiguration to GA

Author: liggitt

pkg/features/versioned_kube_features.go

@@ -308,6 +308,7 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 	genericfeatures.StructuredAuthorizationConfiguration: {
 		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
+		{Version: version.MustParse("1.32"), Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	},
 
 	genericfeatures.UnauthenticatedHTTP2DOSMitigation: {

staging/src/k8s.io/apiserver/pkg/apis/apiserver/load/load_test.go

@@ -265,6 +265,45 @@ apiVersion: apiserver.config.k8s.io/v1beta1
 kind: AuthorizationConfiguration
 authorizers:
 - type: Webhook
+`),
+			expectConfig: &api.AuthorizationConfiguration{
+				Authorizers: []api.AuthorizerConfiguration{{Type: "Webhook"}},
+			},
+		},
+		{
+			name: "v1 - json",
+			data: []byte(`{
+"apiVersion":"apiserver.config.k8s.io/v1",
+"kind":"AuthorizationConfiguration",
+"authorizers":[{"type":"Webhook"}]}`),
+			expectConfig: &api.AuthorizationConfiguration{
+				Authorizers: []api.AuthorizerConfiguration{{Type: "Webhook"}},
+			},
+		},
+		{
+			name: "v1 - defaults",
+			data: []byte(`{
+"apiVersion":"apiserver.config.k8s.io/v1",
+"kind":"AuthorizationConfiguration",
+"authorizers":[{"type":"Webhook","name":"default","webhook":{}}]}`),
+			expectConfig: &api.AuthorizationConfiguration{
+				Authorizers: []api.AuthorizerConfiguration{{
+					Type: "Webhook",
+					Name: "default",
+					Webhook: &api.WebhookConfiguration{
+						AuthorizedTTL:   metav1.Duration{Duration: 5 * time.Minute},
+						UnauthorizedTTL: metav1.Duration{Duration: 30 * time.Second},
+					},
+				}},
+			},
+		},
+		{
+			name: "v1 - yaml",
+			data: []byte(`
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+- type: Webhook
 `),
 			expectConfig: &api.AuthorizationConfiguration{
 				Authorizers: []api.AuthorizerConfiguration{{Type: "Webhook"}},

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/defaults.go

@@ -48,3 +48,12 @@ func SetDefaults_KMSConfiguration(obj *KMSConfiguration) {
 		obj.CacheSize = &defaultCacheSize
 	}
 }
+
+func SetDefaults_WebhookConfiguration(obj *WebhookConfiguration) {
+	if obj.AuthorizedTTL.Duration == 0 {
+		obj.AuthorizedTTL.Duration = 5 * time.Minute
+	}
+	if obj.UnauthorizedTTL.Duration == 0 {
+		obj.UnauthorizedTTL.Duration = 30 * time.Second
+	}
+}

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/register.go

@@ -47,6 +47,7 @@ func init() {
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&AdmissionConfiguration{},
+		&AuthorizationConfiguration{},
 		&EncryptionConfiguration{},
 	)
 	// also register into the v1 group as EncryptionConfig (due to a docs bug)

staging/src/k8s.io/apiserver/pkg/apis/apiserver/v1/types.go

@@ -48,3 +48,122 @@ type AdmissionPluginConfiguration struct {
 	// +optional
 	Configuration *runtime.Unknown `json:"configuration"`
 }
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type AuthorizationConfiguration struct {
+	metav1.TypeMeta
+
+	// Authorizers is an ordered list of authorizers to
+	// authorize requests against.
+	// This is similar to the --authorization-modes kube-apiserver flag
+	// Must be at least one.
+	Authorizers []AuthorizerConfiguration `json:"authorizers"`
+}
+
+const (
+	TypeWebhook                                          AuthorizerType = "Webhook"
+	FailurePolicyNoOpinion                               string         = "NoOpinion"
+	FailurePolicyDeny                                    string         = "Deny"
+	AuthorizationWebhookConnectionInfoTypeKubeConfigFile string         = "KubeConfigFile"
+	AuthorizationWebhookConnectionInfoTypeInCluster      string         = "InClusterConfig"
+)
+
+type AuthorizerType string
+
+type AuthorizerConfiguration struct {
+	// Type refers to the type of the authorizer
+	// "Webhook" is supported in the generic API server
+	// Other API servers may support additional authorizer
+	// types like Node, RBAC, ABAC, etc.
+	Type string `json:"type"`
+
+	// Name used to describe the webhook
+	// This is explicitly used in monitoring machinery for metrics
+	// Note: Names must be DNS1123 labels like `myauthorizername` or
+	//		 subdomains like `myauthorizer.example.domain`
+	// Required, with no default
+	Name string `json:"name"`
+
+	// Webhook defines the configuration for a Webhook authorizer
+	// Must be defined when Type=Webhook
+	// Must not be defined when Type!=Webhook
+	Webhook *WebhookConfiguration `json:"webhook,omitempty"`
+}
+
+type WebhookConfiguration struct {
+	// The duration to cache 'authorized' responses from the webhook
+	// authorizer.
+	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
+	// Default: 5m0s
+	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
+	// The duration to cache 'unauthorized' responses from the webhook
+	// authorizer.
+	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
+	// Default: 30s
+	UnauthorizedTTL metav1.Duration `json:"unauthorizedTTL"`
+	// Timeout for the webhook request
+	// Maximum allowed value is 30s.
+	// Required, no default value.
+	Timeout metav1.Duration `json:"timeout"`
+	// The API version of the authorization.k8s.io SubjectAccessReview to
+	// send to and expect from the webhook.
+	// Same as setting `--authorization-webhook-version` flag
+	// Valid values: v1beta1, v1
+	// Required, no default value
+	SubjectAccessReviewVersion string `json:"subjectAccessReviewVersion"`
+	// MatchConditionSubjectAccessReviewVersion specifies the SubjectAccessReview
+	// version the CEL expressions are evaluated against
+	// Valid values: v1
+	// Required, no default value
+	MatchConditionSubjectAccessReviewVersion string `json:"matchConditionSubjectAccessReviewVersion"`
+	// Controls the authorization decision when a webhook request fails to
+	// complete or returns a malformed response or errors evaluating
+	// matchConditions.
+	// Valid values:
+	//   - NoOpinion: continue to subsequent authorizers to see if one of
+	//     them allows the request
+	//   - Deny: reject the request without consulting subsequent authorizers
+	// Required, with no default.
+	FailurePolicy string `json:"failurePolicy"`
+
+	// ConnectionInfo defines how we talk to the webhook
+	ConnectionInfo WebhookConnectionInfo `json:"connectionInfo"`
+
+	// matchConditions is a list of conditions that must be met for a request to be sent to this
+	// webhook. An empty list of matchConditions matches all requests.
+	// There are a maximum of 64 match conditions allowed.
+	//
+	// The exact matching logic is (in order):
+	//   1. If at least one matchCondition evaluates to FALSE, then the webhook is skipped.
+	//   2. If ALL matchConditions evaluate to TRUE, then the webhook is called.
+	//   3. If at least one matchCondition evaluates to an error (but none are FALSE):
+	//      - If failurePolicy=Deny, then the webhook rejects the request
+	//      - If failurePolicy=NoOpinion, then the error is ignored and the webhook is skipped
+	MatchConditions []WebhookMatchCondition `json:"matchConditions"`
+}
+
+type WebhookConnectionInfo struct {
+	// Controls how the webhook should communicate with the server.
+	// Valid values:
+	// - KubeConfigFile: use the file specified in kubeConfigFile to locate the
+	//   server.
+	// - InClusterConfig: use the in-cluster configuration to call the
+	//   SubjectAccessReview API hosted by kube-apiserver. This mode is not
+	//   allowed for kube-apiserver.
+	Type string `json:"type"`
+
+	// Path to KubeConfigFile for connection info
+	// Required, if connectionInfo.Type is KubeConfig
+	KubeConfigFile *string `json:"kubeConfigFile"`
+}
+
+type WebhookMatchCondition struct {
+	// expression represents the expression which will be evaluated by CEL. Must evaluate to bool.
+	// CEL expressions have access to the contents of the SubjectAccessReview in v1 version.
+	// If version specified by subjectAccessReviewVersion in the request variable is v1beta1,
+	// the contents would be converted to the v1 version before evaluating the CEL expression.
+	//
+	// Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/
+	Expression string `json:"expression"`
+}