New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update delegated authorization options default to eliminate unnecessary SARs #98325
Update delegated authorization options default to eliminate unnecessary SARs #98325
Conversation
/hold don't want to merge until there has been a good amount of time for comment. |
@@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions { | |||
DenyCacheTTL: 10 * time.Second, | |||
ClientTimeout: 10 * time.Second, | |||
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(), | |||
// This allows the kubelet to always get health and readiness without causing an authorization check. | |||
// This field can be cleared by callers if they don't want this behavior. | |||
AlwaysAllowPaths: []string{"/healthz", "readyz", "/livez"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should at least require membership in the authenticated group for something like this. Does it? How?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Assuming you have anonymous auth enabled on your cluster, we already allow this for unauthenticated users:
kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
Lines 228 to 236 in 7b3f0cd
{ | |
// a role which provides just enough power read insensitive cluster information | |
ObjectMeta: metav1.ObjectMeta{Name: "system:public-info-viewer"}, | |
Rules: []rbacv1.PolicyRule{ | |
rbacv1helpers.NewRule("get").URLs( | |
"/livez", "/readyz", "/healthz", "/version", "/version/", | |
).RuleOrDie(), | |
}, | |
}, |
rbacv1helpers.NewClusterBinding("system:public-info-viewer").Groups(user.AllAuthenticated, user.AllUnauthenticated).BindingOrDie(), |
This change just makes it so that the SAR checks are skipped.
uh I like the specific optimization, but I'm kinda terrified in general of optimizing away authz checks. Like will this change how calls show up in the audit log? |
LGTM and matches my personal experience. I have done the following before to make node health checks against aggregated API servers less wasteful: authorizationOptions := genericapiserveroptions.NewDelegatingAuthorizationOptions().
WithAlwaysAllowPaths("/healthz").
WithAlwaysAllowGroups(user.SystemPrivilegedGroup) |
@@ -78,6 +78,14 @@ func NewDelegatingAuthorizationOptions() *DelegatingAuthorizationOptions { | |||
DenyCacheTTL: 10 * time.Second, | |||
ClientTimeout: 10 * time.Second, | |||
WebhookRetryBackoff: DefaultAuthWebhookRetryBackoff(), | |||
// This allows the kubelet to always get health and readiness without causing an authorization check. | |||
// This field can be cleared by callers if they don't want this behavior. | |||
AlwaysAllowPaths: []string{"/healthz", "readyz", "/livez"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/readyz
(missing leading slash)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/readyz
(missing leading slash)
updated
The audit log will show a different authorizer as allowing the connection instead of RBAC (this is built in a layered way). The authentication pieces in the audit log will match exactly. |
SARs healthz, readyz, and livez are canonical names for checks that the kubelet does. By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks. system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access. Callers can adjust the defaults if they have a reason to require checks.
c46e32a
to
cebce29
Compare
OK LGTM then. Will let someone from SIG auth do the official LGTM. |
Failing test on
Do we want to update |
pushing update to use the defaults now. |
/triage accepted |
/hold cancel I think we closed on this and are ok moving forward with this one. |
/lgtm |
/lgtm |
/approve |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheftako, damemi, deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
healthz, readyz, and livez are canonical names for checks that the kubelet does. By default, allow access to them in the options. Callers can adjust the defaults if they have a reason to require checks.
system:masters has full power, so the authorization check is unnecessary and just uses an extra call for in-cluster access. Callers can adjust the defaults if they have a reason to require checks.
This directly impacts kube-controller-manager, kube-scheduler, and cloud-controller-manager in tree. I think these values are reasonable, but am happy to hear from @kubernetes/sig-auth-pr-reviews on the subject. And I'm willing to wire a configuration option if we think cluster-admins should be able to twiddle these knobs.
/kind cleanup
/priority important-soon
@kubernetes/sig-auth-pr-reviews @kubernetes/sig-api-machinery-pr-reviews