Skip to content

KEP-3331: update for beta in v1.30 #4461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 7, 2024
Merged

KEP-3331: update for beta in v1.30 #4461

merged 3 commits into from
Feb 7, 2024

Conversation

aramase
Copy link
Member

@aramase aramase commented Jan 31, 2024

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory labels Jan 31, 2024
@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jan 31, 2024
@aramase aramase changed the title KEP-3331: update for beta in v1.30 [WIP] KEP-3331: update for beta in v1.30 Jan 31, 2024
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Jan 31, 2024
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from a770bad to 6366dd0 Compare February 1, 2024 01:57
@aramase aramase changed the title [WIP] KEP-3331: update for beta in v1.30 KEP-3331: update for beta in v1.30 Feb 1, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 1, 2024
enj
enj reviewed Feb 1, 2024
View reviewed changes
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 2, 2024
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from 6366dd0 to 65d5f4e Compare February 5, 2024 08:56
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 5, 2024
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from 65d5f4e to 86bdeb8 Compare February 5, 2024 17:02
@aramase
Copy link
Member Author

aramase commented Feb 5, 2024

/uncc kikisdeliveryservice
/cc liggitt
/assign enj deads2k

@k8s-ci-robot k8s-ci-robot requested review from liggitt and removed request for kikisdeliveryservice February 5, 2024 17:44
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch 3 times, most recently from 5e0a514 to 85700d9 Compare February 6, 2024 00:06
@aramase aramase requested a review from enj February 6, 2024 00:07
@jpbetz jpbetz mentioned this pull request Feb 6, 2024
Open
51 tasks
jpbetz
jpbetz reviewed Feb 6, 2024
View reviewed changes
keps/sig-auth/3331-structured-authentication-configuration/README.md

[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
-->
No. There would be very minimal addition to the memory used by the API Server and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note the "Maybe" response to this question in #4456. Does the same logic apply here?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "Maybe" response in #4456 is for Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?. Are you referring to that response for this KEP?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My mistake, I was comparing answers between these KEPs because they have similar behavior, but got mis-aligned here.

@aramase
KEP-3331: update for beta in v1.30
151cfff 
Signed-off-by: Anish Ramasekar <[email protected]>
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from 85700d9 to 151cfff Compare February 6, 2024 04:01
aramase
aramase commented Feb 6, 2024
View reviewed changes
keps/sig-auth/3331-structured-authentication-configuration/README.md
Comment on lines -622 to -623
* Benchmarks are required to see how different CEL expressions affects authentication time.
* There will be a upper bound of 5s for the CEL expression evaluation.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been moved down to beta graduation criteria.

keps/sig-auth/3331-structured-authentication-configuration/README.md

[supported limits]: https://git.k8s.io/community//sig-scalability/configs-and-limits/thresholds.md
-->
No. There would be very minimal addition to the memory used by the API Server and
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "Maybe" response in #4456 is for Will enabling / using this feature result in increasing time taken by any operations covered by existing SLIs/SLOs?. Are you referring to that response for this KEP?

stlaz
stlaz suggested changes Feb 6, 2024
View reviewed changes
Copy link
Member

@stlaz stlaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe there are way too many TODOs: in the "Design details" section for this to be moved to beta. The enhancement feels unfinished.

If you don't have answers for these items, group them in an "Open questions" subsection and remove the TODOs: from the text.

@enj
Copy link
Member

enj commented Feb 6, 2024

I believe there are way too many TODOs: in the "Design details" section for this to be moved to beta. The enhancement feels unfinished.

If you don't have answers for these items, group them in an "Open questions" subsection and remove the TODOs: from the text.

While I agree that the TODOs can be organized in a better way, they are focused around pushing this feature to the limits of what is possible with the new config/CEL/reload/etc. Even if we never address those items, we would still make progress over what is possible today.

The actual community needs are:

  • Support multiple ClientIDs
  • Identify user by more JWT claims than just a single one
  • Allow any claim from an ID token to be mapped to user info extra attributes
  • Fail authentication unless user is a member of a specific set of groups
  • Required claims does not support arrays
  • Forward audiences to authorization via user info extra attributes

All of these are easily addressed by the KEP as-is, and the vast majority of code is shared with the existing OIDC flags with good integration test coverage.

aramase
aramase commented Feb 6, 2024
View reviewed changes
keps/sig-auth/3331-structured-authentication-configuration/README.md
@@ -454,7 +379,6 @@ type JWTAuthenticator struct {
// Claim must be a string or string array claim.
// Expression must produce a string or string array value.
// "", [], missing, and null values are treated as having no groups.
// TODO: investigate if you could make a single expression to construct groups from multiple claims. If not, maybe []PrefixedClaimOrExpression?
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have a unit test for this: https://github.com/kubernetes/kubernetes/blob/b693f09d544b17c82af4437bd93ea0b165e2622e/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc/oidc_test.go#L2268

@aramase
Copy link
Member Author

aramase commented Feb 6, 2024

/assign jpbetz

(for PRR)

enj
enj reviewed Feb 6, 2024
View reviewed changes
@aramase aramase requested a review from enj February 6, 2024 21:15
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from e0d1604 to ef7d879 Compare February 6, 2024 21:24
@aramase
review feedback
1e2e95b 
Signed-off-by: Anish Ramasekar <[email protected]>
@aramase aramase force-pushed the aramase/c/kep_3331_beta_update branch from ef7d879 to 1e2e95b Compare February 6, 2024 22:11
@jpbetz
Copy link
Contributor

jpbetz commented Feb 7, 2024

/approve
For PRR

@AnaMMedina21 AnaMMedina21 mentioned this pull request Feb 7, 2024
Closed
29 tasks
stlaz
stlaz reviewed Feb 7, 2024
View reviewed changes
keps/sig-auth/3331-structured-authentication-configuration/README.md
<<[UNRESOLVED open questions that don't clearly fit elsewhere ]>>
## Open Questions

The following questions are still open and need to be addressed or rejected or deferred before the KEP is marked as GA.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is much better, thank you 👍

@enj enj added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Feb 7, 2024
@enj
Copy link
Member

enj commented Feb 7, 2024

/lgtm
/approve

(Jordan is too busy to do a review pass, and IMO this is more than ready)

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, enj, jpbetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 7, 2024
@k8s-ci-robot k8s-ci-robot merged commit cd86e44 into kubernetes:master Feb 7, 2024
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 7, 2024
@aramase aramase deleted the aramase/c/kep_3331_beta_update branch February 7, 2024 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpbetz jpbetz jpbetz left review comments

@stlaz stlaz stlaz requested changes

@sgaist sgaist sgaist left review comments

@liggitt liggitt Awaiting requested review from liggitt

@enj enj Awaiting requested review from enj

Assignees

@jpbetz jpbetz

@enj enj

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
SIG Auth
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.
7 participants
@aramase @enj @jpbetz @k8s-ci-robot @stlaz @sgaist @deads2k