kube-rbac-proxy

(41) Is a massive mutation of the `authorizer.Attributes` intended? Why?

Open ibihim opened this issue 10 months ago • 1 comments

What

Why do we, by default, only care about those Resource Attributes:

  • User
  • Verb
  • Path

And ignore:

  • Namespace
  • APIGroup
  • APIVersion
  • Resource
  • SubResource
  • Name

Why

Most probably, we assume that there must be a specific authorization to the path we are protecting with kube-rbac-proxy. That is: is the User allowed to Verb at Path?

But it is worth investigating the behavior of the SAR request created in such a situation if not trimmed, and comparing the results.

Notes

ibihim, Jan 27 '25 12:01

It is intended, but not necessary as the attributes for a path request only fill User, Verb and Path. If we nil all the other values, we could create a loophole? Maybe? Passing all values makes more sense, but could be a breaking change.

ibihim, Mar 13 '25 10:03
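
An added example, not part of the issue thread and not kube-rbac-proxy's own code: a stdlib-only Go model of how the upstream Kubernetes webhook authorizer picks `nonResourceAttributes` or `resourceAttributes` when it builds a SubjectAccessReview spec, which shows what reaches the API server for a path request even when the other fields are set. `Attrs`, `BuildSpec` and the sample values are assumptions made for illustration; the JSON field names follow `authorization.k8s.io/v1`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attrs is a hypothetical stand-in for authorizer.Attributes (assumption).
type Attrs struct {
	User, Verb, Path, Namespace, APIGroup, APIVersion, Resource, Subresource, Name string
	ResourceRequest                                                                bool // false means a path (non-resource) request
}
// JSON field names follow authorization.k8s.io/v1 SubjectAccessReviewSpec.
type resourceAttrs struct {
	Namespace   string `json:"namespace,omitempty"`
	Verb        string `json:"verb,omitempty"`
	Group       string `json:"group,omitempty"`
	Version     string `json:"version,omitempty"`
	Resource    string `json:"resource,omitempty"`
	Subresource string `json:"subresource,omitempty"`
	Name        string `json:"name,omitempty"`
}
type nonResourceAttrs struct {
	Path string `json:"path,omitempty"`
	Verb string `json:"verb,omitempty"`
}
type sarSpec struct {
	ResourceAttributes    *resourceAttrs    `json:"resourceAttributes,omitempty"`
	NonResourceAttributes *nonResourceAttrs `json:"nonResourceAttributes,omitempty"`
	User                  string            `json:"user,omitempty"`
}

// BuildSpec models the upstream branch: a path request carries only Path and Verb next to User.
func BuildSpec(a Attrs) string {
	s := sarSpec{User: a.User}
	if a.ResourceRequest {
		s.ResourceAttributes = &resourceAttrs{Namespace: a.Namespace, Verb: a.Verb, Group: a.APIGroup, Version: a.APIVersion, Resource: a.Resource, Subresource: a.Subresource, Name: a.Name}
	} else {
		s.NonResourceAttributes = &nonResourceAttrs{Path: a.Path, Verb: a.Verb}
	}
	b, _ := json.Marshal(s)
	return string(b)
}

func main() {
	a := Attrs{User: "system:serviceaccount:monitoring:prometheus", Verb: "get", Path: "/metrics", Namespace: "monitoring", Resource: "pods"} // constructed sample
	fmt.Println(BuildSpec(a)) // path request: Namespace and Resource never reach the SAR
	a.ResourceRequest = true
	fmt.Println(BuildSpec(a)) // resource request: Path is dropped instead
}
```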