
Only allow anonymous auth for configured endpoints.

Open vinayakankugoyal opened this issue 1 year ago • 41 comments

Enhancement Description

Allow users to specify which endpoints are allowed for anonymous requests. This allows the admin to only allow access to health endpoints like healthz, livez and readyz anonymously while making sure other cluster endpoints or resources cannot be accessed anonymously even if a user misconfigures RBAC.

  • One-line enhancement description (can be used as a release note): Only allow anonymous auth for health endpoints.

  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4633-anonymous-auth-configurable-endpoints/README.md

  • Discussion Link: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#bookmark=id.ehlt47tezzsk

  • Primary contact (assignee): @vinayakankugoyal

  • Responsible SIGs: sig-auth

  • Enhancement target (which target equals to which milestone):

    • Alpha release target (x.y): 1.31
    • Beta release target (x.y): 1.32
    • Stable release target (x.y): 1.34
  • [x] Alpha

    • [x] KEP (k/enhancements) update PR(s):
      • [x] https://github.com/kubernetes/enhancements/pull/4634
    • [x] Code (k/k) update PR(s):
      • [x] https://github.com/kubernetes/kubernetes/pull/124917
      • [x] https://github.com/kubernetes/kubernetes/pull/125986
      • [x] https://github.com/kubernetes/kubernetes/pull/125967
    • [x] Docs (k/website) update PR(s):
      • [x] https://github.com/kubernetes/website/pull/46988
  • [x] Beta

    • [x] KEP (k/enhancements) update PR(s):
      • [x] https://github.com/kubernetes/enhancements/pull/4798
    • [x] Code (k/k) update PR(s):
      • [x] https://github.com/kubernetes/kubernetes/pull/127009
    • [x] Docs (k/website) update(s):
      • [x] https://github.com/kubernetes/website/pull/47787
  • [ ] Stable

    • [x] KEP (k/enhancements) update PR(s):
      • [x] https://github.com/kubernetes/enhancements/pull/5279
    • [x] Code (k/k) update PR(s):
      • [x] https://github.com/kubernetes/kubernetes/pull/131654
    • [ ] Docs (k/website) update(s):
      • [ ] https://github.com/kubernetes/website/pull/50838

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

vinayakankugoyal avatar May 13 '24 21:05 vinayakankugoyal
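The restriction requested in the description above, written as a kube-apiserver authentication configuration next to the kind of RBAC mistake it is meant to contain. This is an added example, not part of the original issue; the file path and the binding name are placeholders, and the `v1beta1` API version is an assumption about the release in use.

```yaml
# Added example. File passed to kube-apiserver with --authentication-config
# (placeholder path: /etc/kubernetes/authn-config.yaml).
#
# Without this section, the --anonymous-auth flag (default: true) accepts
# anonymous requests on every path, and RBAC alone decides what they reach.
# With it, only the listed paths are served to system:anonymous; an
# unauthenticated request to any other path fails authentication (401)
# before RBAC is consulted.
#
# Do not set --anonymous-auth together with the "anonymous" field below;
# the API server treats the two as mutually exclusive.
apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
anonymous:
  enabled: true
  conditions:
  - path: /healthz
  - path: /livez
  - path: /readyz
---
# Constructed example of the misconfiguration this guards against: a binding
# that hands a broad role to unauthenticated callers. With the configuration
# above, anonymous requests to /api/... never authenticate, so this binding
# no longer grants them anything. It should still be found and removed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-overbroad-anonymous-binding   # placeholder name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
```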

/sig auth

vinayakankugoyal avatar May 13 '24 23:05 vinayakankugoyal

/cc @liggitt @destijl

vinayakankugoyal avatar May 13 '24 23:05 vinayakankugoyal

/milestone v1.31

vinayakankugoyal avatar May 14 '24 00:05 vinayakankugoyal

@vinayakankugoyal: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.31

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar May 14 '24 00:05 k8s-ci-robot

/milestone v1.31 /label lead-opted-in

liggitt avatar May 15 '24 15:05 liggitt

PRR Approver

/assign @jpbetz

vinayakankugoyal avatar May 16 '24 20:05 vinayakankugoyal

/retitle Only allow anonymous auth for health endpoints

sftim avatar May 24 '24 08:05 sftim

Hello @vinayakankugoyal 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th June 2024 / 19:00 PDT Thursday 13th June 2024.

This enhancement is targeting stage alpha for v1.31 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [ ] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [ ] KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
  • [x] KEP readme has up-to-date graduation criteria
  • [ ] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline of Thursday 6th June 2024 so that the PRR team has enough time to review your KEP.

For this KEP, it looks like we still need to do the following:

  • [ ] Merge https://github.com/kubernetes/enhancements/pull/4634 before the enhancement freeze date and update KEP status to implementable, looks like we need review from one more approver.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

prianna avatar Jun 04 '24 21:06 prianna

Hi @prianna - thanks a lot for the heads up. We were granted the PRR approval https://github.com/kubernetes/enhancements/pull/4634#issuecomment-2153530157 and the reviewers have agreed that we can set the status to implementable. I am expecting this to be merged this week.

vinayakankugoyal avatar Jun 06 '24 23:06 vinayakankugoyal

@prianna - The KEP was merged as implementable in milestone 1.31 with a PRR approval. Are we all good on the KEP freeze front?

vinayakankugoyal avatar Jun 07 '24 19:06 vinayakankugoyal

Hello @jpbetz @liggitt @vinayakankugoyal 👋, 1.31 Docs Shadow here. Does this enhancement work planned for 1.31 require any new docs or modifications to existing docs? If so, please follow the steps here to open a PR against the dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, June 27, 2024, 18:00 PDT. Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release. Thank you!

MaryamTavakkoli avatar Jun 10 '24 12:06 MaryamTavakkoli

Hey folks, with the merge of https://github.com/kubernetes/enhancements/pull/4634, here's where this KEP currently stands:

  • [x] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [x] KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
  • [x] KEP readme has up-to-date graduation criteria
  • [X] KEP has submitted a production readiness review request for approval and has a reviewer assigned.
  • [X] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀 The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

prianna avatar Jun 12 '24 15:06 prianna

Hi @jpbetz @liggitt @vinayakankugoyal 👋 from the v1.31 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement! Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and is graduating.

To opt in, let us know and open a Feature Blog placeholder PR against the website repository by 3rd July, 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

a-mccarthy avatar Jun 18 '24 02:06 a-mccarthy

Hello @jpbetz @liggitt @vinayakankugoyal 👋, 1.31 Docs Shadow here. Does this enhancement work planned for 1.31 require any new docs or modifications to existing docs? If so, please follow the steps here to open a PR against the dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, June 27, 2024, 18:00 PDT. Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release. Thank you!

Hi @jpbetz @liggitt @vinayakankugoyal, gentle reminder to raise a draft doc PR before the Placeholder PR deadline, scheduled for June 27, 2024.

Princesso avatar Jun 23 '24 16:06 Princesso

Hi @jpbetz @liggitt @vinayakankugoyal, This is a friendly reminder that the deadline for the draft Doc PR is tomorrow, Thursday, June 27, 2024, 18:00 PDT.

MaryamTavakkoli avatar Jun 26 '24 18:06 MaryamTavakkoli

@MaryamTavakkoli - thanks opened a draft PR here: https://github.com/kubernetes/website/pull/46988

vinayakankugoyal avatar Jun 26 '24 21:06 vinayakankugoyal

Hello @vinayakankugoyal @jpbetz @liggitt, friendly reminder about the upcoming blog opt-in and placeholder deadline on July 3rd. Please open a blog placeholder PR if you are interested in contributing a blog.

a-mccarthy avatar Jun 27 '24 16:06 a-mccarthy

Hey again @vinayakankugoyal 👋 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

  • [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [ ] All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze:

  • https://github.com/kubernetes/kubernetes/pull/125967

If you anticipate missing code freeze, you can file an exception request in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

prianna avatar Jul 09 '24 03:07 prianna

Thanks @prianna! https://github.com/kubernetes/kubernetes/pull/125967 is the only remaining action item for this KEP. I am just waiting for someone from sig-auth to Approve.

Other than that the docs PR https://github.com/kubernetes/website/pull/46988 is also waiting for review and approval.

vinayakankugoyal avatar Jul 10 '24 17:07 vinayakankugoyal

Looks like this was merged. With the merge of https://github.com/kubernetes/kubernetes/pull/125967 as per the issue, this enhancement is now marked as tracked for code freeze for the 1.31 Code Freeze!

prianna avatar Jul 17 '24 16:07 prianna

opting in for beta for 1.32

liggitt avatar Aug 20 '24 12:08 liggitt

Hello @vinayakankugoyal 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage beta for v.132 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [X] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [X] KEP status is marked as implementable for latest-milestone: 1.32. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
  • [X] KEP readme has up-to-date graduation criteria.
  • [X] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

Please consider answering What are other known failure modes? in Troubleshooting section of the KEP readme.

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

shecodesmagic avatar Sep 28 '24 19:09 shecodesmagic

Hi @vinayakankugoyal :wave:, I'm James Spurin, a 1.32 Docs Shadow. Great to meet you.

Does this enhancement work planned for 1.32 require any new docs or modifications to the existing docs?

If so, please follow the steps here to open a PR against dev-1.32 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday October 24th 2024 18:00 PDT.

Also, take a look at Documenting for a release to familiarise with the docs requirement for the release.

Thank you!

spurin avatar Oct 14 '24 11:10 spurin

Hey @vinayakankugoyal 👋 from the v1.32 Communications Team!

We'd love for you to consider writing a feature blog about your enhancement. Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and it is graduating.

To opt-in, let us know by opening a Feature Blog placeholder PR against the website repository by 30th Oct 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we finalize the blog schedule.

mbianchidev avatar Oct 14 '24 17:10 mbianchidev

@spurin - the docs PR is already opened since 2024-09-04. I am still waiting for review on that. Thanks! https://github.com/kubernetes/website/pull/47787

vinayakankugoyal avatar Oct 14 '24 17:10 vinayakankugoyal

Thanks for confirming @vinayakankugoyal.

@sftim, it appears that @vinayakankugoyal has attempted to address the feedback that you provided. Do you have any cycles to review these changes and move this along please? 🙏

Also tagging @dipesh-rawat and @drewhagen, listed as reviewers for PR #47787.

spurin avatar Oct 18 '24 11:10 spurin

Hey @vinayakankugoyal 👋 from the v1.32 Communications Team!

We'd love for you to consider writing a feature blog about your enhancement. Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and it is graduating.

To opt-in, let us know by opening a Feature Blog placeholder PR against the website repository by 30th Oct 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we finalize the blog schedule.

Just a reminder since the blog opt-in deadline is close!

mbianchidev avatar Oct 28 '24 09:10 mbianchidev

Hello @vinayakankugoyal :wave:, Enhancements team here (again 😁 )

With all the implementation (code related) PRs merged as per the issue description:

  • https://github.com/kubernetes/kubernetes/pull/127009

This enhancement is now marked as tracked for code freeze for the v1.32 Code Freeze!

Please note that KEPs targeting stable need to have the status field marked as implemented in the kep.yaml file after code PRs are merged and the feature gates are removed.

shecodesmagic avatar Oct 30 '24 00:10 shecodesmagic