Authorize with Field and Label Selectors

[deads2k]

Enhancement Description

• One-line enhancement description (can be used as a release note): allow using field and label selectors in authorization decisions

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/4601-authorize-with-selectors

• Discussion Link:

• Primary contact (assignee): @deads2k

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • Alpha release target (x.y): 1.31
  • Beta release target (x.y): 1.32
  • Stable release target (x.y): 1.34

• [x] Alpha

  • [x] KEP (k/enhancements) update PR(s):
    • https://github.com/kubernetes/enhancements/pull/4600
    • https://github.com/kubernetes/enhancements/pull/4730
  • [x] Code (k/k) update PR(s):
    • https://github.com/kubernetes/kubernetes/pull/125571
  • [x] Docs (k/website) update PR(s):
    • https://github.com/kubernetes/website/pull/46986

• [x] Beta

  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/4894
  • [x] Code (k/k) update PR(s): https://github.com/kubernetes/kubernetes/pull/128168
  • [x] Docs (k/website) update(s): https://github.com/kubernetes/website/pull/48411

• [ ] Stable

  • [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/5326
  • [ ] Code (k/k) update PR(s):
  • [ ] Docs (k/website) update(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[deads2k]

/sig auth /milestone 1.31 /stage alpha /lead opt-in

[k8s-ci-robot]

@deads2k: The provided milestone is not valid for this repository. Milestones in this repository: [v1.25, v1.27, v1.28, v1.29, v1.30, v1.31]

Use /milestone clear to clear the milestone.

In response to this:

/sig auth /milestone 1.31 /stage alpha /lead opt-in

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[deads2k]

/milestone v1.31

[deads2k]

/label lead-opted-in

[sreeram-venkitesh]

Hello @deads2k 👋, v1.31 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th June 2024 / 19:00 PDT Thursday 13th June 2024.

This enhancement is targeting for stage alpha for v1.31 (correct me, if otherwise)

Here's where this enhancement currently stands:

• [x] KEP readme using the latest template has been merged into the k/enhancements repo.
• [x] KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• [ ] KEP readme has up-to-date graduation criteria
• [x] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline so that the PRR team has enough time to review your KEP before the enhancements freeze.

For this KEP, we need to do the following:

• [x] Get https://github.com/kubernetes/enhancements/pull/4600 merged before the enhancements freeze. The files look good, but I couldn't find the graduation criteria, please fill in these too.

Rest everything looks good to me, everything seems to be taken care of in https://github.com/kubernetes/enhancements/pull/4600. Please get the KEP files merged before the enhancements freeze and update the issue description with the links to the KEP and the PR.

The status of this enhancement is marked as at risk for enhancement freeze. But I can mark it as tracked as soon as the above changes are merged. Please make sure to get this done before the enhancements freeze.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Let me know if you have any questions! Thank you!

[liggitt]

https://github.com/kubernetes/enhancements/pull/4600 merged, @deads2k, can you make sure any relevant graduation criteria is mentioned

[MaryamTavakkoli]

Hello @deads2k 👋, 1.31 Docs Shadow here. Does this enhancement work planned for 1.31 require any new docs or modifications to existing docs? If so, please follow the steps here to open a PR against the dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, June 27, 2024, 18:00 PDT. Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release. Thank you!

[deads2k]

Graduation criteria added in https://github.com/kubernetes/enhancements/pull/4730/files

[sreeram-venkitesh]

Thanks @deads2k! Marking this KEP as tracked for enhancements freeze! 🎉

[a-mccarthy]

Hi @deads2k,

👋 from the v1.31 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement! Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and is graduating.

To opt in, let us know and open a Feature Blog placeholder PR against the website repository by 3rd July, 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[Princesso]

Graduation criteria added in https://github.com/kubernetes/enhancements/pull/4730/files

Hi @deads2k does this mean that this enhancement does not need any new documentation updates?

[liggitt]

placeholder doc PR open at https://github.com/kubernetes/website/pull/46986

[a-mccarthy]

@deads2k, friendly reminder about the upcoming blog opt-in and placeholder deadline on July 3rd. Please open a blog placeholder PR if you are interested in contributing a blog.

[sreeram-venkitesh]

Hey again @deads2k 👋 v1.31 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

• [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• [x] All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP):

• https://github.com/kubernetes/kubernetes/pull/125571

If you anticipate missing code freeze, you can file an exception request in advance.

Marking this KEP as Tracked for code freeze! Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

[sreeram-venkitesh]

Hi again @deads2k @liggitt! We're a week away from code freeze and I wanted to ping you here as a small reminder for getting https://github.com/kubernetes/kubernetes/pull/125571 merged in time. Please let me know if there are any other PRs that we should be tracking for this KEP! Thanks!

[liggitt]

The alpha code changes are now merged for 1.31

[sreeram-venkitesh]

Thank you! KEP is marked as tracked for code freeze! 🎉

[liggitt]

opting in for beta for 1.32

[impact-maker]

Hello @liggitt 👋, v1.32 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage beta for v1.32 (correct me, if otherwise).

Here's where this enhancement currently stands:

• [x] KEP readme using the latest template has been merged into the k/enhancements repo.
• [ ] KEP status is marked as implementable for latest-milestone: v1.32.
• [x] KEP readme has up-to-date graduation criteria.
• [ ] KEP has submitted a production readiness review request for approval and has a reviewer assigned.
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 3rd October 2024 so that the PRR team has enough time to review your KEP.

For this KEP, we would need to update the following:

• [ ] KEP status is marked as implementable for latest-milestone: v1.32.
• [ ] KEP has submitted a production readiness review request for approval and has a reviewer assigned.
• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 3rd October 2024 so that the PRR team has enough time to review your KEP.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[liggitt]

https://github.com/kubernetes/enhancements/pull/4894 should address the outstanding items in https://github.com/kubernetes/enhancements/issues/4601#issuecomment-2381350476

[impact-maker]

@liggitt thanks! Everything looks good, I have updated the issue status to tracked for enhancements freeze