
Constrained Impersonation

Open qiujian16 opened this issue 7 months ago • 11 comments

Enhancement Description

  • One-line enhancement description (can be used as a release note): Introduce new authorization rules to restrict impersonating on specified resources with specified actions.
  • Kubernetes Enhancement Proposal: KEP
  • Discussion Link:
    • https://github.com/kubernetes/kubernetes/issues/27152
    • https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit?tab=t.0#heading=h.j07vugxmibh2
    • https://groups.google.com/g/kubernetes-sig-auth/c/gCJ95N3wyZ0
  • Primary contact (assignee): @qiujian16
  • Responsible SIGs: sig-auth
  • Enhancement target (which target equals to which milestone):
    • Alpha release target (x.y): 1.34
    • Beta release target (x.y):
    • Stable release target (x.y):
  • [ ] Alpha
    • [x] KEP (k/enhancements) update PR(s): #5285
    • [ ] Code (k/k) update PR(s):
    • [ ] Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

qiujian16 avatar May 07 '25 02:05 qiujian16

/sig auth

qiujian16 avatar May 07 '25 02:05 qiujian16

I think the title of this KEP should be Constrained Impersonation.

You can already restrict impersonation (eg: deny the verb in your custom authz code), but you can't allow a principal to use only some of the permissions of the principal they impersonate.

The word constrain implies a bounding form restriction (eg you can impersonate this principal but only to perform actions in namespace kube-heptagon). That's different from conditions (eg: you can impersonate this principal, but only if the moon is waning at the time you submit the request).

lmktfy avatar May 13 '25 23:05 lmktfy
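The comment above says RBAC can already grant or deny the impersonate verb, but cannot bound what the impersonating principal gets. The following manifests are an added illustration of that gap using the RBAC API as it exists today; they are not code from the KEP, the thread, or the Kubernetes project, and the names deploy-bot, alice, ci and kube-heptagon are constructed for the example.

```yaml
# Added illustration of what RBAC can express today (not from the KEP or this
# thread). Subject and namespace names are constructed for the example.
#
# Grant the "deploy-bot" service account permission to impersonate the user
# "alice". The apiserver then evaluates each impersonated request with alice's
# full permissions: nothing in this rule bounds the result to a namespace or a
# subset of verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate-alice
rules:
  - apiGroups: [""]
    resources: ["users"]
    verbs: ["impersonate"]
    resourceNames: ["alice"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: deploy-bot-impersonates-alice
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonate-alice
subjects:
  - kind: ServiceAccount
    name: deploy-bot
    namespace: ci
---
# Suppose alice holds the built-in "edit" role cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-edit
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
# Result: deploy-bot can perform any request alice can, in every namespace.
# With RBAC alone, the only way to keep deploy-bot to kube-heptagon is to
# narrow alice herself (a RoleBinding in kube-heptagon instead of the
# ClusterRoleBinding above), which changes alice's own access rather than
# bounding the impersonation. That is the "constrain" the comment asks for.
```

To see what an impersonating caller actually obtains, run `kubectl auth can-i --list -n kube-heptagon --as=alice` as deploy-bot; the list is alice's, not a bounded subset. When reviewing a cluster, search ClusterRoles and Roles for rules with the `impersonate` verb, and rely on the apiserver audit log, where an impersonated request records both the original user and the `impersonatedUser` field, to attribute actions to the real caller.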

I think the title of this KEP should be Constrained Impersonation.

You can already restrict impersonation (eg: deny the verb in your custom authz code), but you can't allow a principal to use only some of the permissions of the principal they impersonate.

The word constrain implies a bounding form restriction (eg you can impersonate this principal but only to perform actions in namespace kube-heptagon). That's different from conditions (eg: you can impersonate this principal, but only if the moon is waning at the time you submit the request).

That makes sense, thanks. The title is updated to Constrained Impersonation.

qiujian16 avatar May 16 '25 07:05 qiujian16

Hi @qiujian16 :wave:, v1.34 Enhancements team here.

This is a reminder of the upcoming PRR Freeze on Thursday 12th June 2025.

By this date, there must be a PR open in k/enhancements with:

  • The KEP's PRR questionnaire filled out.
  • The kep.yaml updated with the stage, latest-milestone, and milestone struct filled out.
  • A PRR approval file with the PRR approver listed for the stage the KEP is targeting.

Having the PRR questionnaire filled out by this deadline will help ensure that the PRR team has enough time to review your KEP before Enhancements Freeze on Friday 20th June 2025. For more information on the PRR process, see here.

If you could also confirm assignment for the primary owner, that would be great. Thanks!

stmcginnis avatar Jun 06 '25 11:06 stmcginnis

/stage alpha

stmcginnis avatar Jun 09 '25 14:06 stmcginnis

The KEP's PRR questionnaire filled out. The kep.yaml updated with the stage, latest-milestone, and milestone struct filled out. A PRR approval file with the PRR approver listed for the stage the KEP is targeting.

@stmcginnis thanks for the reminder, the above has been filled out.

qiujian16 avatar Jun 11 '25 03:06 qiujian16

Hello @qiujian16 👋, v1.34 Enhancements team here again.

Just checking in as we approach Enhancements Freeze on 21:00 UTC Friday 20th June 2025.

This enhancement is targeting stage alpha for v1.34 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [x] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [x] KEP status is marked as implementable for latest-milestone: v1.34.
  • [x] KEP readme has up-to-date graduation criteria
  • [ ] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on { PRR_FREEZE_DATETIME } so that the PRR team has enough time to review your KEP.

For this KEP, we would just need to update the following:

  • KEP merged to k/enhancements repo
  • PRR completed and merged

The status of this enhancement is marked as At risk for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

stmcginnis avatar Jun 11 '25 18:06 stmcginnis

Hey 👋 - just a friendly reminder that enhancement freeze is coming up in just a few days. If we know this enhancement will not make it for 1.34, please remove or update the target milestone.

Also a reminder that, if necessary, you can file a freeze exception request. Thanks!

stmcginnis avatar Jun 17 '25 17:06 stmcginnis

@stmcginnis #5285 is merged.

enj avatar Jun 19 '25 15:06 enj

Hi @nabokihms @qiujian16 👋 -- this is Graziano (@graz-dev) from the 1.34 Communications Team!

For the 1.34 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

  • This introduces some breaking change(s)
  • This has significant impacts and/or implications to users
  • ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Friday 11th July? For more information about writing a blog, please find the blog contribution guidelines 📚

[!Tip] Some timeline to keep in mind:

  • 02:00 UTC Friday 11th July 2025: Feature blog PR freeze
  • Friday 8th August 2025: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

graz-dev avatar Jun 22 '25 15:06 graz-dev

Hello @enj 👋, 1.34 Docs Lead here.

Does this enhancement work planned for 1.34 require any new docs or modification to existing docs? If so, please follow the steps here to open a PR against the dev-1.34 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 3rd July 2025 18:00 PDT.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release.

Thank you!

michellengnx avatar Jun 27 '25 16:06 michellengnx

Hello @enj 👋, 1.34 Docs Lead here.

Does this enhancement work planned for 1.34 require any new docs or modification to existing docs? If so, please follow the steps here to open a PR against the dev-1.34 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 3rd July 2025 18:00 PDT.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release.

Thank you!

Hi @enj 👋, 1.34 Docs Shadow here.

Just a reminder to open a placeholder PR against the dev-1.34 branch in the k/website repo if this KEP needs new or updated docs (steps available here). If this KEP doesn't require any docs updates, please kindly confirm that here too.

The deadline for this is Thursday, July 3 at 18:00 PDT. Thanks! 🚀

yujen77300 avatar Jul 02 '25 00:07 yujen77300

Hey again @enj @qiujian16 👋, 1.34 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Friday 25th July 2025.

Here's where this enhancement currently stands:

  • [ ] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [ ] All PRs are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs need to be merged before code freeze:

  • https://github.com/kubernetes/kubernetes/pull/132669

Please update this issue description to link to this and any other PRs related to the enhancement implementation.

If the implementation work for this enhancement is occurring out-of-tree (i.e., outside of k/k), please link the relevant PRs in the issue description for visibility. Alternatively, if you're unable to provide specific PR links, a confirmation that all out-of-tree implementation work is complete and merged will help us finalize tracking and maintain accuracy.

The status of this enhancement is marked as At risk for code freeze.

If you anticipate missing code freeze, you can file an exception request in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

stmcginnis avatar Jul 03 '25 18:07 stmcginnis

Hi @nabokihms @qiujian16 👋, 1.34 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned above, which is 02:00 UTC Friday 11th July 2025. To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

[!Tip] Some timeline to keep in mind:

  • 02:00 UTC Friday 11th July 2025: Feature blog PR freeze
  • Friday 8th August 2025: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

graz-dev avatar Jul 04 '25 10:07 graz-dev

Unfortunately, the implementation (code related) PR(s) associated with this enhancement are not in the merge-ready state by code-freeze and hence this enhancement is now removed from the v1.34 milestone.

Additionally, if any of the merged implementation PRs for this enhancement include user-facing changes, please let us know. This will help us determine whether the changes should be documented or considered for rollback to maintain release integrity.

If you still wish to progress this enhancement in v1.34, please file an exception request as soon as possible, within three days. If you have any questions, you can reach out in the #release-enhancements channel on Slack and we'll be happy to help. Thanks!

/label tracked/no /milestone clear

jenshu avatar Jul 25 '25 02:07 jenshu

Hi @qiujian16 :wave:, v1.35 Enhancements Lead here.

I am closing the v1.34 milestone now.

If you'd like to work on this enhancement in v1.35, please have the SIG lead opt-in by adding the lead-opted-in label, which ensures it gets added to the tracking board. Also, please set the milestone to v1.35 using /milestone v1.35.

Thanks!

/remove-label lead-opted-in /remove-label tracked/no

rayandas avatar Sep 16 '25 19:09 rayandas

The state of this to me seems to be that the KEP merged but the implementation for alpha did not make it in 1.34.

It seems that for 1.35, the goal will be to merge the implementation.

It seems there is no need for KEP review or PRR right?

kannon92 avatar Sep 28 '25 17:09 kannon92

@kannon92 I think there will be some updates on KEP.

qiujian16 avatar Sep 29 '25 01:09 qiujian16

Hello 👋, v1.35 Enhancements team here.

This is a reminder of the upcoming PRR freeze on Thursday 9th October 2025 (AoE) / Friday 10th October 2025, 12:00 UTC.

This enhancement is targeting stage alpha for v1.35 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [x] PR open or merged with the KEP's PRR questionnaire filled out.
  • [ ] PR open or merged with kep.yaml updated with the stage, latest-milestone, and milestone struct filled out.
  • [x] PR open or merged with a PRR approval file with the PRR approver listed for the stage the KEP is targeting.

For this KEP, we would just need to update the following:

  • Raise a PR to update the stage, latest-milestone, and milestone struct in kep.yaml to the current target (v1.35)

Note that the PRs are not required to be approved or merged by the PRR freeze deadline. Having the PRR questionnaire filled out by the deadline will help ensure that the PRR team has enough time to review your KEP before enhancements freeze on Thursday 16th October 2025 (AoE) / Friday 17th October 2025, 12:00 UTC. For more information on the PRR process, see here.

The status of this enhancement is marked as At risk for PRR freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing PRR freeze, you can file an exception request in advance. Thank you!

chanieljdan avatar Oct 06 '25 14:10 chanieljdan

@chanieljdan #5630 should cover everything needed to track the KEP for v1.35.

enj avatar Oct 07 '25 19:10 enj

This PR (https://github.com/kubernetes/enhancements/issues/5284) checks all the requirements for PRR freeze, hence this KEP is now Tracked for PRR freeze. Thanks! /label tracked/yes

chanieljdan avatar Oct 10 '25 03:10 chanieljdan

Hello @enj @qiujian16 👋, v1.35 Enhancements team here.

Just checking in as we approach enhancements freeze on Thursday 16th October 2025 (AoE) / Friday 17th October 2025, 12:00 UTC.

This enhancement is targeting stage alpha for v1.35 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • [X] KEP readme using the latest template has been merged into the k/enhancements repo.
  • [X] KEP status is marked as implementable for latest-milestone: v1.35. KEPs targeting stable will need to be marked as implemented after code PRs are merged.
  • [X] KEP readme has up-to-date graduation criteria.
  • [X] KEP has submitted a production readiness review request for approval and has a reviewer assigned.
  • [X] KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as Tracked for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

chanieljdan avatar Oct 15 '25 01:10 chanieljdan

Hello @enj :wave:, v1.35 Docs Shadow here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release. Thank you!

Jimmykhangnguyen avatar Oct 15 '25 17:10 Jimmykhangnguyen

Hello @qiujian16, @enj 👋, this is Aakanksha (@aakankshabhende) from the v1.35 Communications Team!

For the v1.35 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

  • This introduces some breaking change(s)
  • This has significant impacts and/or implications to users
  • ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Friday, 31st October? For more information about writing a blog, please find the blog contribution guidelines 📚

[!Tip] Some timeline to keep in mind:

  • 12:00 UTC Friday, 31st October: Feature blog PR freeze
  • Friday, 21st November: Feature blogs ready for review
  • You can find more in the release document

[!Note] In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

aakankshabhende avatar Oct 19 '25 09:10 aakankshabhende

Hello @qiujian16, @enj 👋, v1.35 Docs Lead here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs? If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025. Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release.

Thank you!

Urvashi0109 avatar Oct 20 '25 08:10 Urvashi0109

Hello @enj 👋, v1.35 Docs Shadow here.

Does this enhancement work planned for v1.35 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against the dev-1.35 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 23rd October 2025.

Also, take a look at Documenting for a release to familiarize yourself with the docs requirements for the release. Thank you!

Hello @enj 👋, we are closing in on the Placeholder PR deadline, Thursday 23rd October 2025. I'm dropping a reminder to please follow the guidelines mentioned in the quoted comment.

Urvashi0109 avatar Oct 21 '25 19:10 Urvashi0109

Doc placeholder PR is created: https://github.com/kubernetes/website/pull/52907

qiujian16 avatar Oct 23 '25 07:10 qiujian16

@benjaminapetersen @qiujian16 @enj This KEP has been marked as opted in for the feature blog.

aakankshabhende avatar Oct 27 '25 06:10 aakankshabhende

Hey again @enj @qiujian16 👋, v1.35 Enhancements team here,

Just checking in as we approach code freeze and test freeze at Thursday 6th November 2025 (AoE) / Friday 7th November 2025, 12:00 UTC.

Here's where this enhancement currently stands:

  • [x] All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • [ ] All PRs are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

Per the issue description, these are all of the implementation (code-related) PRs for v1.35, some of which are not merged yet:

  • https://github.com/kubernetes/kubernetes/pull/134803

Please let me know (and keep the issue description updated) if there are any other PRs in k/k that we should track for this KEP, so that we can maintain accurate status.

If the implementation work for this enhancement is occurring out-of-tree (i.e., outside of k/k), please link the relevant PRs in the issue description for visibility. Alternatively, if you're unable to provide specific PR links, a confirmation that all out-of-tree implementation work is complete and merged will help us finalize tracking and maintain accuracy.

The status of this enhancement is marked as At risk for code freeze.

If you anticipate missing code freeze, you can file an exception request in advance.

chanieljdan avatar Nov 01 '25 23:11 chanieljdan

Hey again @enj @qiujian16 👋, v1.35 Enhancements team here,

With all the implementation (code-related) PRs merged per the issue description:

  • https://github.com/kubernetes/kubernetes/pull/134803

This enhancement is now marked as Tracked for code freeze for the {current release} Code Freeze!

/label tracked/yes

chanieljdan avatar Nov 05 '25 16:11 chanieljdan