enhancements icon indicating copy to clipboard operation
enhancements copied to clipboard
verified publisher icon kubernetes

KEP-5681: Conditional Authorization

Open luxas opened this issue 1 month ago • 5 comments

  • One-line PR description: Initial commit of the Conditional Authorization KEP
  • Issue link: https://github.com/kubernetes/enhancements/issues/5681

/sig auth

Rendered

Status Nov 26: Proposal updated to include discussions from KubeCon and last week's SIG Auth meeting comments.

luxas avatar Nov 06 '25 11:11 luxas

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: luxas Once this PR has been reviewed and has the lgtm label, please assign micahhausler for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Nov 06 '25 11:11 k8s-ci-robot

This PR doesn't follow the conventions we use for our PRs. It's so different that I found it hard to follow.

Sorry you felt it is hard to follow. It'll get improved over time, with feedback and increased iteration. Indeed, this KEP has more "background material" than most other, but the purpose of this is to make sure everyone is on the same page before reading the actual proposal, e.g. as partial evaluation is not a technique used in Kubernetes yet. I'll improve the flow of the text as we go, and eventually add all other KEP-related metadata sections that are not here yet to make it conform with the information needed. However, I prefer to proceed iteratively over polishing all parts fully before we've got enough initial reviews.

luxas avatar Nov 19 '25 15:11 luxas

All comments so far should be addressed and responded to now. Please let me know other feedback you have and/or if anything's unclear.

luxas avatar Dec 04 '25 16:12 luxas

@luxas: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-enhancements-test 5a97afaefeadc68c428c3499194b360592e1cde7 link true /test pull-enhancements-test
pull-enhancements-verify 5a97afaefeadc68c428c3499194b360592e1cde7 link true /test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

k8s-ci-robot avatar Dec 04 '25 16:12 k8s-ci-robot

See https://github.com/kubernetes/enhancements/pull/5684#discussion_r2589782316 fory thoughts on being kind to aggregated API servers doing SubjectAccessReviews.

lmktfy avatar Dec 04 '25 16:12 lmktfy