[WIP] authn-authz: document delegating custom signing domains #49275
Conversation
k8s-ci-robot
added
language/en
k8s-ci-robot
added
the
size/L
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
from
c8dc3aa to
5e12edc
Compare
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
sounds like a task [page] - this is a task a cluster admin might want to learn |
content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
Outdated
Show resolved
Hide resolved
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: top-level-csr-approver | ||
| rules: | ||
| - apiGroups: ["certificates.k8s.io"] | ||
| resourceNames: ["example.com/*"] | ||
| resources: ["signers"] | ||
| verbs: ["approve", "sign"] |
There was a problem hiding this comment.
Ideally, either:
- mention that RBAC is only one possible authz mechanism
- avoid a focus RBAC and instead talk about what the SubjectAccessReview(s) will look like
There was a problem hiding this comment.
Thanks, I need to read up on the other mechanisms right now.
There was a problem hiding this comment.
The main in-tree alternative is webhook authz, but you can combine that with eg https://www.openpolicyagent.org/integrations/kubernetes-authorization/ or https://github.com/awslabs/cedar-access-control-for-k8s
OpenShift has its own custom authz that extends K8s RBAC.
There was a problem hiding this comment.
Thought about this a little more and I'm not sure how to address this comment. The document is specifically addressing a workaround for the RBAC authorizer not understanding example.com/* in a ClusterRole as granting permissions over the entire domain. Other implementations of SubjectAccessReview backends won't necessarily have the delegation problem that RBAC has. OpenShift RBAC ~is k8s RBAC, so the doc here applies to OpenShift identically. By design the doc will not have any meaning in other contexts.
content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
Outdated
Show resolved
Hide resolved
content/en/docs/reference/access-authn-authz/certificate-signing-requests.md
Outdated
Show resolved
Hide resolved
k8s-ci-robot
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
from
5e12edc to
00ab59d
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
from
00ab59d to
c7bcb15
Compare
| its permissions to sign, approve or deny CertificateSigningRequests outside of that | ||
| domain may be restricted by: | ||
|
|
||
| <!-- TODO validate best posture here, signer names are opaque and don't need to be domains? --> |
There was a problem hiding this comment.
@enj would appreciate your review here.
| Error from server (Forbidden): error when creating "-": clusterroles.rbac.authorization.k8s.io "specific-csr-approver" is forbidden: ValidatingAdmissionPolicy 'installer-csr-delegation-policy' with binding 'installer-csr-delegation-policy-binding' denied request: failed expression: variables.signerNameInDomain == true | ||
| ``` | ||
|
|
||
| TODO: why don't we get the message? from the VAP?? |
There was a problem hiding this comment.
@enj would appreciate your review here.
|
|
||
| TODO: why don't we get the message? from the VAP?? | ||
|
|
||
| TODO: validate that domain parameter is not empty or startsWith is useless? |
There was a problem hiding this comment.
@enj would appreciate your review here.
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
2 times, most recently
from
b3728e3 to
b5d1101
Compare
Correctly scoping permissions for an actor that can delegate permissions to sign and approve CertificateSigningRequests under a domain is subtle. Signed-off-by: Steve Kuznetsov <[email protected]>
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
from
b5d1101 to
25b4950
Compare
Description
Correctly scoping permissions for an actor that can delegate permissions to sign and approve CertificateSigningRequests under a domain is subtle.
Issue
Closes: kubernetes/kubernetes#122154
cc @enj