Enhancements: harden the default RBAC discovery clusterrolebindings

Created on 30 Jan 2019  路  9Comments  路  Source: kubernetes/enhancements

Enhancement Description

  • One-line enhancement description (can be used as a release note): Remove discovery from the set of APIs which allow for unauthenticated access by default, improving privacy for CRDs and the default security posture of default clusters in general.
  • Primary contact (assignee): @dekkagaijin
  • Responsible SIGs: sig-auth, sig-api-machinery
  • Design proposal link (community repo): https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0034-20190123-harden-default-discovery-bindings.md
  • Link to e2e and/or unit tests: https://github.com/kubernetes/kubernetes/pull/73807/files#diff-10a6ed7aab30ba9661f23a9b9b542e38
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @liggitt, @deads2k
  • Approver (likely from SIG/area to which enhancement belongs): @liggitt
  • Enhancement target (which target equals to which milestone):

    • Alpha, Beta, Stable release target (1.14)

kinfeature siauth stagstable trackeno

Most helpful comment

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam

All 9 comments

/sig auth

dotting i's, crossing t's

/kind feature

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam

thanks!

@dekkagaijin are there any open PRs in k/k that need to be merged (in addition to the one referenced above) for this to be in 1.14? Code freeze is 3/7 and if the PRs are not able to merge by then this issue will be removed from the milestone.

Hey @dekkagaijin Just a friendly reminder we're looking for a PR against k/website (branch dev-1.14) due by Friday, March 1. It would be great if it's the start of the full documentation, but even a placeholder PR is acceptable. Let me know if you have any questions!

@dekkagaijin checking again if there are any open PRs for k/k that need to be merged for 1.14? Thanks!

Yup, one open PR for k/k that I'll hopefully close on tonight or tomorrow: https://github.com/kubernetes/kubernetes/pull/73807

I'll open a documentation PR on k/website...

Was this page helpful?
0 / 5 - 0 ratings

Related issues

liggitt picture liggitt  路  7Comments

justinsb picture justinsb  路  11Comments

robscott picture robscott  路  14Comments

sparciii picture sparciii  路  13Comments

majgis picture majgis  路  5Comments