Enhancements: harden the default RBAC discovery clusterrolebindings

Created on 30 Jan 2019  路  9Comments  路  Source: kubernetes/enhancements

Enhancement Description

  • One-line enhancement description (can be used as a release note): Remove discovery from the set of APIs which allow for unauthenticated access by default, improving privacy for CRDs and the default security posture of default clusters in general.
  • Primary contact (assignee): @dekkagaijin
  • Responsible SIGs: sig-auth, sig-api-machinery
  • Design proposal link (community repo): https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0034-20190123-harden-default-discovery-bindings.md
  • Link to e2e and/or unit tests: https://github.com/kubernetes/kubernetes/pull/73807/files#diff-10a6ed7aab30ba9661f23a9b9b542e38
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @liggitt, @deads2k
  • Approver (likely from SIG/area to which enhancement belongs): @liggitt
  • Enhancement target (which target equals to which milestone):

    • Alpha, Beta, Stable release target (1.14)

kinfeature siauth stagstable trackeno
Source
picture dekkagaijin

Most helpful comment

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam

picture spiffxp on 7 Feb 2019
👍3

All 9 comments

/sig auth

dekkagaijin picture dekkagaijin on 30 Jan 2019

dotting i's, crossing t's

liggitt picture liggitt on 4 Feb 2019

/kind feature

ameukam picture ameukam on 6 Feb 2019

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam

spiffxp picture spiffxp on 7 Feb 2019
👍3

thanks!

dekkagaijin picture dekkagaijin on 7 Feb 2019

@dekkagaijin are there any open PRs in k/k that need to be merged (in addition to the one referenced above) for this to be in 1.14? Code freeze is 3/7 and if the PRs are not able to merge by then this issue will be removed from the milestone.

claurence picture claurence on 12 Feb 2019

Hey @dekkagaijin Just a friendly reminder we're looking for a PR against k/website (branch dev-1.14) due by Friday, March 1. It would be great if it's the start of the full documentation, but even a placeholder PR is acceptable. Let me know if you have any questions!

simplytunde picture simplytunde on 27 Feb 2019

@dekkagaijin checking again if there are any open PRs for k/k that need to be merged for 1.14? Thanks!

claurence picture claurence on 28 Feb 2019

Yup, one open PR for k/k that I'll hopefully close on tonight or tomorrow: https://github.com/kubernetes/kubernetes/pull/73807

I'll open a documentation PR on k/website...

dekkagaijin picture dekkagaijin on 28 Feb 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

euank picture euank  路  13Comments
justaugustus picture justaugustus  路  7Comments
boynux picture boynux  路  3Comments
AndiLi99 picture AndiLi99  路  13Comments
justaugustus picture justaugustus  路  3Comments