[WIP] authn-authz: document delegating custom signing domains #49275
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
language/en
k8s-ci-robot
added
the
size/L
Correctly scoping permissions for an actor that can delegate permissions to sign and approve CertificateSigningRequests under a domain is subtle. Signed-off-by: Steve Kuznetsov <[email protected]>
stevekuznetsov
force-pushed
the
skuznets/delegating-csr-tutorial
branch
from
c8dc3aa to
5e12edc
Compare
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
sounds like a task [page] - this is a task a cluster admin might want to learn |
| @@ -613,6 +613,249 @@ To test it, change the context to `myuser`: | |||
| kubectl config use-context myuser | |||
| ``` | |||
|
|
|||
| <!-- TODO this should become a task page --> | |||
There was a problem hiding this comment.
Can we make this a task page before the first merge?
There was a problem hiding this comment.
Yes totally - I didn't know what the preference was, since the other set above was not a task yet. Do you think we should put this under content/en/docs/tasks/administer-cluster/?
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: top-level-csr-approver | ||
| rules: | ||
| - apiGroups: ["certificates.k8s.io"] | ||
| resourceNames: ["example.com/*"] | ||
| resources: ["signers"] | ||
| verbs: ["approve", "sign"] |
There was a problem hiding this comment.
Ideally, either:
- mention that RBAC is only one possible authz mechanism
- avoid a focus RBAC and instead talk about what the SubjectAccessReview(s) will look like
There was a problem hiding this comment.
Thanks, I need to read up on the other mechanisms right now.
There was a problem hiding this comment.
The main in-tree alternative is webhook authz, but you can combine that with eg https://www.openpolicyagent.org/integrations/kubernetes-authorization/ or https://github.com/awslabs/cedar-access-control-for-k8s
OpenShift has its own custom authz that extends K8s RBAC.
|
|
||
| ### Set up a service account for the installer | ||
|
|
||
| In this example, we will assume some application that installs CSR signers on a Kubernetes cluster. |
There was a problem hiding this comment.
Per the style guide we avoid using “we“.
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: csr-signer-installer |
There was a problem hiding this comment.
Defining this namespace should be its own step.
k8s-ci-robot
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
Description
Correctly scoping permissions for an actor that can delegate permissions to sign and approve CertificateSigningRequests under a domain is subtle.
Issue
Closes: kubernetes/kubernetes#122154
cc @enj