Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent conflicts between service account and jwt issuers #123561

Merged
merged 1 commit into from
Mar 5, 2024
Merged

Prevent conflicts between service account and jwt issuers #123561

merged 1 commit into from
Mar 5, 2024

Conversation

enj
Copy link
Member

@enj enj commented Feb 28, 2024

/kind feature
/kind api-change
/assign liggitt aramase
/sig auth
/triage accepted
/priority important-soon

Conflicting issuers between JWT authenticators and service account config are now detected and fail on API server startup.  Previously such a config would run but would be inconsistently effective depending on the credential.

@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Feb 28, 2024
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API sig/auth Categorizes an issue or PR as relevant to SIG Auth. triage/accepted Indicates an issue or PR is ready to be actively worked on. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Feb 28, 2024
@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Feb 28, 2024
aramase
aramase reviewed Feb 28, 2024
View reviewed changes
Copy link
Member

@aramase aramase left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 28, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: fd937c0a637c9f7defcd10075af03532007363c4

@k8s-triage-robot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

liggitt
liggitt reviewed Feb 28, 2024
View reviewed changes
staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go Outdated
Comment on lines 82 to 83
"https://kubernetes.default.svc",
"https://kubernetes.default.svc.cluster.local",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why hard-code these if they weren't used as the service account issuers?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking along the lines of "these can never be valid because they resolve to the cluster's SA issuer which does not make sense." But I have dropped it since the configured values should be fine.

@liggitt
Copy link
Member

liggitt commented Feb 28, 2024

one question on the hard-coded entries, lgtm otherwise

@enj enj force-pushed the enj/i/validate_jwt_sa_iss branch from 91bce3a to 87e4fc1 Compare March 4, 2024 15:53
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 4, 2024
@k8s-ci-robot k8s-ci-robot requested review from aramase and liggitt March 4, 2024 15:53
@enj enj force-pushed the enj/i/validate_jwt_sa_iss branch from 87e4fc1 to 05e1eff Compare March 4, 2024 16:40
@liggitt
Copy link
Member

liggitt commented Mar 4, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 4, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: ca0a38ec8375241bae991a79bd6c316dbd2e7e0b

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 4, 2024
@liggitt
Copy link
Member

liggitt commented Mar 4, 2024

/retest

@liggitt liggitt added this to the v1.30 milestone Mar 4, 2024
@liggitt
Copy link
Member

liggitt commented Mar 4, 2024

/retest

@k8s-triage-robot
Copy link

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@liggitt
Copy link
Member

liggitt commented Mar 5, 2024

/retest

@pacoxu
Copy link
Member

pacoxu commented Mar 5, 2024

/test pull-kubernetes-e2e-kind

@k8s-ci-robot k8s-ci-robot merged commit 26600b1 into kubernetes:master Mar 5, 2024
14 checks passed
This was referenced Mar 11, 2024
Open
Merged
@bryantbiggs bryantbiggs mentioned this pull request May 31, 2024
Merged
3 tasks
@igorbrites igorbrites mentioned this pull request Aug 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@logicalhan logicalhan Awaiting requested review from logicalhan

@aramase aramase Awaiting requested review from aramase

@liggitt liggitt Awaiting requested review from liggitt

Assignees

@liggitt liggitt

@aramase aramase

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.
6 participants
@enj @k8s-ci-robot @k8s-triage-robot @liggitt @pacoxu @aramase