Support multiple JWT authenticators with structured authn config by aramase · Pull Request #123431 · kubernetes/kubernetes · GitHub

aramase (Member) commented Feb 21, 2024

/kind feature

  • Support configuring multiple JWT authenticators using structured authentication configuration

part of #121553

Added support for configuring multiple JWT authenticators in Structured Authentication Configuration. The maximum allowed JWT authenticators in the authentication configuration is 64.
[KEP]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration

@k8s-ci-robot added the release-note, size/L and kind/feature labels Feb 21, 2024

aramase (Member, Author) commented Feb 21, 2024

/kind api-change
(for validation changes)

@k8s-ci-robot added the cncf-cla: yes, do-not-merge/needs-sig, kind/api-change, needs-triage and needs-priority labels Feb 21, 2024

aramase (Member, Author) commented Feb 21, 2024

/sig auth
/triage accepted
/priority important-soon

@k8s-ci-robot added the sig/auth, triage/accepted and priority/important-soon labels and removed the do-not-merge/needs-sig, needs-triage and needs-priority labels Feb 21, 2024

aramase (Member, Author) commented Feb 21, 2024

/assign enj liggitt

@k8s-ci-robot added the area/test and sig/testing labels Feb 21, 2024

@aramase force-pushed the aramase/f/kep_3331_multiple_jwt_authenticator branch from da93751 to 266024a on February 21, 2024 23:25

@k8s-triage-robot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

// remove the 1 authenticator limit check and add set the limit to 64.
if len(c.JWT) > 1 {
allErrs = append(allErrs, field.TooMany(root, len(c.JWT), 1))
if len(c.JWT) > 64 {
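
Review bot: The bare 64 in `if len(c.JWT) > 64 {` is a magic number with no rationale beside it, and the comment above the check narrates the change ("remove the 1 authenticator limit check and add set the limit to 64", with a stray "add") rather than saying why a cap exists. Suggest replacing that comment with one that states the reason for the limit and points to the discussion where the value was chosen, and confirming that the `field.TooMany(root, len(c.JWT), 1)` call inside the block now reports 64 as the maximum so the validation error matches the new check.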

Sorry, I haven't followed all the changes, but why 64? Performance?
Shouldn't that number rather be a documented constant such as MaximumAuthenticatorNumber so it may be more easily changed?

Member Author

See #122809 (comment) for more details.

> Shouldn't that number rather be a documented constant such as MaximumAuthenticatorNumber so it may be more easily changed?

I can do this.

Member

Not sure if using a documented constant here matters much since the ideal long term is to remove the limit altogether (i.e. before GA seems best). The number itself is also somewhat arbitrary since we didn't want to impact any normal use case, and just want to avoid users getting stuck in a bad edge case.

sgaist commented Feb 28, 2024

I see your point; then I think it would be good to keep a comment or maybe a todo in order not to lose the link to the original decision and wonder later on why 64.

A comment about it in the commit message would also be of value.

aramase (Member, Author) commented Feb 28, 2024

/hold

add duplicate discovery url check after #123527 is merged.

@k8s-ci-robot added the do-not-merge/hold label Feb 28, 2024

@aramase force-pushed the aramase/f/kep_3331_multiple_jwt_authenticator branch from 266024a to 0251f15 on March 4, 2024 09:21

aramase (Member, Author) commented Mar 4, 2024

> /hold
>
> add duplicate discovery url check after #123527 is merged.

/hold cancel

Added the duplicate discovery url check.

@k8s-ci-robot removed the do-not-merge/hold label Mar 4, 2024

liggitt (Member) left a comment

a couple nits, lgtm otherwise. @enj, anything else from your side?

@aramase force-pushed the aramase/f/kep_3331_multiple_jwt_authenticator branch from 0251f15 to 7f00ade on March 6, 2024 22:21
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase force-pushed the aramase/f/kep_3331_multiple_jwt_authenticator branch from 7f00ade to 39e1c91 on March 6, 2024 22:42

liggitt (Member) commented Mar 6, 2024

/lgtm
/approve

@k8s-ci-robot added the lgtm label Mar 6, 2024

@k8s-ci-robot (Contributor)

LGTM label has been added.

Git tree hash: 1d9ddb730e1607dc6b5d54ff7e97546913e411c3

@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, liggitt

@k8s-ci-robot added the approved label Mar 6, 2024

aramase (Member, Author) commented Mar 6, 2024

/test pull-kubernetes-e2e-gce

@k8s-ci-robot merged commit c726b2b into kubernetes:master Mar 7, 2024

@aramase deleted the aramase/f/kep_3331_multiple_jwt_authenticator branch March 7, 2024 01:43
Labels

approved, area/test, cncf-cla: yes, kind/api-change, kind/feature, lgtm, priority/important-soon, release-note, sig/auth, sig/testing, size/L, triage/accepted

Projects

Status: API review completed, 1.30
Archived in project

6 participants