Add auth API to get self subject attributes #111333

nabokihms · 2022-07-22T00:08:57Z

Signed-off-by: m.nabokikh maksim.nabokikh@flant.com

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

As KEP states:

There is no resource which represents a user in Kubernetes. Instead, Kubernetes has authenticators to get user attributes from tokens or x509 certificates or by using the OIDC provider or receiving them from the external webhook. This KEP proposes adding a new API endpoint to see what attributes the current user has after the authentication.

Which issue(s) this PR fixes:

This PR is a part of kubernetes/enhancements#3325

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add auth API to get self subject attributes (new selfsubjectreviews API is added). 
The corresponding command for kubctl is provided - `kubectl auth whoami`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/3325
- [Docs]: https://github.com/kubernetes/website/pull/35385
- [e2e]: https://github.com/kubernetes/test-infra/pull/26999

k8s-ci-robot · 2022-07-22T00:09:06Z

Hi @nabokihms. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

nabokihms · 2022-07-22T00:09:19Z

/sig auth

k8s-triage-robot · 2022-07-22T00:47:37Z

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

pkg/apis/authentication/types.go

pkg/apis/authentication/validation/validation.go

pkg/quota/v1/install/registry.go

deads2k · 2022-07-26T19:47:12Z

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go

@@ -220,6 +220,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
 			Rules: []rbacv1.PolicyRule{
 				// TODO add future selfsubjectrulesreview, project request APIs, project listing APIs
 				rbacv1helpers.NewRule("create").Groups(authorizationGroup).Resources("selfsubjectaccessreviews", "selfsubjectrulesreviews").RuleOrDie(),
+				rbacv1helpers.NewRule("create").Groups(authenticationGroup).Resources("selfsubjectattributesreviews").RuleOrDie(),


this means that distros that wish to restrict access to this API, must disable API when it goes GA. I think this is reasonable, but wanted to call it out explicitly for other reviewers.

staging/src/k8s.io/api/authentication/v1alpha1/types.go

staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go

enj

I have not reviewed this PR yet but the feature gate comment is wrong now.

pkg/features/kube_features.go

enj · 2022-08-23T00:25:15Z

/lgtm cancel

liggitt · 2022-08-31T16:55:18Z

master is open for 1.26, once this gets rebased it looks ready for merge

pkg/apis/authentication/types.go

pkg/registry/authentication/rest/storage_authentication.go

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>

nabokihms · 2022-09-14T17:23:19Z

/retest

deads2k · 2022-09-14T18:57:20Z

confirmed test still present in https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/111333/pull-kubernetes-e2e-gce-alpha-features/1570080230440177664/

/lgtm

sftim · 2022-09-20T08:29:57Z

- [KEP]: https://github.com/kubernetes/enhancements/issues/3325
- [Docs]: https://github.com/kubernetes/website/pull/35385
- [e2e]: https://github.com/kubernetes/test-infra/pull/26999

“Docs” should be a link to the documentation for the feature, not to the PR that first added it. @nabokihms would you be willing to revise?

nabokihms · 2022-09-22T20:09:24Z

@sftim yes, I will, but I think we should wait for the doc to be merged first.

liggitt · 2022-09-26T16:58:45Z

staging/src/k8s.io/kubectl/pkg/cmd/auth/whoami.go

+	sar := &authenticationv1alpha1.SelfSubjectReview{}
+	response, err := o.authClient.SelfSubjectReviews().Create(context.TODO(), sar, metav1.CreateOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {


if the feature is not enabled on the server, the permission to run this will not be included in the basic-user role, and users are likely to get a forbidden error... it might be worth detecting forbidden errors and saying something like "The selfsubjectreviews API is not enabled in the cluster or you do not have permission to call it..." to clarify the possible reasons

k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jul 22, 2022

k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 22, 2022

nabokihms mentioned this pull request Jul 22, 2022

Auth API to get self user attributes kubernetes/enhancements#3325

Closed

12 tasks

k8s-ci-robot added area/apiserver area/code-generation labels Jul 22, 2022

k8s-ci-robot requested review from aojea and deads2k July 22, 2022 00:12

k8s-ci-robot added area/kubectl area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jul 22, 2022