Thanks to visit codestin.com
Credit goes to github.com

Skip to content

apiserver: switch authorization to use protobuf client #74956

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

apiserver: switch authorization to use protobuf client #74956

wants to merge 1 commit into from

Conversation

mfojtik
Copy link
Contributor

@mfojtik mfojtik commented Mar 5, 2019

What type of PR is this?

/kind bug

What this PR does / why we need it:

Set the DelegatingAuthorizationOptions client to prefer application/vnd.kubernetes.protobuf when talking to API server.

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 5, 2019
@mfojtik
Copy link
Contributor Author

mfojtik commented Mar 5, 2019

/assign @sttts

@k8s-ci-robot k8s-ci-robot added area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 5, 2019
@k8s-ci-robot k8s-ci-robot requested review from deads2k and liggitt March 5, 2019 12:58
@mfojtik
Copy link
Contributor Author

mfojtik commented Mar 5, 2019

/sig api-machinery

liggitt
liggitt reviewed Mar 5, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/options/authorization.go Outdated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems like a weird place to have to override this. Does this mean the webhook this points at must speak proto?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mechanism is explicitly about speaking to the "core" API server, i.e. kube-apiserver. Why should we not assume it speaks proto?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt additional question... why we use protoConfig.AcceptContentTypes and negotiate to fallback to JSON, when we then force the proto anyway (general question, not just this case, but in other places in code).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt why is this place weird? We load the kubeconfig some lines above. Where do you think we should decide about the wire format if not here? As @mfojtik writes, this returns a kube client. We should be able to assume that proto is the right format.

Copy link
Member

@liggitt liggitt Mar 16, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, I'm sorry... I thought this was the generic webhook setup. Does the same thing need to apply to the delegating token authenticator?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would scoping this to the rest.InClusterConfig() block be safer? there we're much more confident we're talking to the kube apiserver and not some arbitrary endpoint that speaks subjectaccessreviews

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

last two questions are still relevant

@mars1024 mars1024 mentioned this pull request Mar 6, 2019
Closed
@liggitt
Copy link
Member

liggitt commented Mar 6, 2019

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 6, 2019
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 4, 2019
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 4, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mfojtik
Copy link
Contributor Author

mfojtik commented Dec 5, 2019

/reopen

@k8s-ci-robot
Copy link
Contributor

@mfojtik: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Dec 5, 2019
@mfojtik
Copy link
Contributor Author

mfojtik commented Dec 5, 2019

/remove-lifecycle rotten

@openshift-ci-robot openshift-ci-robot mentioned this pull request Jan 5, 2024
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Feb 9, 2024
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Mar 12, 2024
Closed
This was referenced Mar 27, 2024
Closed
Closed
This was referenced Apr 9, 2024
Closed
Closed
This was referenced Apr 19, 2024
Merged
Closed
This was referenced Jun 28, 2024
Closed
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Jul 15, 2024
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Aug 15, 2024
Closed
This was referenced Sep 18, 2024
Closed
Merged
This was referenced Nov 27, 2024
Merged
Draft
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request Dec 6, 2024
Open
This was referenced Apr 3, 2025
Closed
Closed
Closed
Closed
This was referenced Apr 15, 2025
Draft
Closed
@openshift-ci-robot openshift-ci-robot mentioned this pull request May 2, 2025
Closed
This was referenced May 26, 2025
Closed
Merged
This was referenced Jul 26, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts left review comments

@liggitt liggitt liggitt left review comments

@deads2k deads2k Awaiting requested review from deads2k

Assignees

@sttts sttts

@liggitt liggitt

Labels
area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Archived in project
[sig-release] Bug Triage
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.