don't ignore UID impersonation in webhook clients #116681

Merged (1 commit) on Apr 12, 2023

stlaz (Member) commented Mar 16, 2023

What type of PR is this?

/kind bug
/sig auth

What this PR does / why we need it:

This fixes webhook client config handling not to ignore UID for impersonation

Which issue(s) this PR fixes:

Fixes None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Fixed an issue where the API server did not send impersonated UID to authentication webhooks.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


k8s-ci-robot added the release-note, kind/bug, size/S, sig/auth and cncf-cla: yes labels on Mar 16, 2023.
k8s-ci-robot added the area/apiserver, sig/api-machinery, needs-triage and needs-priority labels on Mar 16, 2023.

sftim (Contributor) commented Mar 16, 2023

Looking at the changelog text, it's not that webhooks were ignoring impersonated UID data, it's that the API server failed to pass it to the webhook.

stlaz (Member, Author) commented Mar 20, 2023

I modified the changelog, is it clearer now?

sftim (Contributor) commented Mar 20, 2023

This might be better:

-Fixed an issue where webhooks would not honor the UID impersonation configuration.
+Fixed an issue where authentication webhooks would not honor the UID impersonation configuration.

However, it still sounds like the thing that was at fault was the far end. That's misleading. Try this:

Fixed an issue where the API server did not send impersonated UID to authentication webhooks.

cici37 (Contributor) commented Mar 21, 2023

/assign @deads2k
Thank you!
/triage accepted

k8s-ci-robot added the triage/accepted label and removed the needs-triage label on Mar 21, 2023.

deads2k (Contributor) commented Mar 21, 2023

/lgtm
/approve

it's a bug, but I don't see it as urgent. @stlaz if you want to pick it, how about 1.27.z?

k8s-ci-robot added the lgtm label on Mar 21, 2023.

k8s-ci-robot (Contributor) commented

LGTM label has been added.

Git tree hash: 018593169f28d901a3a0c6312d089ccb097d662e

k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, stlaz

k8s-ci-robot added the approved label on Mar 21, 2023.

stlaz (Member, Author) commented Mar 22, 2023

1.27.z seems ok. What does it mean in terms of this PR and it getting merged? Should we have a cherry pick to 1.27 and merge in 1.28?

liggitt (Member) commented Mar 22, 2023

> 1.27.z seems ok. What does it mean in terms of this PR and it getting merged? Should we have a cherry pick to 1.27 and merge in 1.28?

this PR will merge to master when it opens for 1.28, then we'll pick to release-1.27 for 1.27.x

k8s-ci-robot merged commit 27f5601 into kubernetes:master on Apr 12, 2023.
k8s-ci-robot added this to the v1.28 milestone on Apr 12, 2023.
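
The release note in this thread says the API server did not send the impersonated UID to authentication webhooks. The sketch below is an added example, not code from this PR or from Kubernetes: it shows a regression-style check of what a webhook actually receives, using the Kubernetes impersonation header names `Impersonate-User` and `Impersonate-Uid`. The types `Impersonation`, `impersonatingRT` and `webhookStub`, the function `HeadersSeenByWebhook`, the URL and the identity values are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Impersonation is a hypothetical stand-in for a webhook client config's identity (not the client-go type).
type Impersonation struct{ UserName, UID string }

// impersonatingRT sets the Kubernetes impersonation headers on each request.
type impersonatingRT struct {
	imp  Impersonation
	next http.RoundTripper
}

func (rt impersonatingRT) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Impersonate-User", rt.imp.UserName)
	if rt.imp.UID != "" { // a UID lost while building the config never reaches the wire
		req.Header.Set("Impersonate-Uid", rt.imp.UID)
	}
	return rt.next.RoundTrip(req)
}

// webhookStub stands in for the remote webhook and records the headers it is handed (no socket).
type webhookStub struct{ seen http.Header }

func (s *webhookStub) RoundTrip(req *http.Request) (*http.Response, error) {
	s.seen = req.Header.Clone()
	return httptest.NewRecorder().Result(), nil
}

// HeadersSeenByWebhook sends one request through the wrapper and returns what the stub received.
func HeadersSeenByWebhook(imp Impersonation) (http.Header, error) {
	stub := &webhookStub{}
	client := &http.Client{Transport: impersonatingRT{imp, stub}}
	// Constructed URL; the stub transport answers, so nothing is resolved or dialed.
	resp, err := client.Post("https://webhook.invalid/authenticate", "application/json", nil)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return stub.seen, nil
}

func main() {
	h, err := HeadersSeenByWebhook(Impersonation{UserName: "constructed-user", UID: "constructed-uid-1234"})
	fmt.Println(h.Get("Impersonate-Uid"), err)
}
```

A webhook that makes decisions on the caller's UID can run the same kind of assertion against its own request log to confirm the header arrives after upgrading.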