Fine grained Kubelet API authorization

[pacoxu]

Enhancement Description

• One-line enhancement description (can be used as a release note): The node API authorization is too coarse. We need finer grained authorization of different request types, and maybe resources acted on.
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2862-fine-grained-kubelet-authz/README.md
• Discussion Link: Fine grained Kubelet API authorization kubernetes#83465
• Primary contact (assignee): @vinayakankugoyal @tallclair
• Responsible SIGs: auth node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.32
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): 1.35
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-2862: Fine-grained Kubelet API Authorization #4760
  • Code (k/k) update PR(s):
    • KEP-2862: Fine-grained Kubelet API Authorization kubernetes#126347
  • Docs (k/website) update PR(s): KEP-2862: Fine-grained Authz for Kubelet API. website#48412
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-2862: Graduate to BETA. #5016
  • Code (k/k) update PR(s):
    • KEP-2862: Graduate KubeletFineGrainedAuthz to BETA. kubernetes#129656
  • Docs (k/website) update PR(s):
    • KEP-2862: KubeletFineGrainedAuthz Graduate to BETA website#49578

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[pacoxu]

/sig auth
/sig node
/kind feature
/area kubelet-api
/priority important-longterm

See also:

• Deprecate Kubelet Read-only port kubernetes#12968
• Implement a kubelet pod api kubernetes#28138
• Clean up Kubelet RESTful APIs kubernetes#2098

[k8s-ci-robot]

@pacoxu: The label(s) area/kubelet-api cannot be applied, because the repository doesn't have them.

In response to this:

/sig auth
/sig node
/kind feature
/area kubelet-api
/priority important-longterm

See also:

• Deprecate Kubelet Read-only port kubernetes#12968
• Implement a kubelet pod api kubernetes#28138
• Clean up Kubelet RESTful APIs kubernetes#2098

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pacoxu]

/assign
I will start to work on the KEP.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale