Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(41) Is a massive mutation of the authorizer.Attributes intended? Why? link. #356

Open
Tracked by #238
ibihim opened this issue Jan 27, 2025 · 0 comments
Open
Tracked by #238

(41) Is a massive mutation of the authorizer.Attributes intended? Why? link. #356

ibihim opened this issue Jan 27, 2025 · 0 comments

Comments

@ibihim
Copy link
Collaborator

ibihim commented Jan 27, 2025
edited
Loading

What

Why do we, by default, only care about those Resource Attributes:

  • User
  • Verb
  • Path

And ignore:

  • Namespace
  • APIGroup
  • APIVersion
  • Resource
  • SubResource
  • Name

Why

Most probably, we assume that there must be a specific authorization to the path we are protecting with kube-rbac-proxy. Speak, is the: User allowed to Verb at Path.

But worth to investigate the behavior of the SAR request created in such a situation, if not trimmed and compare the results.

Notes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ibihim