Support for OIDC 'username-prefix' and 'groups-prefix' flags #4085
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
|
FYI: CLA signed. |
k8s-ci-robot
added
cncf-cla: yes
|
@xoen yes they are autogenerated, we need them generated. will review when I have a couple of minutes. |
k8s-ci-robot
removed
the
needs-ok-to-test
pkg/apis/kops/componentconfig.go
Outdated
| @@ -228,9 +228,15 @@ type KubeAPIServerConfig struct { | |||
| // The OpenID claim to use as the user name. | |||
| // Note that claims other than the default ('sub') is not guaranteed to be unique and immutable. | |||
| OIDCUsernameClaim *string `json:"oidcUsernameClaim,omitempty" flag:"oidc-username-claim"` | |||
| // Prefix prepended to username claims to prevent clashes with existing | |||
| // names (such as 'system:' users). | |||
| OIDCUsernamePrefix *string `json:"oidcUsernamePrefix,omitempty" flag:"oidc-username-prefix"` | |||
There was a problem hiding this comment.
Great docs. You mind updating them to follow the go style guide? https://blog.golang.org/godoc-documenting-go-code
Sentence starts with the struct member name.
There was a problem hiding this comment.
We are trying to clean these up as you can see many are not correct.
k8s-ci-robot
added
size/M
|
Hi @chrislovecnm - I ran Let me know if this is good. |
|
Looks awesome, if you can squash you git comitts into one commit, we can merge. Thanks again! |
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server This is very similar to this other PR: https://github.com/kubernetes/kops/pull/1438/files I also updated the format of the documentation for the OIDC API Server fields to follow the Go Style guide: https://blog.golang.org/godoc-documenting-go-code Fixes: kubernetes#4007
xoen
force-pushed
the
ag-oidc-prefixes-config
branch
from
781c4bf to
9e30999
Compare
|
@chrislovecnm my pleasure, it's just a tiny one :) - I squashed the changes in one single commit now (sorry, wasn't sure about that). |
|
@chrislovecnm I added these two fields by copying the other PR but this is not tested. |
|
/lgtm Thanks @xoen :-) And yes, this is correct: these fields won't be set by default, so can't cause any damage unless someone actively sets the fields. And the mapping to flags looks correct. It is possible to do a test but frankly it's probably overkill vs just manually verifying that the flag values are the right values :-) |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. |
What
Added support for
--oidc-username-prefixand--oidc-groups-prefix.By passing these it's possible to override the default prefixes used to map the OIDC user with the username in kubernetes.
See
See: https://kubernetes.io/docs/admin/authentication/#configuring-the-api-server
IMPORTANT
I'm far from a kubernetes/KOPS, this is not tested so someone needs to have a look and see if something is missing or if this can cause troubles! (don't want to accidentally cause the destruction of the universe 💥 )
It's basically the same done in this other PR: https://github.com/kubernetes/kops/pull/1438/files
I did not change the
zz_generated.conversion.gofiles as according to comment at the top of them they're autogenerated:// This file was autogenerated by conversion-gen. Do not edit it manually!(I wonder if they should be
.gitignored)Fixes
This should fix #4007: field oidcUsernamePrefix is not recognized in cluster configuration file