Constrained Impersonation #5284


Open
4 tasks
qiujian16 opened this issue May 7, 2025 · 3 comments
Labels
lead-opted-in: Denotes that an issue has been opted in to a release
sig/auth: Categorizes an issue or PR as relevant to SIG Auth.

qiujian16 commented May 7, 2025

Enhancement Description

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

@k8s-ci-robot added the needs-sig label (Indicates an issue or PR lacks a `sig/foo` label and requires one.) on May 7, 2025
@qiujian16

/sig auth

@k8s-ci-robot added the sig/auth label (Categorizes an issue or PR as relevant to SIG Auth.) and removed the needs-sig label (Indicates an issue or PR lacks a `sig/foo` label and requires one.) on May 7, 2025
@enj added this to SIG Auth on May 7, 2025
@enj moved this to Needs Triage in SIG Auth on May 7, 2025
@aramase moved this from Needs Triage to In Review in SIG Auth on May 12, 2025

lmktfy commented May 13, 2025

I think the title of this KEP should be Constrained Impersonation.

You can already restrict impersonation (e.g., deny the verb in your custom authz code), but you can't allow a principal to use only some of the permissions of the principal they impersonate.

The word constrain implies a bounding form restriction (e.g., you can impersonate this principal but only to perform actions in namespace kube-heptagon). That's different from conditions (e.g., you can impersonate this principal, but only if the moon is waning at the time you submit the request).

@qiujian16 changed the title from "Restrict impersonate action" to "Constrained Impersonation" on May 16, 2025
@qiujian16

> I think the title of this KEP should be Constrained Impersonation.
>
> You can already restrict impersonation (e.g., deny the verb in your custom authz code), but you can't allow a principal to use only some of the permissions of the principal they impersonate.
>
> The word constrain implies a bounding form restriction (e.g., you can impersonate this principal but only to perform actions in namespace kube-heptagon). That's different from conditions (e.g., you can impersonate this principal, but only if the moon is waning at the time you submit the request).

That makes sense, thanks. The title is updated to Constrained Impersonation.

@enj added the lead-opted-in label (Denotes that an issue has been opted in to a release) on May 29, 2025
@enj added this to the v1.34 milestone on May 29, 2025