Merge pull request #38968 from liggitt/anonymous-abac

Automatic merge from submit-queue (batch tested with PRs 36751, 38968)

Convert * users/groups to system:authenticated group in ABAC

Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.

This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.

Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992

```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
Kubernetes Submit Queue
2016-12-20 23:31:43 -08:00
committed by GitHub
16 changed files with 591 additions and 73 deletions

@@ -75,6 +75,7 @@ pkg/api/v1
pkg/api/v1/service
pkg/apimachinery
pkg/apis/abac/v0
pkg/apis/abac/v1beta1
pkg/apis/apps/install
pkg/apis/authentication.k8s.io/install
pkg/apis/authentication/install
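
Review bot: the release note documents the new matching behaviour only for "user":"*" and "group":"*", yet this package list carries both pkg/apis/abac/v0 and pkg/apis/abac/v1beta1, so the note should state whether policies written in the v0 format are converted to system:authenticated in the same way; an operator with an older policy file cannot tell from the note whether anonymous requests still match it. The rendering has also dropped the +/- markers, so which of the seven lines is the addition is not visible; whichever it is should keep the list's existing sorted order beside the other pkg/apis/abac entry.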