Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to configure several resource request authorizations #154

Open
simonpasquier opened this issue Dec 2, 2021 · 2 comments
Open

Ability to configure several resource request authorizations #154

simonpasquier opened this issue Dec 2, 2021 · 2 comments

Comments

@simonpasquier
Copy link
Contributor

Right now kube-rbac-proxy can be configured with only one resource request authorization (as described in https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes). It would be useful to specify more than one resource request.

We have a practical use case with the OpenShift cluster-monitoring operator: it deploys Alertmanager with an OAuth proxy sidecar that authorizes only users who are allowed to "get namespaces" and "patch a specific resource in a given namespace" permissions (see https://github.com/openshift/cluster-monitoring-operator/blob/d097e7095cf0c4a193935c2f58d4973a18a2c7db/assets/alertmanager/alertmanager.yaml#L34-L36 for details). The reason is that users who can only "get namespaces" have access to our Prometheus/Thanos APIs but not the Alertmanager API because the latest allows to modify data (silences).
Eventually we'd like to replace OAuth proxy by kube-rbac-proxy (to minimize our cognitive overhead) so being able to combine several resource requests would be great.

cc @s-urbaniak
@s-urbaniak
Copy link
Collaborator

cc @ibihim

@s-urbaniak
Copy link
Collaborator

I am positive on this change 👍 one way to introduce this change without breaking existing behavior is to add --config-files (plural) in addition to the existing --config-file setting.

squat added a commit to squat/kube-rbac-proxy that referenced this issue Apr 1, 2022
@squat
config: allow multiple configurations
a2d4f0e 
This commit fixes issue brancz#154 by enabling the user to repeat the
`--config-file` flag multiple times to specify multiple configurations.
Doing so, allows the user to declare that the krp should, e.g., enforce
multiple resource attributes.

Signed-off-by: Lucas Servén Marín <[email protected]>
@squat squat mentioned this issue Apr 1, 2022
Closed
squat added a commit to squat/kube-rbac-proxy that referenced this issue Apr 1, 2022
@squat
config: allow multiple configurations
e6e5cc9 
This commit fixes issue brancz#154 by enabling the user to repeat the
`--config-file` flag multiple times to specify multiple configurations.
Doing so, allows the user to declare that the krp should, e.g., enforce
multiple resource attributes.

Signed-off-by: Lucas Servén Marín <[email protected]>
@squat squat mentioned this issue Apr 7, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

config: allow multiple configurations squat/kube-rbac-proxy
2 participants
@s-urbaniak @simonpasquier