KEP: Referential Authorization

Question

KEP: Referential Authorization

robscott opened this issue 2 years ago · 21 comments

robscott commented 2 years ago

Enhancement Description

One-line enhancement description (can be used as a release note): Move ReferenceGrant to new sig-auth API Group
Kubernetes Enhancement Proposal: #3767
Discussion Link: https://groups.google.com/g/kubernetes-sig-auth/c/akUOI3gea0c
Primary contact (assignee): @robscott
Responsible SIGs: sig-auth, closely related to sig-network and sig-storage
Enhancement target (which target equals to which milestone):
- Alpha release target (x.y): 1.30
- Stable release target (x.y):
Beta
- KEP (k/enhancements) update PR(s):
- Code (k/k) update PR(s):
- Docs (k/website) update(s):
Stable
- KEP (k/enhancements) update PR(s):
- Code (k/k) update PR(s):
- Docs (k/website) update(s):

Answer 1 · 2023-01-20T23:36:30.000Z

/sig auth
/sig network
/sig storage

Answer 2 · 2023-01-23T03:01:24.000Z

/assign @youngnick

Answer 3 · 2023-01-24T21:55:09.000Z

Would folks be willing to retitle this KEP? Although the change we want to bring about is a move of API group, the desired state is that there is a ReferenceGrant API available for multiple consumers and with review by SIG Architecture.

I'd like to capture that desired outcome, which will become visible to end users (eg: in release notes, other release-related comms), in the KEP title.

Answer 4 · 2023-01-24T22:35:45.000Z

That seems reasonable to me, something like "Create in-tree ReferenceGrant resource for allowing cross-namespace references"? ("in-tree" is doing a lot of heavy lifting there.)

Answer 5 · 2023-01-24T22:39:21.000Z

That's also changing the intent. I originally thought this KEP was about updating the existing CRD to be one that SIG Auth would own.

Let's be clear on which we want, so that our end users are also not confused!

Answer 6 · 2023-02-01T12:51:29.000Z

Hello @robscott 👋, v1.27 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage alpha for 1.27 (please correct me, if otherwise)

Here's where this enhancement currently stands:

KEP readme using the latest template has been merged into the k/enhancements repo.
KEP status is marked as implementable for latest-milestone: 1.27
KEP readme has a updated detailed test plan section filled out
KEP readme has up to date graduation criteria
KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would need to update the following:

Update to the latest KEP template. Specifically, there is an additional question in the Scalability section of the PRR.
Update kep.yaml to reflect current stage information. This assumes that the description in the issue that states that the v1.27 is for beta is correct, and that the kep.yaml information that v1.27 is for alpha is not - if the opposite is true then no change would be needed in the file.
Fix formatting in the Graduation Criteria section.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

Answer 7 · 2023-02-07T03:00:01.000Z

@fsmunoz I don't believe this has had a PRR review.

Answer 8 · 2023-02-07T22:58:59.000Z

Yes, it is merged right now as provisional, so the PRR tooling doesn't kick in - Rob & I discussed this. Before it moves to implementable it needs PRR. @robscott this needs to move to implementable ASAP if you want to make the release!

Answer 9 · 2023-02-08T00:00:57.000Z

@johnbelamaric filed a PR earlier that would make that change, but still needs some more reviews + approvals: #3832

Answer 10 · 2023-02-08T16:30:28.000Z

@johnbelamaric thank you, I was going from the content of the KEP PRR section. Until it's marked as implementable though it's not going to be tracked.

Answer 11 · 2023-02-09T22:49:41.000Z

As much as I'd love to get this in to the 1.27 cycle, I think everyone that could review/approve is pretty underwater this cycle and we likely need some rounds of review + revision on this KEP still. In light of that, we should probably formally punt this to the 1.28 cycle.

Answer 12 · 2023-02-10T00:04:01.000Z

@robscott I'm marking this as Deferred, should this change in the next hours place comment and we'll try to review it. Thanks!

Answer 13 · 2023-03-13T16:21:18.000Z

/milestone clear

Answer 14 · 2024-01-03T18:10:10.000Z

Some quick updates on this KEP.

We've met at the previous 2 KubeCons with some sig-auth leads to discuss a path forward, resulting in this updated proposal
I've translated that proposal into a rough proof of concept here: https://github.com/robscott/referencegrant-poc

Answer 15 · 2024-01-31T21:57:50.000Z

Hello @robscott @deads2k @youngnick 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on [02:00 UTC Friday 9th February 2024 / 18:00 PDT Thursday 8th February 2024](https://everytimezone.com/s/1ade3dca):.

This enhancement is targeting for stage alpha for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

KEP readme using the [latest template](https://github.com/kubernetes/enhancements/tree/master/keps/NNNN-kep-template) has been merged into the k/enhancements repo.
KEP status is marked as implementable for latest-milestone: 1.30. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
KEP readme has up-to-date graduation criteria
KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check [here](https://github.com/kubernetes/community/blob/master/sig-architecture/production-readiness.md#submitting-a-kep-for-production-readiness-approval)).

For this KEP, we would just need to update the following:

The latest-milestone and stage should be updated to 1.30 in the kep.yaml file.
The production readiness review should be completed and updated with the information for the targeting stage alpha.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

Answer 16 · 2024-02-05T14:56:46.000Z

Per the slack thread conversation, I am moving this KEP out of the v1.30 release.

Answer 17 · 2024-02-09T02:55:26.000Z

/milestone clear

Answer 18 · 2024-05-09T03:11:37.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 19 · 2024-06-08T03:50:33.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle rotten
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

Answer 20 · 2024-07-08T04:03:44.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Reopen this issue with /reopen
Mark this issue as fresh with /remove-lifecycle rotten
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Answer 21 · 2024-07-08T04:03:49.000Z

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied

After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied

After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Reopen this issue with /reopen

Mark this issue as fresh with /remove-lifecycle rotten

Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.