KEP-4601: promote AuthorizeWithSelectors / AuthorizeNodeWithSelectors to stable #51461
+15
−9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
sig/auth
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
|
k8s-ci-robot
added
language/en
liggitt
changed the title
k8s-ci-robot
added
the
size/XS
12 tasks
lmktfy
reviewed
Jul 1, 2025
...t/en/docs/reference/command-line-tools-reference/feature-gates/AuthorizeNodeWithSelectors.md
Outdated
Show resolved
Hide resolved
k8s-ci-robot
added
size/S
lmktfy
reviewed
Jul 1, 2025
lmktfy
reviewed
Jul 1, 2025
lmktfy
reviewed
Jul 1, 2025
|
|
||
| With the `AuthorizeWithSelectors` feature enabled, field and label selectors in the request | ||
| are passed to the authorization webhook. The webhook can make authorization decisions | ||
| The `AuthorizeWithSelectors` feature causes field and label selectors in the request |
There was a problem hiding this comment.
Suggested change
| The `AuthorizeWithSelectors` feature causes field and label selectors in the request | |
| When calling out to an authorization webhook, Kubernetes passes information about selectors in the request to the authorization webhook (both label selectors and field selectors). The authorization webhook can make authorization decisions |
The shortcode serves as a hint to readers that if they are running an older version, the text they read might not be accurate.
lmktfy
reviewed
Jul 1, 2025
| {{< feature-state feature_gate_name="AuthorizeWithSelectors" >}} | ||
|
|
||
| With the alpha `AuthorizeWithSelectors` feature enabled, field and label selectors can be added to authorization checks. | ||
| The `AuthorizeWithSelectors` feature allows adding field and label selectors to authorization checks. |
There was a problem hiding this comment.
Suggested change
| The `AuthorizeWithSelectors` feature allows adding field and label selectors to authorization checks. | |
| For CEL expressions that have an authorization context available, Kubernetes includes information about the selectors used in the request (these can be label or field selectors). |
The shortcode serves as a hint to readers that if they are running an older version, the text they read might not be accurate.
lmktfy
reviewed
Jul 1, 2025
| * pods | ||
| * secrets, configmaps, persistent volume claims and persistent volumes related | ||
| to pods bound to the kubelet's node | ||
|
|
There was a problem hiding this comment.
Suggested change
| ## Restrictions based on associated Node | |
There was a problem hiding this comment.
(nit)
Can we move
In future releases, the node authorizer may add or remove permissions to ensure
kubelets have the minimal set of permissions required to operate correctly.earlier in this page?
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 073fb900bce643694bb0166b2222a4fa23bc39e2
|
k8s-ci-robot
added
the
approved
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lmktfy, reylejano The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel implementation is merged |
k8s-ci-robot
removed
the
do-not-merge/hold
|
the netlify build wasn't successful, due to secret scanning ... |
k8s-ci-robot
removed
the
lgtm
|
rebased to retrigger netlify |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
that seemed to work, needs re-lgtming |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: df77c39e9b2677f249cada1011644f627a1109ff
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Promote KEP-4601 to stable
Issue
kubernetes/enhancements#4601
/sig auth
/cc @deads2k