github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/pkg
History
Kubernetes Submit Queue c3aac2b938 Merge pull request #38968 from liggitt/anonymous-abac 
Automatic merge from submit-queue (batch tested with PRs 36751, 38968)

Convert * users/groups to system:authenticated group in ABAC

Part of enabling anonymous auth by default in 1.6 means protecting earlier policies that did not intend to grant access to anonymous users.

This modifies ABAC policies that match `user` or `group` `*` to only match authenticated users.

Docs PR to update examples to use `system:authenticated` or `system:unauthenticated` groups explicitly: https://github.com/kubernetes/kubernetes.github.io/pull/1992

```release-note
ABAC policies using "user":"*" or "group":"*" to match all users or groups will only match authenticated requests. To match unauthenticated requests, ABAC policies must explicitly specify "group":"system:unauthenticated"
```
 		2016-12-20 23:31:43 -08:00
..
admission
api Merge pull request #35805 from dgoodwin/token-mgmt 2016-12-20 14:44:40 -08:00
apimachinery Remove GroupMeta.Codec 2016-12-15 14:20:26 -08:00
apis Convert user/group * to match authenticated users only in ABAC 2016-12-19 13:41:35 -05:00
apiserver fix metrics.Monitor method call passed with incorrect parameters in ServeHTTP 2016-12-20 09:46:29 +08:00
auth Convert user/group * to match authenticated users only in ABAC 2016-12-19 13:41:35 -05:00
capabilities
client Update OWNERS 2016-12-19 16:05:48 -08:00
cloudprovider Merge pull request #38426 from abrarshivani/fix_lsi_logic_sas_bug 2016-12-19 18:08:58 -08:00
controller Merge pull request #38855 from gnufied/fix-variable-shadow-exp-backoff 2016-12-20 20:33:56 -08:00
conversion
credentialprovider Merge pull request #38410 from justinsb/aws_region_ca_central 2016-12-20 09:54:01 -08:00
dns rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
fieldpath
fields
generated Generate ABAC conversions 2016-12-19 08:36:06 -05:00
genericapiserver Update bazel and linted files 2016-12-19 23:13:14 +01:00
healthz Merge pull request #34410 from yuexiao-wang/heathz-log 2016-12-14 15:09:53 -08:00
httplog
hyperkube
kubectl Merge pull request #35805 from dgoodwin/token-mgmt 2016-12-20 14:44:40 -08:00
kubelet Merge pull request #38180 from NickrenREN/vmgr-actual-state 2016-12-20 20:33:54 -08:00
kubemark run hack/update-codegen.sh 2016-12-14 12:39:49 -08:00
labels
master Update bazel and linted files 2016-12-19 23:13:14 +01:00
metrics rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
probe
proxy Refactor port allocation logic a little, deflake tests. 2016-12-18 21:18:34 -08:00
quota rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
registry Update OWNERS 2016-12-19 16:22:41 -08:00
routes
runtime Merge pull request #38525 from juanvallejo/jvallejo/fix-panic-on-invalid-json-syntax 2016-12-19 13:23:03 -08:00
security
securitycontext
selection
serviceaccount rename /release_1_5 to /clientset 2016-12-14 12:39:48 -08:00
ssh
storage Reduce timeout for waiting for resource version 2016-12-20 10:05:38 +01:00
types
util Merge pull request #38855 from gnufied/fix-variable-shadow-exp-backoff 2016-12-20 20:33:56 -08:00
version Rename build-tools/ back to build/ 2016-12-14 13:42:15 -08:00
volume Merge pull request #36888 from linki/patch-1 2016-12-20 20:33:52 -08:00
watch
OWNERS