KEP-5917: Add KEP for Authenticator Provided Authorization Constraints#5918
KEP-5917: Add KEP for Authenticator Provided Authorization Constraints#5918everettraven wants to merge 1 commit intokubernetes:masterfrom
Conversation
everettraven
commented
Feb 12, 2026
everettraven
commented
- One-line PR description: Adds KEP for adding support for authenticator provided authorization constraints
- Issue link: Authenticator Provided Authorization Constraints #5917
Signed-off-by: Bryce Palmer <bpalmer@redhat.com>
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
needs-ok-to-test
|
Hi @everettraven. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: everettraven The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
sig/auth
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@everettraven: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
|
||
| ## Proposal | ||
|
|
||
| - Add a new `user.Info` field, `constraints` that contains a list of constraints, provided by the authenticator to be enforced during authorization. |
There was a problem hiding this comment.
I think we should build on top of KEP 5681 as much as possible:
- Same condition representation
- Same evaluation model: an authorizer can return conditions, which are then evaluating during the validating admission stage?
Basically, copy the design of KEP 5681, but sub in authenticators instead of authorizers.
If we wanted to think through a concrete case for supporting DPoP from the JWT or service account token authenticators:
- The authenticator sees that the input JWT carries a cnf.jkt claim.
- The authenticator gets the DPoP JWT from the DPoP header.
- The authenticator validates the DPoP JWT against the cnf.jkt claim. If the DPoP JWT does not come from the correct key, the request is rejected.
- The authenticator checks any statically-checkable properties of the DPoP JWT, like expiration time. If they fail, the request is rejected.
- The authenticator returns an authentication response, with CEL conditions on the HTTP method and request path.
- The CEL conditions are evaluated by the conditional authorization machinery during validating admission control. We will need to make sure that the HTTP method and request path are available in the CEL evaluation context.
There was a problem hiding this comment.
Same condition representation
I'm not strongly opinionated on the condition representation format, so if folks strongly prefer CEL expressions as that representation, I'm OK with that. It feels a bit heavy to need to compile CEL expressions and then run them on the fly per request though, so that is why I went with a more RBAC rule-style format for the simple path of something like "This token can only be used to get Pods in Namespace foo".
Same evaluation model: an authorizer can return conditions, which are then evaluating during the validating admission stage?
I think I see two paths here:
- If we are able to concretely enforce the conditions during the authorization stage we should short-circuit the rest of the request flow
- If we are not able to concretely enforce the conditions during the authorization stage, we can defer evaluation of those conditions to the conditional authorization logic of KEP 5681
There was a problem hiding this comment.
so if folks strongly prefer CEL expressions as that representation
Specifically, I think we should build on exactly the same machinery that's already been / being built for KEP 5681. So that has a CEL (potentially in pre-parsed binary format) for evaluation within kube-apiserver, plus opaque formats that are only understood by the specific authenticator that issued them.
Let's see what others think as well, but I would be wary of introducing a third representation for conditions.
If we are able to concretely enforce the conditions during the authorization stage we should short-circuit the rest of the request flow
I think the gain from this is likely to be small.
There's value in rejecting during authentication (to prevent someone from DoS-ing kube-apiserver with a completely invalid credential), and there's value in rejecting during validating admission control (that's when we have the maximum amount of information about the request available as input to conditions).
Rejecting during authorization saves some compute, but only if someone is spamming you with a valid but downscoped credential that is invalid for the verb/resource they are trying to act upon.
There was a problem hiding this comment.
What about non-resource URLs and resource requests that do not go through admission (like a get/list)?
| ## Proposal | ||
|
|
||
| - Add a new `user.Info` field, `constraints` that contains a list of constraints, provided by the authenticator to be enforced during authorization. | ||
| - Add a new built-in authorizer, added first in the authorizer chain, that evaluates authenticator constraints. |
There was a problem hiding this comment.
I think we should do this during validating admission control -- there is no reason a credential like a biscuit, macaron, or future JWT equivalent could not encode restrictions on the request body as well.
"This derived token is only allowed to create Pods that are labeled with foo=bar" or similar.
There was a problem hiding this comment.
"This derived token is only allowed to create Pods that are labeled with foo=bar" or similar.
I agree that this specific statement would be best handled by a conditional authorization check that happens at admission time, but what about "This derived token is only allowed to get Pods in Namespace 'foo'"?
Why should that operation be deferred all the way to validating admission control if we have the information available to use earlier in the request lifecycle to deny it?
3 participants
