Add '--allow-paths' CLI flag #83
Conversation
simonpasquier
force-pushed
the
allow-paths-regex
branch
from
7ba3ba8
to
31d6ef8
Compare
|
What's the concrete use case we have here? I'm just wondering if regex is really the right thing for this or if we should rather use a list of slightly less flexible template strings. I'm just worried that this will be used accidentally incorrectly and then causes potential security problems (which my understanding is is exactly what we're trying to avoid). |
|
The concrete use case is when you have several kube-rbac-proxies in front of the same backend with different permissions for each proxy.
I think it's also fine if we have to specify all paths that are managed by the proxy. |
simonpasquier
force-pushed
the
allow-paths-regex
branch
from
31d6ef8
to
5d5b804
Compare
|
I'm all for enabling the use case but I feel getting regexes right in order for a security feature to work doesn't seem like a good idea, I'd be more comfortable to have explicit paths each listed without regex support. That should still fulfill the requirement no? |
Completely. I'll update the PR accordingly :) |
kube-rbac-proxy checks that the incoming request matches with one of the paths specified by the flag. If not, it returns a 404 status code. If omitted (the default), kube-rbac-proxy doesn't check the incoming request path (same as previously). Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
force-pushed
the
allow-paths-regex
branch
2 times, most recently
from
36a6175
to
7bc0757
Compare
| @@ -190,6 +191,90 @@ func testTokenAudience(s *kubetest.Suite) kubetest.TestSuite { | |||
| } | |||
| } | |||
|
|
|||
| func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite { | |||
There was a problem hiding this comment.
@simonpasquier maybe as a small follow-up: s/testAllowPathsRegexp/testAllowPaths ?
s-urbaniak
changed the title
No description provided.