Update TokenVerifier to verify AuthZ too #8063
Codecov Report. Attention: Patch coverage is

Coverage Diff (main vs. #8063):

               main     #8063     +/-
Coverage     67.92%    67.76%  -0.16%
Files           366       366
Lines         17154     17192     +38
Hits          11651     11651
Misses         4781      4819     +38
Partials        722       722
@pierDipi could you check on this?
- apiGroups: | ||
- eventing.knative.dev | ||
resources: | ||
- eventpolicies | ||
verbs: | ||
- get | ||
- list | ||
- watch |
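Review bot: the reason this rule is needed is invisible at the rule itself, since nothing in the webhook reads EventPolicies directly; the need comes transitively from the auth package, whose OIDCTokenVerifier calls eventpolicylister.Get() and so registers the informer in its init(). Please record that in a short comment above `- eventpolicies`, otherwise the next least-privilege cleanup of this ClusterRole will drop the rule and the webhook will fail at startup when the informer cannot list/watch. Limiting the verbs to `get`, `list`, `watch` with no `create`/`update` is the right scope for an informer.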
This can be a bit confusing. The webhook is not directly using the EventPolicyLister, but the SinkBinding uses the OIDCTokenProvider from the auth package. In this package we also have the OIDCTokenVerifier, which uses the EventPolicyLister (via eventpolicylister.Get()) and thus registers the informer in its init() method.
/test reconciler-tests
- apiGroups: | ||
- eventing.knative.dev | ||
resources: | ||
- eventtypes |
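Review bot: the hunk is cut off before the verbs, so it is not visible here whether `eventtypes` keeps its `create` verb once it shares a rule with `eventpolicies`. If the two resources are merged into one `get`/`list`/`watch` rule, `create` must stay in a separate rule that lists only `eventtypes`, so that the merge does not silently grant `create` on `eventpolicies` as well; a one-line comment on the split would save the next reviewer the same question.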
Is this related?
Before my PR, it was

```yaml
- apiGroups:
    - eventing.knative.dev
  resources:
    - eventtypes
  verbs:
    - create
    - get
    - list
    - watch
```

Since we need the same (except for `create`) for the eventpolicies, and they are in the same API group as eventtypes, I merged them and created one dedicated rule for eventtypes `create`:

```yaml
- apiGroups:
    - eventing.knative.dev
  resources:
    - eventtypes
    - eventpolicies
  verbs:
    - get
    - list
    - watch
- apiGroups:
    - eventing.knative.dev
  resources:
    - eventtypes
  verbs:
    - create
```
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: creydr, pierDipi.
Updates the TokenVerifier to verify AuthZ too:

- `VerifyRequest()`, which bundles AuthN and AuthZ checks
- `VerifyJWTFromRequest()`, which only checks AuthN (the switch to `VerifyRequest()` will be done in "mt-broker ingress: Reject unauthorized requests #7980" and "InMemoryChannel ingress: Reject unauthorized requests #7981")
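As an added example, not code from this PR or from the Knative project, here is a constructed Go sketch of what bundling AuthN and AuthZ into a single `VerifyRequest()` looks like, and why an ingress that only calls the AuthN half still accepts any authenticated caller. Everything in it is an assumption made for the example: HS256 with a shared key stands in for the OIDC signature check so it runs offline, the `policy` type stands in for an EventPolicy's list of allowed sender subjects, the trailing-`*` prefix wildcard and the `denyByDefault` fallback for "no policy applies" are illustration choices, and `mintToken` plays the issuer so the block is self-contained.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Constructed demo key: HS256 stands in for the OIDC (RS256 against JWKS) check so this runs offline.
var demoKey = []byte("constructed-demo-key-not-for-production")

type claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// policy stands in for an EventPolicy's allowed senders; a trailing "*" is a prefix wildcard (assumption).
type policy struct{ From []string }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken signs a JWT with demoKey; it plays the issuer so the example is self-contained.
func mintToken(c claims) string {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, demoKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyJWT is the AuthN half: signature, audience, expiry. The header "alg" is ignored on purpose (fixed key type, no algorithm confusion).
func verifyJWT(token, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, demoKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("wrong audience or expired")
	}
	return &c, nil
}

// subjectAllowed is the AuthZ half: does any policy list this subject?
func subjectAllowed(sub string, policies []policy) bool {
	for _, p := range policies {
		for _, allowed := range p.From {
			if allowed == sub || (strings.HasSuffix(allowed, "*") && strings.HasPrefix(sub, strings.TrimSuffix(allowed, "*"))) {
				return true
			}
		}
	}
	return false
}

// VerifyRequest bundles both halves: 401 when the caller cannot be authenticated, 403 when it is
// authenticated but no policy permits it. With no policies at all the fallback is denyByDefault (assumption).
func VerifyRequest(r *http.Request, wantAud string, policies []policy, denyByDefault bool, now time.Time) int {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return http.StatusUnauthorized
	}
	c, err := verifyJWT(strings.TrimPrefix(auth, "Bearer "), wantAud, now)
	if err != nil {
		return http.StatusUnauthorized
	}
	if len(policies) == 0 && !denyByDefault {
		return http.StatusOK
	}
	if !subjectAllowed(c.Sub, policies) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	tok := mintToken(claims{Sub: "system:serviceaccount:team-b:sender", Aud: "broker", Exp: time.Now().Add(time.Minute).Unix()})
	r := &http.Request{Header: http.Header{"Authorization": {"Bearer " + tok}}}
	fmt.Println(VerifyRequest(r, "broker", []policy{{From: []string{"system:serviceaccount:team-a:*"}}}, true, time.Now())) // 403
}
```

The point the split makes visible: a caller with a valid token from the wrong namespace passes `verifyJWT` and is only stopped by `subjectAllowed`, which is exactly what an ingress still calling only the AuthN path lets through; the 401/403 distinction also matters, since returning 401 for a known-but-unauthorized subject leaks nothing but makes client-side debugging and detection rules harder.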