-
Notifications
You must be signed in to change notification settings - Fork 39.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow restricting subresource access #29988
Conversation
GCE e2e build/test passed for commit 1e7adaa. |
LGTM |
remind me about the cherry-pick process. Do I tag it here or in the new pull? |
set milestone and tag here |
I think if you want to pick to 1.3, needs 1.3 milestone, which is weird |
needs release note |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
GCE e2e build/test passed for commit 1e7adaa. |
Automatic merge from submit-queue |
Cherrypick approved. Thanks. |
Automatic merge from submit-queue allow restricting subresource access Backport of #29988 to properly secure access to subresources. @kubernetes/sig-auth <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.kubernetes.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.kubernetes.io/reviews/kubernetes/kubernetes/30001) <!-- Reviewable:end -->
Commit found in the "release-1.3" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked. |
Automatic merge from submit-queue allow restricting subresource access Backport of kubernetes#29988 to properly secure access to subresources. @kubernetes/sig-auth <!-- Reviewable:start --> --- This change is [<img src="https://reviewable.kubernetes.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.kubernetes.io/reviews/kubernetes/kubernetes/30001) <!-- Reviewable:end -->
Looks like subresource resolution got lost in the port. Adding it back in as
"resource/subresource"
. That allows easy expression of rules and we can later allow something like"*/subresource"
to handle cases like the hpa controller.@kubernetes/sig-auth
This change is