kube-apiserver: Add oidc-required-claim flag #6453
Conversation
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @jeyglk. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
|
/assign @geojaz |
pkg/apis/kops/componentconfig.go
Outdated
| // A key=value pair that describes a required claim in the ID Token. | ||
| // If set, the claim is verified to be present in the ID Token with a matching value. | ||
| // Repeat this flag to specify multiple claims. | ||
| OIDCRequiredClaim map[string]string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim"` |
There was a problem hiding this comment.
Has this been tested with multiple claims?
The documentation
--oidc-required-claim mapStringString
| A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims.i.e. the Repeat this flag to specify multiple claims ... but the default of the flagbuilder reflection which converts the struct to command line args is to append map[string]string like --node-labels=k1=v1,k2=v2 etc
If it's not supported perhaps use a slice and add the repeat tag to the annotation
There was a problem hiding this comment.
Yes, the flag doesn't support multiple claims. Thanks for the suggestion, that makes sense. Will try 👍
jmthvt
force-pushed
the
feature/add-oidc-required-claim-flag
branch
from
b271b74 to
893742f
Compare
|
@gambol99 comment addressed, PTAL |
|
/ok-to-test @geojaz are we still generating the api docs? |
k8s-ci-robot
added
ok-to-test
|
/test pull-kops-e2e-kubernetes-aws |
1 similar comment
|
/test pull-kops-e2e-kubernetes-aws |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gambol99, jeyglk The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This PR adds the oidc-required-claim flag for kube-apiserver, that has been released in Kubernetes 1.11.
This would work if we specify one key-value claim, however it would fail for more than one pair.This is due to the implementation of this flag. More info in this PR
https://github.com/kubernetes/kubernetes/pull/62136/filesI am not sure what would be the best approach? Any input is welcome.EDIT: Should be all good now!