KEP-3221: Promote StructuredAuthorizationConfiguration to GA

2024-10-18 15:31:26 -04:00 · 2024-10-18 15:31:26 -04:00 · 32aad9dd3f
parent 35e7e1d00c
commit 32aad9dd3f
5 changed files with 42 additions and 9 deletions
--- a/content/en/docs/reference/access-authn-authz/authorization.md
+++ b/content/en/docs/reference/access-authn-authz/authorization.md
@ -177,7 +177,7 @@ You can use the following modes:
 * `--authorization-mode=AlwaysDeny` (always denies requests)

 You can choose more than one authorization mode; for example:
-`--authorization-mode=Node,Webhook`
+`--authorization-mode=Node,RBAC,Webhook`

 Kubernetes checks authorization modules based on the order that you specify them
 on the API server's command line, so an earlier module has higher priority to allow
@ -197,7 +197,7 @@ For more information on command line arguments to the API server, read the

 {{< feature-state feature_gate_name="StructuredAuthorizationConfiguration" >}}

-As a beta feature, Kubernetes lets you configure authorization chains that can include multiple
+Kubernetes lets you configure authorization chains that can include multiple
 webhooks. The authorization items in that chain can have well-defined parameters that validate
 requests in a particular order, offering you fine-grained control, such as explicit Deny on failures.

@ -220,7 +220,7 @@ are only available if you use an authorization configuration file.
 #
 # DO NOT USE THE CONFIG AS IS. THIS IS AN EXAMPLE.
 #
-apiVersion: apiserver.config.k8s.io/v1beta1
+apiVersion: apiserver.config.k8s.io/v1
 kind: AuthorizationConfiguration
 authorizers:
  - type: Webhook
--- a/content/en/docs/reference/access-authn-authz/node.md
+++ b/content/en/docs/reference/access-authn-authz/node.md
@ -69,7 +69,24 @@ the local `hostname` and the `--hostname-override` option.
 For specifics about how the kubelet determines the hostname, see the
 [kubelet options reference](/docs/reference/command-line-tools-reference/kubelet/).

-To enable the Node authorizer, start the apiserver with `--authorization-mode=Node`.
+To enable the Node authorizer, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
+with the `--authorization-config` flag set to a file that includes the `Node` authorizer; for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: Node
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `Node`;
+for example:
+```shell
+kube-apiserver --authorization-mode=...,Node --other-options --more-options
+```

 To limit the API objects kubelets are able to write, enable the
 [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction)
--- a/content/en/docs/reference/access-authn-authz/rbac.md
+++ b/content/en/docs/reference/access-authn-authz/rbac.md
@ -20,10 +20,22 @@ RBAC authorization uses the `rbac.authorization.k8s.io`
 decisions, allowing you to dynamically configure policies through the Kubernetes API.

 To enable RBAC, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}}
-with the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
+with the `--authorization-config` flag set to a file that includes the `RBAC` authorizer; for example:
+
+```yaml
+apiVersion: apiserver.config.k8s.io/v1
+kind: AuthorizationConfiguration
+authorizers:
+  ...
+  - type: RBAC
+  ...
+```
+
+Or, start the {{< glossary_tooltip text="API server" term_id="kube-apiserver" >}} with
+the `--authorization-mode` flag set to a comma-separated list that includes `RBAC`;
 for example:
 ```shell
-kube-apiserver --authorization-mode=Example,RBAC --other-options --more-options
+kube-apiserver --authorization-mode=...,RBAC --other-options --more-options
 ```

 ## API objects {#api-overview}
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/structured-authorization-configuration.md
@ -6,13 +6,17 @@ _build:
  render: false

 stages:
-  - stage: alpha 
+  - stage: alpha
    defaultValue: false
    fromVersion: "1.29"
    toVersion: "1.29"
-  - stage: beta 
+  - stage: beta
    defaultValue: true
    fromVersion: "1.30"
+    toVersion: "1.31"
+  - stage: stable
+    defaultValue: true
+    fromVersion: "1.32"
 ---
 Enable structured authorization configuration, so that cluster administrators
 can specify more than one [authorization webhook](/docs/reference/access-authn-authz/webhook/)
--- a/content/en/docs/setup/production-environment/_index.md
+++ b/content/en/docs/setup/production-environment/_index.md
@ -232,7 +232,7 @@ As someone setting up authentication and authorization on your production Kubern

 - *Set the authorization mode*: When the Kubernetes API server
  ([kube-apiserver](/docs/reference/command-line-tools-reference/kube-apiserver/))
-  starts, the supported authentication modes must be set using the *--authorization-mode*
+  starts, supported authorization modes must be set using an *--authorization-config* file or the *--authorization-mode*
  flag. For example, that flag in the *kube-adminserver.yaml* file (in */etc/kubernetes/manifests*)
  could be set to Node,RBAC. This would allow Node and RBAC authorization for authenticated requests.
 - *Create user certificates and role bindings (RBAC)*: If you are using RBAC