
Include extra attributes in SubjectAccessReview

Open multimac opened this issue 1 year ago • 5 comments

Kubernetes authorization plugins can rely on extra attributes on a user, and these are provided via X-Remote-Extra- headers. Currently the Linkerd Viz tap API doesn't include these attributes when making the SubjectAccessReview request, which means the Tap API cannot be used by end-users whose clusters use such authz plugins.

This change updates the tap controller to parse the X-Remote-Extra- headers and include them in the SubjectAccessReview request.

Fixed #13169

multimac avatar Oct 11 '24 04:10 multimac
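The header-to-SubjectAccessReview mapping described in the post above, as an added example that is not code from this PR or from Linkerd. The `sarSpec` type, the function names, and the `X-Remote-User` / `X-Remote-Group` header names are assumptions for illustration; only the `X-Remote-Extra-` prefix comes from the post.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const extraPrefix = "X-Remote-Extra-" // header prefix named in the post
// Hypothetical stand-in for the identity fields of a SubjectAccessReview spec.
type sarSpec struct {
	User   string              `json:"user"`
	Groups []string            `json:"groups,omitempty"`
	Extra  map[string][]string `json:"extra,omitempty"`
}

// extraFromHeaders maps X-Remote-Extra-<key> headers to the "extra" field.
// Keys are lower-cased, then percent-decoded (e.g. "%2f" becomes "/").
func extraFromHeaders(h http.Header) map[string][]string {
	extra := map[string][]string{}
	for name, values := range h {
		if len(name) <= len(extraPrefix) || !strings.EqualFold(name[:len(extraPrefix)], extraPrefix) {
			continue
		}
		key := strings.ToLower(name[len(extraPrefix):])
		if decoded, err := url.PathUnescape(key); err == nil {
			key = decoded
		}
		extra[key] = append(extra[key], values...)
	}
	return extra
}

// specFromHeaders assumes the caller already verified that the request came
// from the trusted front proxy; otherwise any client could forge these headers.
func specFromHeaders(h http.Header) sarSpec {
	return sarSpec{User: h.Get("X-Remote-User"), Groups: h.Values("X-Remote-Group"), Extra: extraFromHeaders(h)}
}

func main() {
	h := http.Header{} // constructed sample request headers
	h.Set("X-Remote-User", "alice")
	h.Add("X-Remote-Extra-Scopes", "tap")
	h.Add("X-Remote-Extra-Example.com%2Fteam", "blue")
	out, _ := json.MarshalIndent(specFromHeaders(h), "", "  ")
	fmt.Println(string(out))
}
```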

Hey @multimac, just a quick check-in -- we're heads-down to ship Linkerd 2.17 but will be coming back to this as soon as we can. Sorry for the delay!

kflynn avatar Oct 31 '24 16:10 kflynn

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 30 '25 07:01 stale[bot]

@kflynn: Looks like 2.17 is out by now. Is there a plan to revisit this?

alex-kattathra-johnson avatar Mar 03 '25 22:03 alex-kattathra-johnson

Ping @adleong

alex-kattathra-johnson avatar Mar 06 '25 15:03 alex-kattathra-johnson

Unassigning @adleong so that this bubbles back up for prioritization. Since this branch isn't passing CI, it will clearly need some more work before it can be merged.

olix0r avatar Mar 27 '25 18:03 olix0r

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 26 '25 03:06 stale[bot]