  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-541

Document restricting api.<cluster>:6443/version to authenticated users

      Feature Overview (aka. Goal Summary)  

      By default OCP allows unauthenticated users to retrieve the /version API endpoint. Organizations with strict security policies that can't have unauthenticated endpoints need a way to change this behavior.

      Since this is achievable with custom clusterrolebindings, this Feature is for documenting and testing an official configuration to restrict api.<cluster>:6443/version to authenticated users.
       

      Goals (aka. expected user outcomes)

      • Test and document procedure to restrict `api.<cluster>:6443/version` to authenticated users only
      • Explore whether to test and document [1]

      [1] https://github.com/kubernetes/kubernetes/issues/84040#issuecomment-623698336

      Requirements (aka. Acceptance Criteria):

      • Define CI to regularly test the procedure in subsequent releases so the configuration can be considered supported
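
One check such a CI job could run over exported RBAC objects, to confirm that no ClusterRoleBinding still lets an unauthenticated caller GET `/version`. This is an added example, not part of the original issue or of OpenShift's own tooling; the sample objects are constructed, and the names in them (`system:public-info-viewer` modelled on the upstream Kubernetes default, the `example-*` entries hypothetical) are assumptions.

```python
UNAUTH_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}

def url_matches(rule_url, requested):
    # RBAC nonResourceURLs: "*" matches all; a trailing "*" is a prefix match.
    if rule_url in ("*", requested):
        return True
    return rule_url.endswith("*") and requested.startswith(rule_url.rstrip("*"))

def role_allows_get(role, url):
    for rule in role.get("rules") or []:
        if {"get", "*"} & set(rule.get("verbs") or []):
            if any(url_matches(u, url) for u in rule.get("nonResourceURLs") or []):
                return True
    return False

def unauthenticated_exposure(cluster_roles, bindings, url="/version"):
    """Names of ClusterRoleBindings that let an unauthenticated caller GET url."""
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    exposed = []
    for b in bindings:
        subjects = {(s.get("kind"), s.get("name")) for s in b.get("subjects") or []}
        ref = b["roleRef"]
        role = roles.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if subjects & UNAUTH_SUBJECTS and role and role_allows_get(role, url):
            exposed.append(b["metadata"]["name"])
    return sorted(exposed)

# Constructed sample objects (assumed names; each binding references the role of the same name).
def make_role(name, urls):
    return {"metadata": {"name": name},
            "rules": [{"nonResourceURLs": urls, "verbs": ["get"]}]}

def make_binding(name, groups):
    return {"metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": name},
            "subjects": [{"kind": "Group", "name": g} for g in groups]}

ROLES = [make_role("system:public-info-viewer", ["/healthz", "/version", "/version/"]),
         make_role("example-wildcard", ["*"]),
         make_role("example-health", ["/healthz"])]
DEFAULT = [make_binding("system:public-info-viewer",
                        ["system:authenticated", "system:unauthenticated"]),
           make_binding("example-wildcard", ["system:unauthenticated"]),
           make_binding("example-health", ["system:unauthenticated"])]
RESTRICTED = [make_binding("system:public-info-viewer", ["system:authenticated"]),
              make_binding("example-health", ["system:unauthenticated"])]

if __name__ == "__main__":
    print("default:   ", unauthenticated_exposure(ROLES, DEFAULT))
    print("restricted:", unauthenticated_exposure(ROLES, RESTRICTED))
```

On a real cluster the two inputs would be the `items` arrays from `oc get clusterroles -o json` and `oc get clusterrolebindings -o json`; a non-empty result means `/version` is still reachable without authentication.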

      Use Cases (Optional):

      • RFE-1621
      • Organizations with strict policies that require minimizing unauthenticated API endpoints

      Out of Scope

      Interoperability Considerations

      Validate that the `oc` CLI is not impacted by this change.

              racedoro@redhat.com Ramon Acedo
              wcabanba@redhat.com William Caban