OpenShift Container Platform (OCP) Strategy / OCPSTRAT-541

Document restricting api.<cluster>:6443/version to authenticated users


    • Feature
    • Resolution: Unresolved
    • Minor
    • Core
    • OCPSTRAT-16 OpenShift - Kubernetes and Core Platform
    • 0% To Do, 0% In Progress, 100% Done
    • XS

      Feature Overview (aka. Goal Summary)  

      By default, OCP allows unauthenticated users to retrieve the /version API endpoint. Organizations with strict security policies that can't have unauthenticated endpoints need a way to change this behavior.

      Since this is achievable with custom clusterrolebindings, this Feature is for documenting and testing an official configuration for restricting api.<cluster>:6443/version to authenticated users.
       

      Goals (aka. expected user outcomes)

      • Test and document procedure to restrict `api.<cluster>:6443/version` to authenticated users only
      • Explore if testing and documenting [1]

      [1] https://github.com/kubernetes/kubernetes/issues/84040#issuecomment-623698336

      Requirements (aka. Acceptance Criteria):

      • Define CI to regularly test the procedure in subsequent releases so the configuration can be considered supported

      Use Cases (Optional):

      • RFE-1621
      • Organizations with strict policies requiring minimizing unauthenticated API endpoints

      Out of Scope

      Interoperability Considerations

      Validate that the `oc` CLI is not impacted by this change.
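
An audit for the default described in the Feature Overview, as an added example that is not part of the original issue or OpenShift's own code: it reports which ClusterRoleBindings give anonymous callers `get` on `/version`. The sample objects are constructed, modelled on upstream Kubernetes' `system:public-info-viewer` role and binding; a real cluster may carry other bindings, and the helper names are hypothetical.

```python
# Subjects every unauthenticated request carries in Kubernetes RBAC.
ANON_SUBJECTS = {("Group", "system:unauthenticated"), ("User", "system:anonymous")}

def url_matches(rule_url, path):
    """RBAC nonResourceURLs matching: exact, "*", or a trailing-"*" prefix."""
    if rule_url == "*" or rule_url == path:
        return True
    return rule_url.endswith("*") and path.startswith(rule_url.rstrip("*"))

def roles_allowing(items, path, verb="get"):
    """Names of ClusterRoles with a rule allowing `verb` on the non-resource `path`."""
    names = set()
    for obj in items:
        if obj["kind"] != "ClusterRole":
            continue
        for rule in obj.get("rules") or []:
            verbs = rule.get("verbs") or []
            urls = rule.get("nonResourceURLs") or []
            if (verb in verbs or "*" in verbs) and any(url_matches(u, path) for u in urls):
                names.add(obj["metadata"]["name"])
    return names

def anonymous_bindings(items, path="/version"):
    """ClusterRoleBindings that hand a role covering `path` to anonymous callers."""
    allowed = roles_allowing(items, path)
    hits = set()
    for obj in items:
        if obj["kind"] != "ClusterRoleBinding" or obj["roleRef"]["name"] not in allowed:
            continue
        for s in obj.get("subjects") or []:
            if (s.get("kind"), s.get("name")) in ANON_SUBJECTS:
                hits.add(obj["metadata"]["name"])
    return sorted(hits)

def _binding(name, role, groups):
    """Build a constructed ClusterRoleBinding for the sample data below."""
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": g} for g in groups]}

# Constructed sample objects (not dumped from a real cluster).
ROLE = {"kind": "ClusterRole", "metadata": {"name": "system:public-info-viewer"},
        "rules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz", "/version", "/version/"]}]}
DEFAULT = [ROLE, _binding("system:public-info-viewer", "system:public-info-viewer",
                          ["system:authenticated", "system:unauthenticated"])]
RESTRICTED = [ROLE, _binding("system:public-info-viewer", "system:public-info-viewer",
                             ["system:authenticated"])]

if __name__ == "__main__":
    print("default:   ", anonymous_bindings(DEFAULT))
    print("restricted:", anonymous_bindings(RESTRICTED))
```

Pass it the `items` list from `oc get clusterroles,clusterrolebindings -o json`; an empty result is the state a recurring CI check for this procedure would assert.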

            wcabanba@redhat.com William Caban