Add '--allow-paths' CLI flag #83
7ba3ba8 to 31d6ef8
What's the concrete use case we have here? I'm just wondering if regex is really the right thing for this or if we should rather use a list of slightly less flexible template strings. I'm just worried that this will be used accidentally incorrectly and then cause potential security problems (which, my understanding is, is exactly what we're trying to avoid).
The concrete use case is when you have several kube-rbac-proxies in front of the same backend with different permissions for each proxy.
I think it's also fine if we have to specify all paths that are managed by the proxy.
31d6ef8 to 5d5b804
I'm all for enabling the use case, but I feel getting regexes right in order for a security feature to work doesn't seem like a good idea. I'd be more comfortable to have explicit paths each listed without regex support. That should still fulfill the requirement, no?
Completely. I'll update the PR accordingly :)
kube-rbac-proxy checks that the incoming request matches with one of the paths specified by the flag. If not, it returns a 404 status code. If omitted (the default), kube-rbac-proxy doesn't check the incoming request path (same as previously).

Signed-off-by: Simon Pasquier <spasquie@redhat.com>
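The behaviour the commit message describes, next to the regex concern raised in review, as an added Go example that is not kube-rbac-proxy's own code. `backend`, `allowPaths`, `statusFor` and `regexAllows` are hypothetical names, and exact string comparison against the URL path is an assumption about what "matches" means here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // constructed stand-in upstream
	w.WriteHeader(http.StatusOK)
})

// allowPaths returns 404 unless the request path is exactly one of paths.
// An empty list disables the check (the "flag omitted" default).
func allowPaths(paths []string, next http.Handler) http.Handler {
	if len(paths) == 0 {
		return next
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range paths {
			if r.URL.Path == p {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.NotFound(w, r)
	})
}

// statusFor sends a GET for reqPath through h and returns the status code.
func statusFor(h http.Handler, reqPath string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, reqPath, nil))
	return rec.Code
}

// regexAllows reports what a regexp-based check would decide; Go regexps are unanchored unless the pattern adds ^ and $.
func regexAllows(pattern, reqPath string) bool {
	return regexp.MustCompile(pattern).MatchString(reqPath)
}

func main() {
	h := allowPaths([]string{"/metrics"}, backend) // constructed sample list
	for _, p := range []string{"/metrics", "/metrics/../debug", "/debug/metrics"} {
		fmt.Println(p, statusFor(h, p), regexAllows("/metrics", p))
	}
}
```

With the pattern written as `/metrics`, the regexp check accepts all three sample paths, while the explicit list forwards only the first.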
36a6175 to 7bc0757
@@ -190,6 +191,90 @@ func testTokenAudience(s *kubetest.Suite) kubetest.TestSuite { | |||
} | |||
} | |||
|
|||
func testAllowPathsRegexp(s *kubetest.Suite) kubetest.TestSuite { |
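Review bot: The added `func testAllowPathsRegexp` at the end of this hunk still carries the Regexp suffix although the flag now takes explicitly listed paths with no regex support; rename it to `testAllowPaths` so the test name does not suggest pattern matching. Only the signature is visible here, so check that the body covers a request to a path that is not listed (expecting 404) and the case where the flag is omitted and no path check is applied.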
@simonpasquier maybe as a small follow-up: s/testAllowPathsRegexp/testAllowPaths?