Open meatuses opened 8 months ago
`kubectl auth whoami` can be used for now to get information about the current user. It helps to set the correct ClusterAuthorizationRule.
This problem is not solved head-on. We cannot convert subjects to ClusterAuthorizationRule because they may contain not only emails from our resources, but also from users' resources. This task probably requires a redesign of the OIDC claim from email to user and should be resolved as part of a more global RBAC redesign.
Preflight Checklist
Version
v1.56.9
Expected Behavior
`User` email should match case 1 to 1 with `ClusterAuthorizationRule` or `AuthorizationRule`'s `spec.subjects.name` field (case sensitive), or be case insensitive and match any letter case.
Actual Behavior
Seems like `User`'s `email` field is converted to lowercase by internal logic, but the `ClusterAuthorizationRule` or `AuthorizationRule` `spec.subjects.name` field that should match that email is not converted. Currently you can't use any uppercase characters in an authorization rule's `spec.subjects.name`, as they wouldn't match the subjects.
Steps To Reproduce
1. `User` with `email` `UserName@example.com` (using any uppercase characters)
2. `ClusterAuthorizationRule` with `spec.subjects.name` `UserName@example.com` (matches email 1-1)
3. `ClusterAuthorizationRule` `spec.subjects.name` to `username@example.com` (manually set lowercase)
4. `UserName@example.com`
Additional Information
manifests that were used to test this:
Logs
No response
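As an added illustration of the mismatch reported above (not code from the issue or from Deckhouse), the script below compares the one-sided lowercasing the report describes with a consistent normalisation, and lints a rule list for `User` subjects that can never match. It assumes the JSON layout of `kubectl get clusterauthorizationrules -o json` is `items[].spec.subjects[]` with `kind` and `name` fields, and uses a constructed sample instead of a live cluster.

```python
import json

# Constructed sample in the shape `kubectl get clusterauthorizationrules -o json`
# is assumed to return (items[].spec.subjects[].{kind,name}); not real cluster data.
SAMPLE_RULES_JSON = """
{"items": [
  {"metadata": {"name": "admins"},
   "spec": {"subjects": [{"kind": "User", "name": "UserName@example.com"}]}},
  {"metadata": {"name": "readers"},
   "spec": {"subjects": [{"kind": "User", "name": "username@example.com"},
                         {"kind": "Group", "name": "Auditors"}]}}
]}
"""


def user_subjects(rules_json):
    """Yield (rule name, subject name) for every User subject in the list."""
    for item in json.loads(rules_json)["items"]:
        for subj in item["spec"].get("subjects", []):
            if subj.get("kind") == "User":
                yield item["metadata"]["name"], subj["name"]


def matches_current(user_email, subject_name):
    """Behaviour the issue describes: the User email is lowercased,
    the rule's subject name is compared exactly as written."""
    return user_email.lower() == subject_name


def matches_consistent(user_email, subject_name):
    """Expected behaviour: normalise both sides the same way."""
    return user_email.lower() == subject_name.lower()


def rules_granting(user_email, rules_json, matcher=matches_current):
    """Sorted names of rules whose User subjects match the given email."""
    return sorted({rule for rule, name in user_subjects(rules_json)
                   if matcher(user_email, name)})


def unreachable_subjects(rules_json):
    """Lint: with one-sided lowercasing, a User subject containing any
    uppercase character can never match, so it is a dead entry."""
    return [(rule, name) for rule, name in user_subjects(rules_json)
            if name != name.lower()]


if __name__ == "__main__":
    email = "UserName@example.com"
    print("current:   ", rules_granting(email, SAMPLE_RULES_JSON))
    print("consistent:", rules_granting(email, SAMPLE_RULES_JSON, matches_consistent))
    print("dead subjects:", unreachable_subjects(SAMPLE_RULES_JSON))
```

Run against real output by replacing the sample with `kubectl get clusterauthorizationrules -o json`; any subject the lint reports will silently grant nothing until it is lowercased or the matching is fixed.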