Closed israel-hdez closed 2 weeks ago
Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: israel-hdez
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Closing PR. It does not work.
Motivation
ServingRuntimes on a namespace need to be protected individually, rather than allowing/rejecting access to all deployed runtimes in a namespace in conjunction.
Modifications
In oauth-proxy, instead of checking for GET over Kubernetes Services, do a more fine-grained check over ServingRuntimes: test that the user can GET the ServingRuntime associated with the deployment. This will allow protecting ServingRuntimes individually.
Result
The oauth-proxy will now allow access only if the provided token has GET privileges over a specific ServingRuntime.
PR checklist
Checklist items below are applicable for development targeted to both fast and stable branches/tags
Checklist items below are applicable for development targeted to both fast and stable branches/tags