Allow "*" in kubernetes_users #58282

Merged: boxofrad merged 5 commits into master from boxofrad/kubernetes-users-wildcard on Aug 28, 2025

@boxofrad
Contributor

Fixes #58274.

changelog: Support setting "*" in role kubernetes_users

Comment thread lib/kube/proxy/forwarder.go Outdated
@rosstimothy rosstimothy requested a review from creack August 22, 2025 19:55
@creack
Contributor

creack commented Aug 22, 2025

If we do it for users, wouldn't it make sense to allow * for groups as well?

@github-actions
Contributor

github-actions bot commented Aug 26, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
|---|---|---|---|---|---|
| boxofrad/kubernetes-users-wildcard | b4123d1 | 3 | ✅ SUCCEED | boxofrad-kubernetes-users-wildcard | 2025-08-26 12:40:55 |

@boxofrad
Contributor Author

boxofrad commented Aug 26, 2025

Hey folks 👋🏻

Following a Slack conversation with @tigrato, I've removed the behavior where we would not automatically impersonate any groups if kubernetes_users contained a wildcard. This constraint made sense in the context of Argo CD, but is confusing in the general case. I've added a warning to the Kubernetes Access docs instead, and will update #58229 accordingly.

He also suggested that we combine computeImpersonatedPrincipals with fillDefaultKubePrincipalDetails. I think this makes sense, but I'd rather keep the diff as small as possible, especially as I'm new to this part of the codebase.

Similarly, @creack's suggestion of supporting * in kubernetes_groups also makes sense - let's maybe revisit it in another PR?

@boxofrad boxofrad marked this pull request as ready for review August 26, 2025 11:59
@boxofrad boxofrad requested a review from tigrato August 26, 2025 11:59
@strideynet strideynet self-requested a review August 26, 2025 12:25
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from ptgott August 28, 2025 14:44
@boxofrad boxofrad added this pull request to the merge queue Aug 28, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Aug 28, 2025
@boxofrad boxofrad added this pull request to the merge queue Aug 28, 2025
@ryanclark ryanclark removed this pull request from the merge queue due to a manual request Aug 28, 2025
@boxofrad boxofrad added this pull request to the merge queue Aug 28, 2025
Merged via the queue into master with commit c854a6e Aug 28, 2025
43 checks passed
@boxofrad boxofrad deleted the boxofrad/kubernetes-users-wildcard branch August 28, 2025 20:02
@backport-bot-workflows
Contributor

@boxofrad See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v17 | Failed |
| branch/v18 | Failed |

boxofrad added a commit that referenced this pull request Aug 28, 2025
Backport #58282 to branch/v18
boxofrad added a commit that referenced this pull request Aug 28, 2025
Backport #58282 to branch/v17
github-merge-queue bot pushed a commit that referenced this pull request Aug 29, 2025
Backport #58282 to branch/v18
github-merge-queue bot pushed a commit that referenced this pull request Sep 1, 2025
Backport #58282 to branch/v17
mmcallister pushed a commit that referenced this pull request Sep 22, 2025
* Allow `"*"` in `kubernetes_users`

* Add tests for `kubernetes_users` wildcard

* Document the `kubernetes_users` wildcard support

* Remove the coupling of users and groups

* Fix broken test

Development

Successfully merging this pull request may close these issues.

Support for Argo CD Impersonation