)]}'
{"specs/approved/k8s_external_facing_api.rst":[{"author":{"_account_id":23186,"name":"Felipe Monteiro","email":"felipe.carneiro.monteiro@gmail.com","username":"felipe.monteiro"},"change_message_id":"610608b26045ee7d82debcefd0b136abd41ee99e","unresolved":false,"context_lines":[{"line_number":53,"context_line":"webhook side-car for each API server (i.e. ``sidecare`` mode). The other mode of operation"},{"line_number":54,"context_line":"is ``federated`` mode where the webhook will be accessed over a Kubernetes service."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"A new chart is needed because the `standard apiserver chart \u003chttps://github.com/openstack/airship-promenade/tree/master/charts/apiserver\u003e`"},{"line_number":57,"context_line":"relies on the anchor pattern creating static pods. The ``webhook_apiserver`` chart"},{"line_number":58,"context_line":"should be based on the standard apiserver chart and use helm_toolkit_ standards."},{"line_number":59,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"3f79a3b5_184d9799","line":56,"range":{"start_line":56,"start_character":137,"end_line":56,"end_character":138},"updated":"2018-08-09 16:48:46.000000000","message":"`_","commit_id":"a2770334d80a5cbccb4a6f75aa0fef17dc77e18f"},{"author":{"_account_id":22477,"name":"Matt McEuen","email":"matt.mceuen@att.com","username":"mattmceuen"},"change_message_id":"62315e0fdc38cf276a86c76f544c3ec1dba5fbaf","unresolved":false,"context_lines":[{"line_number":35,"context_line":"should minimize risk to the core Kubernetes API servers used by other"},{"line_number":36,"context_line":"Kubernetes core components. This specification proposes a design to maximize"},{"line_number":37,"context_line":"the security of this external facing API endpoint and minimizes the"},{"line_number":38,"context_line":"risk to the core operations of the cluster."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Impacted components"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_31754901","line":38,"updated":"2018-09-25 20:11:22.000000000","message":"Do we want to add a blurb about what the risk to the core API servers is that we\u0027re trying to avoid?  We expect operator use of the webhook API to be minimal, so it\u0027s just DOS\u0027ing that we\u0027re avoiding, right?","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":26449,"name":"Scott Hussey","email":"sthussey@att.com","username":"sh8121"},"change_message_id":"62d22536683d81f1a01e315b9083b46740d37136","unresolved":false,"context_lines":[{"line_number":35,"context_line":"should minimize risk to the core Kubernetes API servers used by other"},{"line_number":36,"context_line":"Kubernetes core components. This specification proposes a design to maximize"},{"line_number":37,"context_line":"the security of this external facing API endpoint and minimizes the"},{"line_number":38,"context_line":"risk to the core operations of the cluster."},{"line_number":39,"context_line":""},{"line_number":40,"context_line":"Impacted components"},{"line_number":41,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_a71d9b11","line":38,"in_reply_to":"3f79a3b5_31754901","updated":"2018-09-25 21:05:21.000000000","message":"I can, but touching the core apiservers in any way introduces risk.","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":22477,"name":"Matt McEuen","email":"matt.mceuen@att.com","username":"mattmceuen"},"change_message_id":"62315e0fdc38cf276a86c76f544c3ec1dba5fbaf","unresolved":false,"context_lines":[{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Create a chart, ``webhook_apiserver``, for an external facing Kubernetes API server that would"},{"line_number":52,"context_line":"create a Kubernetes Ingress entrypoint for the API server and, optionally, also spin up a"},{"line_number":53,"context_line":"webhook side-car for each API server (i.e. ``sidecare`` mode). The other mode of operation"},{"line_number":54,"context_line":"is ``federated`` mode where the webhook will be accessed over a Kubernetes service."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"A new chart is needed because the `standard apiserver chart \u003chttps://github.com/openstack/airship-promenade/tree/master/charts/apiserver\u003e`"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_714421b9","line":53,"updated":"2018-09-25 20:11:22.000000000","message":"sidecar","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":26449,"name":"Scott Hussey","email":"sthussey@att.com","username":"sh8121"},"change_message_id":"62d22536683d81f1a01e315b9083b46740d37136","unresolved":false,"context_lines":[{"line_number":50,"context_line":""},{"line_number":51,"context_line":"Create a chart, ``webhook_apiserver``, for an external facing Kubernetes API server that would"},{"line_number":52,"context_line":"create a Kubernetes Ingress entrypoint for the API server and, optionally, also spin up a"},{"line_number":53,"context_line":"webhook side-car for each API server (i.e. ``sidecare`` mode). The other mode of operation"},{"line_number":54,"context_line":"is ``federated`` mode where the webhook will be accessed over a Kubernetes service."},{"line_number":55,"context_line":""},{"line_number":56,"context_line":"A new chart is needed because the `standard apiserver chart \u003chttps://github.com/openstack/airship-promenade/tree/master/charts/apiserver\u003e`"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_27b8abe6","line":53,"in_reply_to":"3f79a3b5_714421b9","updated":"2018-09-25 21:05:21.000000000","message":"Done","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":22477,"name":"Matt McEuen","email":"matt.mceuen@att.com","username":"mattmceuen"},"change_message_id":"62315e0fdc38cf276a86c76f544c3ec1dba5fbaf","unresolved":false,"context_lines":[{"line_number":61,"context_line":"`Keystone webhook addl`_ and `Keystone webhook chart`_) in ``sidecar`` mode and allow for configuring"},{"line_number":62,"context_line":"the webhook service address in ``federated``` mode. The Kubernetes apiserver"},{"line_number":63,"context_line":"would be configured to only allow for authentication/authorization via webhook."},{"line_number":64,"context_line":"No other admission policies would be enabled. All ``kube-apiserver`` command line options"},{"line_number":65,"context_line":"should match the with the following exceptions:"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  - authorization-mode: ``Webhook``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_74696f8a","line":64,"updated":"2018-09-25 20:11:22.000000000","message":"We would still want to enable other (orthogonal) admission controllers to (dis)allow the particular objects that a webhook-auth\u0027d user pushes to the API server, right? Let me know if \"admission policies\" are referring to something else.","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":26449,"name":"Scott Hussey","email":"sthussey@att.com","username":"sh8121"},"change_message_id":"62d22536683d81f1a01e315b9083b46740d37136","unresolved":false,"context_lines":[{"line_number":61,"context_line":"`Keystone webhook addl`_ and `Keystone webhook chart`_) in ``sidecar`` mode and allow for configuring"},{"line_number":62,"context_line":"the webhook service address in ``federated``` mode. The Kubernetes apiserver"},{"line_number":63,"context_line":"would be configured to only allow for authentication/authorization via webhook."},{"line_number":64,"context_line":"No other admission policies would be enabled. All ``kube-apiserver`` command line options"},{"line_number":65,"context_line":"should match the with the following exceptions:"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  - authorization-mode: ``Webhook``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_87e97fe4","line":64,"in_reply_to":"3f79a3b5_74696f8a","updated":"2018-09-25 21:05:21.000000000","message":"Yeah, this is a bit confusing. I\u0027ll update admission policies to refer to \u0027authorization modes\u0027.","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"},{"author":{"_account_id":22477,"name":"Matt McEuen","email":"matt.mceuen@att.com","username":"mattmceuen"},"change_message_id":"2189d106be0f290eacaf0ba1826c99f492b2019b","unresolved":false,"context_lines":[{"line_number":61,"context_line":"`Keystone webhook addl`_ and `Keystone webhook chart`_) in ``sidecar`` mode and allow for configuring"},{"line_number":62,"context_line":"the webhook service address in ``federated``` mode. The Kubernetes apiserver"},{"line_number":63,"context_line":"would be configured to only allow for authentication/authorization via webhook."},{"line_number":64,"context_line":"No other admission policies would be enabled. All ``kube-apiserver`` command line options"},{"line_number":65,"context_line":"should match the with the following exceptions:"},{"line_number":66,"context_line":""},{"line_number":67,"context_line":"  - authorization-mode: ``Webhook``"}],"source_content_type":"text/x-rst","patch_set":5,"id":"3f79a3b5_8a2e668a","line":64,"in_reply_to":"3f79a3b5_87e97fe4","updated":"2018-09-25 21:07:49.000000000","message":"ah gotcha - yeah, I think that should fit the bill.","commit_id":"b95305f5a2db2da0e7b1dc99a6039d08281811a0"}]}