Adding "#" to escapable characters in CEL subsystem


Allain Legacy

Feb 11, 2025, 5:20:31 PM
to K8s API Machinery SIG
Hi,
Are there any technical reasons why we couldn't/shouldn't add the "#" character to the set of escapable characters in the CEL functionality?   If not, would a PR be accepted?


It currently supports escaping ".", "/", "_".

We have a use case where we'd like to extract a claim from an OIDC token using the apiserver.JWTAuthenticator functionality but can't because the claim has a "#" embedded in it.   The specific claim is a nested claim.  Example:

{
  "exp": 1739302920,
  "iat": 1739302020,
  "jti": "2abdffa9-1234-4283-8c65-f83d845319da",
  "iss": "https://keycloak.apps.example.com/realms/example",
...
  "cnf": {
    "x5t#S256": "redacted"
  },
...
}

We'd like to extract it into the User info using this approach:

Extra: []apiserver.ExtraMapping{
    {
        Key:             "cert.example.com/fingerprint",
        ValueExpression: "claims.cnf.x5t__hash__S256",
    },
},


Thanks,
Allain

Jordan Liggitt

Feb 11, 2025, 5:26:22 PM
to Allain Legacy, K8s API Machinery SIG
Is there a reason not to access that as cnf['x5t#S256']?


Allain Legacy

Feb 12, 2025, 10:21:39 AM
to K8s API Machinery SIG
Hi Jordan,
Thanks for your response.   I assume you mean using the same JWTAuthenticator interface?  If so, ya, I had hoped that would work but the CEL Mapper only supports mapping to values that resolve to either a string or a list, and this claim ("cnf") maps to a map so it doesn't work. 

e.g., this:

Extra: []apiserver.ExtraMapping{
    {
        Key:             "cert.example.com/cnf",
        ValueExpression: "claims.cnf",
    },
},


Allain

Mo Khan

Feb 12, 2025, 10:29:38 AM
to Allain Legacy, K8s API Machinery SIG
I recommend moving this conversation to #sig-auth-authenticators-dev in the kube slack.

Jordan is asking why the following config does not work:

Extra: []apiserver.ExtraMapping{
    {
        Key:             "cert.example.com/cnf",
        ValueExpression: "claims.cnf['x5t#S256']",
    },
},



Allain Legacy

Feb 12, 2025, 2:13:32 PM
to K8s API Machinery SIG
Thank you!   I wasn't aware that such syntax was supported.   When my test failed with "claims.cnf" with an error stating that it only supported lists or strings I guess I took that too literally.

I'll move to the slack channel if I have further comments/concerns about this. 

Allain
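
The mapping the thread arrives at, written as an apiserver AuthenticationConfiguration file. This is an added example, not from any poster in the thread; the apiVersion, audience and username mapping are assumed values, and the presence guard around the index expression is an addition.

```yaml
# Added example. Values marked "assumed" do not come from the thread.
apiVersion: apiserver.config.k8s.io/v1beta1   # assumed; use the version your apiserver serves
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://keycloak.apps.example.com/realms/example   # "iss" from the sample token
    audiences:
    - example-client            # assumed audience
  claimMappings:
    username:
      claim: sub                # assumed username claim
      prefix: ""
    extra:
    # Does not work: "#" is not in the escapable set, so there is no __hash__ escape.
    #   valueExpression: "claims.cnf.x5t__hash__S256"
    # Does not work: "cnf" resolves to a map, and the value must be a string
    # or a list of strings.
    #   valueExpression: "claims.cnf"
    # Works: index the nested map with the literal claim name. The guard returns ''
    # when the token carries no cnf / x5t#S256 claim; an empty string is treated as
    # the extra mapping not being present, instead of the expression failing on a
    # missing key.
    - key: cert.example.com/fingerprint
      valueExpression: "has(claims.cnf) && 'x5t#S256' in claims.cnf ? claims.cnf['x5t#S256'] : ''"
```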
