Exception Request for Enhancement Freeze for KEP 6060

[Benjamin Petersen]

Hi Release Team,

I am requesting an exception for Enhancement Freeze for KEP #6060: API Server Authentication to Admission Webhooks.  Details: 

• Enhancement name: API Server Authentication to Admission Webhooks
• Enhancement status (alpha/beta/stable): Alpha
• SIG: SIG-Auth
• k/enhancements repo issue #:  https://github.com/kubernetes/enhancements/issues/6060
• PR #’s:  https://github.com/kubernetes/enhancements/pull/6156
• Additional time needed (in calendar days, due end of day AoE): 3 days (Friday, June 19th)
• Reason this enhancement is critical for this milestone:
• https://nvd.nist.gov/vuln/detail/CVE-2025-1974
• 9.8 critical, related to the Ingress-Nginx Controller
• This patch addresses an issue that was a component of this exploit
• Risks from adding code late: (to k8s stability, testing, etc.):
• low, this is an alpha api, disabled by default
• Risks from cutting enhancement: (partial implementation, critical customer usecase, etc.):
• Delaying this KEP simply means that a security gap regarding webhooks remains open for a longer period of time.  This gap may continue to invite bad actors to look for ways to utilize it to compromise clusters.

Thanks!

[Mo Khan]

+1 from me as this KEP is working to address a long standing security issue.

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CALCMx2Rje4uCsMXHqGX9UQqKFfyp0v5eYmQHybQggYfZavvjnw%40mail.gmail.com.