Enhancement Description

• One-line enhancement description (can be used as a release note): Structured Authentication Config
• Kubernetes Enhancement Proposal: KEP
• Discussion Link:
  • Slack post - https://kubernetes.slack.com/archives/C0EN96KUY/p1638208007167400
  • Google doc - https://docs.google.com/document/d/1sY8fRyRtk4eG9R439z5ao5i9bFuuxilS03XaNlqoni0/edit?disco=AAAARL1K8OE
• Primary contact (assignee): @nabokihms
• Responsible SIGs: sig-auth
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.29
  • Beta release target (x.y): v1.30
  • Stable release target (x.y): v1.34
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-3331: Structured Authentication Config #3332
  • Code (k/k) update PR(s):
    • [StructuredAuthenticationConfig] Create struct for authn config and re-wire OIDC flags to use it kubernetes#118984
    • [StructuredAuthenticationConfig] Add feature flag and wire up --authentication-config flag kubernetes#119142
    • [StructuredAuthnConfig] use local variables in oidc pkg kubernetes#120183
    • Implement CEL for StructuredAuthenticationConfig kubernetes#121078
    • [StructuredAuthn] Ensure empty fields of user object are accessible by CEL kubernetes#121709
  • Docs (k/website) update PR(s): add docs for StructuredAuthenticationConfig v1alpha1 website#43397
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-3331: update for beta in v1.30 #4461
    • KEP-3331: update configuration reload metric #4491
    • KEP-3331: update kep latest milestone to v1.32 #4844
  • Code (k/k) update PR(s):
    • add StructuredAuthenticationConfiguration feature to kube feature gates file kubernetes#121622
    • [StructuredAuthnConfig] add comment for extra keys unique requirement kubernetes#122560
    • cleanup structured authn/authz error logic kubernetes#122975
    • Add AudienceMatchPolicy and support multiple audiences in AuthenticationConfiguration kubernetes#123165
    • Add apiserver_authentication_jwt_authenticator_latency_seconds metric kubernetes#123225
    • Support all key algs with structured authn config kubernetes#123282
    • Add integration test for multiple audience in structured authn kubernetes#123305
    • Support multiple JWT authenticators with structured authn config kubernetes#123431
    • add min valid jwt payload to API docs for structured authn config kubernetes#123458
    • Add dynamic reload support for authentication configuration kubernetes#123525
    • Add DiscoveryURL to Authentication Configuration kubernetes#123527
    • Prevent conflicts between service account and jwt issuers kubernetes#123561
    • jwt: fail on empty username via CEL expression kubernetes#123568
    • Duplicate v1alpha1 AuthenticationConfiguration to v1beta1 kubernetes#123696
    • Mark StructuredAuthenticationConfiguration feature gate as beta kubernetes#123719
    • Fix AuthenticationConfiguration docs around nested claims via CEL kubernetes#123721
    • Require email_verified to be used when email is set as username via CEL kubernetes#123737
    • Add metrics for authentication config reload kubernetes#123793
    • fix test flake in TestStructuredAuthenticationConfigReload kubernetes#123856
    • Set credential-id in userinfo.extra for jwt authenticators if jti claim present kubernetes#127010
    • Disallow k8s.io and kubernetes.io namespaced extra key in structured authn config kubernetes#126553
    • Add JWKS fetch metrics for jwt authenticator kubernetes#123642
  • Docs (k/website) update(s):
    • Add blog post for Structured Authn beta website#45106
    • Add docs for Structured Authn beta website#45108
    • Add note about k8s.io, kubernetes disallowed prefix for structured authn website#47821

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.