[jira] [Work logged] (KNOX-3353) k8s pre-auth filter for service account annotation

Thu, 18 Jun 2026 05:49:15 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3353?focusedWorklogId=1025770&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025770
 ]

ASF GitHub Bot logged work on KNOX-3353:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Jun/26 12:48
            Start Date: 18/Jun/26 12:48
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1269:
URL: https://github.com/apache/knox/pull/1269

   [KNOX-3353](https://issues.apache.org/jira/browse/KNOX-3353) - Eliminate 
K8sPreAuthFederationFilter and consolidate logic in ServiceAccountValidator
   
   ## What changes were proposed in this pull request?
   
   Consolidated the Kubernetes pre-authentication logic by eliminating the 
redundant `K8sPreAuthFederationFilter` and moving its resolver management and 
initialization directly into `ServiceAccountValidator`. 
   
   Key changes include:
      - Updated the `PreAuthValidator` interface to include 
`init(FilterConfig)` and `destroy()` methods for better lifecycle management.
      - Updated `AbstractPreAuthFederationFilter` to properly initialize and 
destroy all configured validators.
      - Refactored `ServiceAccountValidator` to manage the 
`K8sServiceAccountResolver` and its cache internally.
      - Renamed validator parameters to use a consistent `preauth.k8s.sa.` 
prefix.
      - Removed the now-obsolete `K8sPreAuthFederationFilter`, 
`K8sPreAuthContributor`, and related service registrations.
   
   
   ## How was this patch tested?
   
   The changes were verified by running existing and updated unit tests:
      - `mvn test -pl gateway-provider-security-k8s`: Verified 
`ServiceAccountValidator`, `K8sServiceAccountResolver`, and `SpiffeId` logic.
      - `mvn test -pl gateway-provider-security-preauth`: Verified 
`AbstractPreAuthFederationFilter`, `IPValidator`, and `DefaultValidator` with 
the new lifecycle methods.
      - Specifically verified that `ServiceAccountValidatorTest` correctly 
mocks the resolver and validates parameter handling.
   
   TODO: show real testing in a local kind cluster.
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1025770)
    Remaining Estimate: 0h
            Time Spent: 10m

> k8s pre-auth filter for service account annotation
> --------------------------------------------------
>
>                 Key: KNOX-3353
>                 URL: https://issues.apache.org/jira/browse/KNOX-3353
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 2.1.0
>            Reporter: Tamás Hanicz
>            Assignee: Tamás Hanicz
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to