File tree 1 file changed +4
-2
lines changed
keps/sig-auth/3331-structured-config-for-oidc-authentication 1 file changed +4
-2
lines changed Original file line number Diff line number Diff line change @@ -765,11 +765,11 @@ No.
765765
766766###### Can the feature be disabled once it has been enabled (i.e . can we roll back the enablement)?
767767
768- Yes.
768+ Yes. Note that if the ` --oidc-* ` flags were previously in use, they must be restored for OIDC authentication to function correctly.
769769
770770###### What happens if we reenable the feature if it was previously rolled back?
771771
772- No impact.
772+ No impact (generally speaking, authentication does not cause persisted state in the cluster) .
773773
774774###### Are there any tests for feature enablement/disablement?
775775
@@ -786,6 +786,7 @@ It cannot fail until a bug in kube-apiserver connected to parsing structured con
786786Possible consequences are:
787787* A cluster administrator rolls out the feature with the addition of some validation rules that may allow access to previously restricted users.
788788* Other cluster components can depend on claim validations. Rolling back would mean losing validation functionality.
789+ * If the cluster admin fails to restore any previously in-use ` --oidc-*` OIDC authentication will not function.
789790
790791###### What specific metrics should inform a rollback?
791792
814815
815816* There will be a corresponding message in kube-apiserver logs.
816817* By checking the kube-apiserver flags.
818+ * By checking the metrics emitted by the kube-apiserver.
817819
818820###### How can someone using this feature know that it is working for their instance?
819821
You can’t perform that action at this time.
0 commit comments