• Kubernetes Submit Queue's avatar
    Merge pull request #41982 from deads2k/agg-18-ca-permissions · 45242048
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue
    
    Add namespaced role to inspect particular configmap for delegated authentication
    
    Builds on https://github.com/kubernetes/kubernetes/pull/41814 and https://github.com/kubernetes/kubernetes/pull/41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases.
    
    This part creates a namespace role in `kube-system` that can *only* look the configmap which gives the delegated authentication check.  When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace.
    
    @sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup?  The alternative is sometimes having it and sometimes not.  I guess we could try to key on explicit "disable front-proxy" which may make more sense.
    
    @kubernetes/sig-api-machinery-misc 
    
    @ncdc I spoke to @liggitt about this before he left and he was ok in concept.  Can you take a look at the details?
    45242048
Name
Last commit
Last update
..
apps Loading commit data...
authentication Loading commit data...
authorization Loading commit data...
autoscaling Loading commit data...
batch Loading commit data...
cachesize Loading commit data...
certificates Loading commit data...
core Loading commit data...
extensions Loading commit data...
policy Loading commit data...
rbac Loading commit data...
registrytest Loading commit data...
storage Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...
doc.go Loading commit data...