mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-04-22 06:39:18 -04:00
452420484c
Automatic merge from submit-queue Add namespaced role to inspect particular configmap for delegated authentication Builds on https://github.com/kubernetes/kubernetes/pull/41814 and https://github.com/kubernetes/kubernetes/pull/41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases. This part creates a namespace role in `kube-system` that can *only* look the configmap which gives the delegated authentication check. When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace. @sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup? The alternative is sometimes having it and sometimes not. I guess we could try to key on explicit "disable front-proxy" which may make more sense. @kubernetes/sig-api-machinery-misc @ncdc I spoke to @liggitt about this before he left and he was ok in concept. Can you take a look at the details? |
||
|---|---|---|
| .. | ||
| apps | ||
| authentication | ||
| authorization | ||
| autoscaling | ||
| batch | ||
| cachesize | ||
| certificates | ||
| core | ||
| extensions | ||
| policy | ||
| rbac | ||
| registrytest | ||
| storage | ||
| BUILD | ||
| doc.go | ||
| OWNERS | ||