• Kubernetes Submit Queue's avatar
    Merge pull request #41982 from deads2k/agg-18-ca-permissions · 45242048
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue
    
    Add namespaced role to inspect particular configmap for delegated authentication
    
    Builds on https://github.com/kubernetes/kubernetes/pull/41814 and https://github.com/kubernetes/kubernetes/pull/41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases.
    
    This part creates a namespace role in `kube-system` that can *only* look the configmap which gives the delegated authentication check.  When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace.
    
    @sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup?  The alternative is sometimes having it and sometimes not.  I guess we could try to key on explicit "disable front-proxy" which may make more sense.
    
    @kubernetes/sig-api-machinery-misc 
    
    @ncdc I spoke to @liggitt about this before he left and he was ok in concept.  Can you take a look at the details?
    45242048
Name
Last commit
Last update
..
cmd/kube-scheduler Loading commit data...
pkg Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...