dynamic allowed service accounts watcher for injector #5898
Conversation
Force-pushed from 4f90659 to 1e8fe3d
From the linked issue:
I want to make it clear what scenario we're enabling here, as Dapr can in fact run by default inside of VClusters.
@yaron2 yes this enables VCluster Clusters (Vcluster 0.14.0) to consume a single Dapr installation that is in the Host cluster.
@yaron2 I wonder... can we make this into 1.10? Or is it too late?
Force-pushed from 53b798c to 958723f
looks like there was a recent commit on 1.10 branch where
This will need to go in 1.11.
Force-pushed from 8d916e7 to d361ed1
Signed-off-by: Filinto Duran <filinto@diagrid.io>
…ctors Signed-off-by: Filinto Duran <filinto@diagrid.io>
…more k8s friendly namespace:name Signed-off-by: Filinto Duran <filinto@diagrid.io>
add comment about order guarantees just in case we forget in the future Signed-off-by: Filinto Duran <filinto@diagrid.io>
from feedback Co-authored-by: Mukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com> Signed-off-by: Filinto Duran <duranto@gmail.com>
Co-authored-by: Mukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com> Signed-off-by: Filinto Duran <duranto@gmail.com>
Force-pushed from 1539ff0 to e7a903e
@filintod Please don't rebase your PRs as that breaks our ability to use things like "see changes since your last review", and we need to review the entire PR from scratch every time!
…namic-service-account Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Feedback addressed - please re-review
Description
Added capability to dynamically add allowed UIDs by watching against namespace and/or service account name prefixes. When a service account is created or deleted we add/delete the ID of the service account in the injector authUIDs list. The watch can also be set against a string label selector.

A user/operator can provide the extra value allowedServiceAccountsPrefixNames to the sidecar chart definition with a star sign at the end to say whether the service account name or the namespace or both are prefixes. We separate each namespace:serviceaccountname tuple with commas (,). The predicates will be ORed.

Service Account Name or Namespace Prefix watch examples

Watch for service account names prefix with name1-x or name2-x in namespace1, or for name1-x in namespace-2.

Watch for service account names prefix with name-x in namespace1.

Issue reference
Please reference the issue this PR will close: #5906
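The matching scheme the description lays out (comma-separated namespace:name tuples, a trailing star marking a prefix on either side, predicates ORed, UIDs added on create and dropped on delete) as an added, stand-alone Go illustration. This is not the injector's code from this PR and does not use client-go; the types saPattern and allowedUIDs, the functions parsePatterns/onAdd/onDelete/isAllowed, and every sample value and event are constructed here. One hardening choice is mine rather than the PR's: a bare "*" on either side is rejected, because an empty prefix would match every namespace or every service account and silently turn the allow-list into allow-all.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// saPattern is one parsed "namespace:name" entry. A trailing '*' on a part
// makes that part a prefix match; without it the match is exact.
// (Illustrative type, not the injector's own.)
type saPattern struct {
	namespace, name             string
	namespacePrefix, namePrefix bool
}

// parsePart splits a trailing '*' off one side of an entry. A bare "*" is
// refused (assumed hardening): an empty prefix would match everything.
func parsePart(s string) (string, bool, error) {
	prefix := strings.HasSuffix(s, "*")
	s = strings.TrimSuffix(s, "*")
	if s == "" {
		return "", false, fmt.Errorf("empty pattern part (bare \"*\" is not allowed)")
	}
	if strings.ContainsAny(s, "*:") {
		return "", false, fmt.Errorf("%q: '*' is only valid as the last character", s)
	}
	return s, prefix, nil
}

// parsePatterns parses the comma-separated value; entries are trimmed and
// empty entries (for example a trailing comma) are skipped.
func parsePatterns(value string) ([]saPattern, error) {
	var patterns []saPattern
	for _, raw := range strings.Split(value, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue
		}
		parts := strings.SplitN(entry, ":", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("entry %q: expected namespace:name", entry)
		}
		ns, nsPrefix, err := parsePart(parts[0])
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", entry, err)
		}
		name, namePrefix, err := parsePart(parts[1])
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", entry, err)
		}
		patterns = append(patterns, saPattern{namespace: ns, name: name,
			namespacePrefix: nsPrefix, namePrefix: namePrefix})
	}
	return patterns, nil
}

func matchPart(pattern string, prefix bool, value string) bool {
	if prefix {
		return strings.HasPrefix(value, pattern)
	}
	return value == pattern
}

// matches reports whether (namespace, name) satisfies this single pattern;
// both sides must match.
func (p saPattern) matches(namespace, name string) bool {
	return matchPart(p.namespace, p.namespacePrefix, namespace) &&
		matchPart(p.name, p.namePrefix, name)
}

// allowedUIDs stands in for the injector's allowed-UID set. Patterns are
// ORed: a service account is watched if any pattern matches it.
type allowedUIDs struct {
	mu       sync.RWMutex
	patterns []saPattern
	uids     map[string]struct{}
}

func newAllowedUIDs(patterns []saPattern) *allowedUIDs {
	return &allowedUIDs{patterns: patterns, uids: make(map[string]struct{})}
}

func (a *allowedUIDs) wants(namespace, name string) bool {
	for _, p := range a.patterns {
		if p.matches(namespace, name) {
			return true
		}
	}
	return false
}

// onAdd handles a create event and reports whether the UID was admitted.
func (a *allowedUIDs) onAdd(namespace, name, uid string) bool {
	if !a.wants(namespace, name) {
		return false
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	a.uids[uid] = struct{}{}
	return true
}

// onDelete removes the UID whether or not the name still matches: a deleted
// account must not stay trusted. A re-created account receives a fresh UID,
// so a delete followed by an add never leaves a stale entry behind.
func (a *allowedUIDs) onDelete(uid string) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	_, present := a.uids[uid]
	delete(a.uids, uid)
	return present
}

// isAllowed is the check the admission path would consult for a caller's UID.
func (a *allowedUIDs) isAllowed(uid string) bool {
	a.mu.RLock()
	defer a.mu.RUnlock()
	_, ok := a.uids[uid]
	return ok
}

func main() {
	// Constructed sample value and events, not taken from the PR.
	patterns, err := parsePatterns("namespace1:name1-x*,namespace1:name2-x*,namespace-2:name1-x*")
	if err != nil {
		panic(err)
	}
	allowed := newAllowedUIDs(patterns)
	fmt.Println(allowed.onAdd("namespace1", "name1-xyz", "uid-a"))      // true
	fmt.Println(allowed.onAdd("namespace-2", "name2-x", "uid-b"))       // false
	fmt.Println(allowed.onDelete("uid-a"), allowed.isAllowed("uid-a")) // true false
}
```

The sample value in main is the constructed equivalent of the description's first example (name1-x or name2-x in namespace1, name1-x in namespace-2); a namespace prefix such as team-*:app-x works the same way on the other side of the colon. Keying the set by UID rather than by name matters for the delete/re-create case: Kubernetes assigns a new UID to a re-created ServiceAccount, so a caller presenting the old UID is denied even if the name matches again.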
Checklist
Please make sure you've completed the relevant tasks for this PR, out of the following list: