Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Admin kubeconfig docs #36

Merged
merged 2 commits into from
Jun 12, 2023
Merged

Admin kubeconfig docs #36

merged 2 commits into from
Jun 12, 2023

Conversation

mjudeikis
Copy link
Contributor

@mjudeikis mjudeikis commented Jun 8, 2023
edited
Loading

Supersedes: #30

NONE

Steven Hardy added 2 commits June 7, 2023 11:31
@mjudeikis
rename readme.md -> README.md
332a755
@mjudeikis
README: add example of creating admin kubeconfig
7171d0b 
Provides an example of how to create a client-cert based admin
kubeconfig.
@kcp-ci-bot kcp-ci-bot added dco-signoff: yes Indicates the PR's author has signed the DCO. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 8, 2023
embik
embik reviewed Jun 8, 2023
View reviewed changes
Copy link
Member

@embik embik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One minor nit where I'm not exactly sure how important it is to "fix" that.

README.md
Comment on lines +57 to +59
:warning: this example allows global admin permissions across all workspaces, you may also want to
consider using more restricted groups for example `system:kcp:workspace:access` to provide a
user `system:authenticated` access to a workspace.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: I don't think we should hardcode these kinds of groups (system:kcp:workspace:access will grant access to all workspaces automatically, no?) into certificates and instead link to the authZ docs to give users the tools to set up proper RBAC for their certificate-based users. So I would update this section with a brief note you can pass commonName in your cert instead of a system group and give permissions via RBAC to that new user. WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something to fix later, probably.

@kcp-ci-bot
Copy link
Contributor

@embik: changing LGTM is restricted to collaborators

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sttts
Copy link
Member

sttts commented Jun 12, 2023

/approve

@kcp-ci-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2023
@mjudeikis
Copy link
Contributor Author

/lgtm

@kcp-ci-bot
Copy link
Contributor

@mjudeikis: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mjudeikis mjudeikis added the lgtm Indicates that a PR is ready to be merged. label Jun 12, 2023
@kcp-ci-bot kcp-ci-bot merged commit f942969 into kcp-dev:main Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@embik embik embik approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has signed the DCO. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mjudeikis @kcp-ci-bot @sttts @embik