-
Notifications
You must be signed in to change notification settings - Fork 327
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge Admin Server into API Server and secure via TLS #1115
Conversation
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
pkg/api-server/auth/admin.go
Outdated
return | ||
} | ||
log.Info("attempt to access admin endpoints from the outside of the same machine without allowed certificates") | ||
response.WriteHeader(403) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And if this is an authn then 401
makes more sense
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After putting some thoughts, I think this is authz. Authentication itself is done by mTLS. Here we are checking if you are Mesh Admin (by providing certs or having access to the machine) you can access admin endpoints
Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is a fantastic improvement! Merge it :)
closes #184 |
Current state (before the PR)
State after PR
KUMA_ADMIN_SERVER_APIS_DATAPLANE_TOKEN_ENABLED
to determine if we should require a dp token on universal. This is now changed toKUMA_DP_SERVER_AUTH_TYPE
where you can enable/disable auth on both K8S and UniversalLeftovers for separate PR