control-plane: sds: support k8s environment #201
Conversation
7621069 to 17650e9
pkg/sds/auth/k8s/authenticator.go
Outdated
@@ -41,6 +41,9 @@ func (k *kubeAuthenticator) Authenticate(ctx context.Context, proxyId core_xds.P | |||
} | |||
|
|||
func (k *kubeAuthenticator) reviewToken(ctx context.Context, proxyId core_xds.ProxyId, credential sds_auth.Credential) error { | |||
if credential == "" { | |||
return errors.Errorf("authentication failed: k8s token is missing") |
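Review bot: `errors.Errorf("authentication failed: k8s token is missing")` takes no format arguments, so `errors.New` with the same message is the idiomatic form. The empty-string guard is the right first reject; since `proxyId` is in the signature, the remainder of `reviewToken` (outside this hunk) should finish by comparing the identity the Token Review API returns against the service account implied by `proxyId`, not just by checking that the token authenticates, otherwise any valid in-cluster token would satisfy this check for any proxy.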
nit: `errors.New` is enough
Fixed
pkg/xds/envoy/envoy_test.go
Outdated
} | ||
|
||
// when | ||
resource := envoy.CreateInboundListener(ctx, "inbound:192.168.0.1:8080", "192.168.0.1", 8080, "localhost:8080", true) | ||
DescribeTable("should inject Kuma into a Pod", |
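Review bot: the `DescribeTable` description on the last line, "should inject Kuma into a Pod", does not describe this spec: the file is `pkg/xds/envoy/envoy_test.go` and the subject under test is `envoy.CreateInboundListener(...)`, so the string reads as pasted from a Pod-injection spec. Rename it to describe the inbound listener, e.g. "should generate inbound listener", so a failing Ginkgo run points at the right behaviour.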
Message copy paste?
Fixed
17650e9 to aad8f46
changes:
- on `k8s`, generated Envoy SDS config must include `CallCredentials` in order to pass `k8s token` to `SDS server`
- … `tokenreviews` permission to `kuma-control-plane` service account (to be able to make calls to Token Review API)
- … (`kubernetes/controller-runtime` fetches all Secrets in the cluster, which we cannot allow from a security perspective)
- … `make run/k8s` (since we only auto-generate TLS cert in `universal` case)
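The control-plane side of the flow described above (the SDS server handing the pod's service account token to the Token Review API before serving any secret), as an added example; this is not the PR's or Kuma's own code. It uses only the Go standard library, talks to a constructed fake of the `tokenreviews` endpoint instead of a real API server, and assumes a hypothetical `ProxyID` stand-in for `core_xds.ProxyId` that carries the dataplane's namespace and service account. Beyond the empty-token check visible in the hunk, it adds the step a reviewer should insist on: the identity the API server reports must be the service account the proxy claims, because a token that merely authenticates as *some* pod must not unlock *another* workload's certificate.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenReview is the subset of authentication.k8s.io/v1 TokenReview used here (assumed shape).
type tokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status struct {
		Authenticated bool `json:"authenticated"`
		User          struct {
			Username string `json:"username"`
		} `json:"user"`
	} `json:"status"`
}

// ProxyID is a hypothetical stand-in for core_xds.ProxyId: the namespace and
// service account the dataplane claims to run as.
type ProxyID struct {
	Namespace      string
	ServiceAccount string
}

// ReviewToken posts credential to the TokenReview API at apiServer and accepts it only
// if the API server authenticated it AND it authenticates as proxy's own service account.
func ReviewToken(ctx context.Context, client *http.Client, apiServer string, proxy ProxyID, credential string) error {
	if credential == "" {
		return errors.New("authentication failed: k8s token is missing")
	}
	var review tokenReview
	review.APIVersion = "authentication.k8s.io/v1"
	review.Kind = "TokenReview"
	review.Spec.Token = credential
	body, _ := json.Marshal(review) // fixed struct of strings: cannot fail
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		apiServer+"/apis/authentication.k8s.io/v1/tokenreviews", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("token review request failed: %w", err)
	}
	defer resp.Body.Close()
	var result tokenReview
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return fmt.Errorf("token review: malformed response: %w", err)
	}
	if !result.Status.Authenticated {
		return errors.New("authentication failed: API server rejected token")
	}
	// Binding step: a valid in-cluster token is not enough, it must be THIS proxy's token,
	// otherwise any pod could fetch any other workload's identity certificate via SDS.
	expected := fmt.Sprintf("system:serviceaccount:%s:%s", proxy.Namespace, proxy.ServiceAccount)
	if result.Status.User.Username != expected {
		return fmt.Errorf("authentication failed: token is for %q, proxy claims %q", result.Status.User.Username, expected)
	}
	return nil
}

// NewFakeTokenReviewServer is a constructed stand-in for the API server's tokenreviews
// endpoint; tokens maps a bearer token to the username it authenticates as.
func NewFakeTokenReviewServer(tokens map[string]string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var review tokenReview
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&review) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if user, ok := tokens[review.Spec.Token]; ok {
			review.Status.Authenticated = true
			review.Status.User.Username = user
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(review)
	}))
}

func main() {
	srv := NewFakeTokenReviewServer(map[string]string{
		"tok-backend":  "system:serviceaccount:kuma-demo:backend",
		"tok-frontend": "system:serviceaccount:kuma-demo:frontend",
	})
	defer srv.Close()
	backend := ProxyID{Namespace: "kuma-demo", ServiceAccount: "backend"}
	for _, tok := range []string{"tok-backend", "tok-frontend", "bogus", ""} {
		fmt.Printf("%q: %v\n", tok, ReviewToken(context.Background(), srv.Client(), srv.URL, backend, tok))
	}
}
```

The four tokens in `main` cover the cases a reviewer cares about: the proxy's own token is accepted, a valid token belonging to a different service account in the same namespace is refused at the binding step, an unknown token is refused by the (fake) API server, and an empty credential never leaves the process. In a real deployment the HTTP client must be the in-cluster client with the API server's CA and the control plane's own service account token, which is why the PR grants `tokenreviews` to `kuma-control-plane`.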