add a custom authorizer to ensure kube-apiserver can always access tokenreviews webhook #41
/hold This demonstrates the how. It would need unit tests at least.
```go
type tokenReviewAuthorizer struct{}

func (tokenReviewAuthorizer) Authorize(ctx context.Context, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
	if a.GetUser().GetName() != "system:serviceaccount:openshift-authentication:tokenreviewer" {
```
alright, so this is a service account token used by the KAS, right?
In @stlaz's PR, yes.
Got it. This is just an example. Thanks for sharing it with me.
lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: deads2k, stlaz. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold cancel
Adds a hardcoded authorizer to avoid unnecessary SAR calls. This could be made generic. We could also add one for handling /metrics.
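As an added illustration (not code from this PR), a stand-alone version of the idea in the description: a hardcoded authorizer placed ahead of the delegated, SAR-backed one that allows only the tokenreviewer service account creating tokenreviews and returns NoOpinion for everything else, so that one caller never triggers a SubjectAccessReview while the same identity gets no blanket access. The Decision, Attributes and Authorizer types are minimal constructed stand-ins for k8s.io/apiserver/pkg/authorization/authorizer so the example builds without that module, and the delegated authorizer is a counting stub.

```go
package main
import "context"

// Minimal stand-ins for the k8s.io/apiserver authorizer types, constructed
// here so the example builds without the apiserver module.
type Decision int
const DecisionNoOpinion, DecisionAllow Decision = 0, 1 // NoOpinion defers to the next authorizer
type Attributes struct {
	User, Verb, APIGroup, Resource string
	ResourceRequest                bool
}
type Authorizer interface {
	Authorize(ctx context.Context, a Attributes) (Decision, string, error)
}
// Service account kube-apiserver uses to call the TokenReview webhook (name from the review snippet).
const tokenReviewerUser = "system:serviceaccount:openshift-authentication:tokenreviewer"

// tokenReviewAuthorizer is the hardcoded authorizer: it allows one identity to make
// one kind of request and has no opinion otherwise, so that caller never needs a SAR.
type tokenReviewAuthorizer struct{}

func (tokenReviewAuthorizer) Authorize(_ context.Context, a Attributes) (Decision, string, error) {
	if a.User != tokenReviewerUser {
		return DecisionNoOpinion, "", nil
	}
	if a.ResourceRequest && a.Verb == "create" &&
		a.APIGroup == "authentication.k8s.io" && a.Resource == "tokenreviews" {
		return DecisionAllow, "kube-apiserver TokenReview webhook caller", nil
	}
	return DecisionNoOpinion, "", nil // same identity, other request: no blanket access
}

// delegatedAuthorizer stands in for the SAR-backed authorizer and counts how often it is consulted.
type delegatedAuthorizer struct{ calls int }

func (d *delegatedAuthorizer) Authorize(_ context.Context, _ Attributes) (Decision, string, error) {
	d.calls++
	return DecisionNoOpinion, "", nil
}

// union runs the chain in order; the first non-NoOpinion decision wins.
func union(ctx context.Context, a Attributes, chain ...Authorizer) (Decision, error) {
	for _, az := range chain {
		if d, _, err := az.Authorize(ctx, a); err != nil || d != DecisionNoOpinion {
			return d, err
		}
	}
	return DecisionNoOpinion, nil
}
```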