-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent proxy from starting if the SA does not match #61
Comments
@enj This sounds like a good idea to me. |
+1 |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
We get the SA name as user input, and process it here:
oauth-proxy/providers/openshift/provider.go
Lines 94 to 105 in a95fc9f
This code assumes the SA provided by user input is the same one that is running the pod (because we use that as the secret for the SA based OAuth client). It pulls the SA namespace from this as well.
We need to validate this instead of assuming the values are in agreement. We could do
oc get user ~
with the SA token to make sure it matches (but I feel like there must be a better way to tell what SA is running a pod from inside the pod). The more correct thing would be a flag like--use-openshift-service-account=bool
that just pulls the correct information from the pod / API.xref: #60
The text was updated successfully, but these errors were encountered: