Comments (2)
Other ideas:
- We could try to re-write the kubeconfig YAML to include the `as`/`as-groups` fields. It wouldn't be super smooth because the first kubectl command would fail, but it would work without a custom kubectl.
- If you know the username/groups ahead of time, you can generate the kubeconfig with those `as`/`as-groups` fields in advance. This means your kubeconfig becomes outdated if your groups change.

Other tradeoffs/drawbacks in this proposal:
- Couldn't use alternative CLI clients, including `oc` or tools like `stern` that use client-go but aren't kubectl itself.
- There's a risk that our change would never be accepted upstream into client-go/kubectl.
from pinniped.
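The "generate the kubeconfig in advance" variant from the comment above, written out as an added example (this is not Pinniped's own code or a Pinniped-generated kubeconfig). It assumes a user `alice` in the groups `developers` and `system:authenticated`; the cluster name, server URL, CA path and credential plugin path are constructed placeholders. The `as` and `as-groups` keys are the standard client-go clientcmd fields, which client-go turns into the `Impersonate-User` and `Impersonate-Group` request headers:

```yaml
# Added example, not from the Pinniped project. All names, paths and the
# server URL below are constructed placeholders.
apiVersion: v1
kind: Config
current-context: impersonating
clusters:
- name: example-cluster
  cluster:
    server: https://kube-apiserver.example.invalid:6443   # placeholder
    certificate-authority: /path/to/cluster-ca.crt        # placeholder
contexts:
- name: impersonating
  context:
    cluster: example-cluster
    user: proxy-identity
users:
- name: proxy-identity
  user:
    # The credential that actually authenticates to the API server. The
    # identity it resolves to must hold RBAC permission for the "impersonate"
    # verb on users and groups, or the API server rejects the request.
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /path/to/credential-plugin   # placeholder ExecCredential plugin
      interactiveMode: IfAvailable
    # Impersonation fields client-go adds to every request as
    # Impersonate-User / Impersonate-Group headers. They have to be known
    # when the file is written, which is why the kubeconfig goes stale
    # as soon as group membership changes.
    as: alice
    as-groups:
    - developers
    - system:authenticated
```

The same `user` block also accepts `as-uid` and `as-user-extra` (a map of extra attribute names to lists of values) for the remaining impersonation headers. From the cluster operator's side, pre-populated fields like these do not hide who is acting: the API server authorizes impersonation against the identity behind the `exec` credential (the `impersonate` verb on `users`, `groups`, `uids` and `userextras`), and audit events record both that original `user` and the `impersonatedUser`. On recent clusters `kubectl auth whoami` shows the effective identity a client is using, which is a quick way to confirm that the fields are taking effect and match what RBAC allows.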
We ended up deciding not to do this for now, and to continue pursuing the impersonation proxy as a solution on managed cluster environments. We could still consider doing this in the future, especially if the upstream ExecCredential API adds custom header support.