github/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-02-14 18:10:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

impersonator: add docs regarding limited serivce account

Browse Source 
Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Monis Khan
2021-06-11 13:56:11 -04:00
parent 87489da316
commit addf632e7c
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/concierge/impersonator/doc.go
View File

@@ -11,7 +11,9 @@ The specifics of how it is implemented are of interest. The most novel detail
about the implementation is that we use the "front-end" of the aggregated API
server logic, mainly the DefaultBuildHandlerChain func, to handle how incoming
requests are authenticated, authorized, etc. The "back-end" of the proxy is a
reverse proxy that impersonates the user (instead of serving REST APIs).
reverse proxy that impersonates the user (instead of serving REST APIs). Since
impersonation fails open, we impersonate users via a secondary service account
that has no other permissions on the cluster.
In terms of authentication, we aim to handle every type of authentication that
the Kubernetes API server supports by delegating most of the checks to it. We