mirror of
https://github.com/optim-enterprises-bv/kubernetes.git
synced 2025-11-27 20:03:52 +00:00
Automatic merge from submit-queue

Add namespaced role to inspect particular configmap for delegated authentication

Builds on https://github.com/kubernetes/kubernetes/pull/41814 and https://github.com/kubernetes/kubernetes/pull/41922 (those are already lgtm'ed) with the ultimate goal of making an extension API server zero-config for "normal" authentication cases.

This part creates a namespace role in `kube-system` that can *only* look at the configmap which gives the delegated authentication check. When a cluster-admin grants the SA running the extension API server the power to run delegated authentication checks, he should also bind this role in this namespace.

@sttts Should we add a flag to aggregated API servers to indicate they want to look this up so they can crashloop on startup? The alternative is sometimes having it and sometimes not. I guess we could try to key on explicit "disable front-proxy" which may make more sense.

@kubernetes/sig-api-machinery-misc

@ncdc I spoke to @liggitt about this before he left and he was ok in concept. Can you take a look at the details?
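
The shape of the grant the commit message describes, written as manifests. This is an added example, not taken from the commit or from the Kubernetes source: the commit message does not name the role or the configmap, so `extension-apiserver-authentication-reader` and `extension-apiserver-authentication` are assumed here from the names current Kubernetes uses, the single `get` verb is an assumption, and the binding, service account and its namespace are hypothetical.

```yaml
# Role in kube-system limited to one named ConfigMap. resourceNames pins the
# rule to that object, so the subject cannot read any other ConfigMap in the
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: extension-apiserver-authentication-reader   # assumed name
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["extension-apiserver-authentication"]   # assumed name
  verbs: ["get"]                                          # assumed verb set
---
# The binding lives in kube-system, next to the Role, even though the service
# account running the extension API server lives in another namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-extension-apiserver-auth-reader   # hypothetical
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: my-extension-apiserver               # hypothetical
  namespace: my-extension-ns                 # hypothetical
```

With those names, `kubectl auth can-i get configmaps/extension-apiserver-authentication -n kube-system --as=system:serviceaccount:my-extension-ns:my-extension-apiserver` should answer `yes`, and the same check against any other configmap in `kube-system` should answer `no`.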