kube-rbac-proxy

Ability to configure several resource request authorizations

Open simonpasquier opened this issue 3 years ago • 2 comments

Right now kube-rbac-proxy can be configured with only one resource request authorization (as described in https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes). It would be useful to specify more than one resource request.

We have a practical use case with the OpenShift cluster-monitoring operator: it deploys Alertmanager with an OAuth proxy sidecar that authorizes only users who have the "get namespaces" and "patch a specific resource in a given namespace" permissions (see https://github.com/openshift/cluster-monitoring-operator/blob/d097e7095cf0c4a193935c2f58d4973a18a2c7db/assets/alertmanager/alertmanager.yaml#L34-L36 for details). The reason is that users who can only "get namespaces" have access to our Prometheus/Thanos APIs but not the Alertmanager API, because the latter allows modifying data (silences). Eventually we'd like to replace OAuth proxy with kube-rbac-proxy (to minimize our cognitive overhead), so being able to combine several resource requests would be great.

cc @s-urbaniak

simonpasquier • Dec 02 '21 13:12

cc @ibihim

s-urbaniak • Dec 02 '21 13:12

I am positive on this change :+1: One way to introduce this change without breaking existing behavior is to add --config-files (plural) in addition to the existing --config-file setting.

s-urbaniak • Dec 02 '21 13:12
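
The combination requested in this issue can be modelled as follows. This is an added example, not kube-rbac-proxy code and not written by the thread's participants. It assumes that "several resource requests" means every check must pass (as in the Alertmanager use case) and that any error denies access; all type, function and variable names, the grants table, and the namespace, group, resource and name in the second check are hypothetical placeholders.

```go
// Added example, not kube-rbac-proxy code. All names here are hypothetical.
package main

import "fmt"

// ResourceAttributes mirrors fields of spec.resourceAttributes in a SubjectAccessReview.
type ResourceAttributes struct{ Namespace, Verb, Group, Resource, Name string }

// Reviewer stands in for one SubjectAccessReview call to the API server.
type Reviewer func(user string, a ResourceAttributes) (bool, error)

// AuthorizeAll allows a user only if every configured check is allowed.
// An empty check list, a review error or a single denial all deny (fail closed).
func AuthorizeAll(user string, checks []ResourceAttributes, review Reviewer) (bool, error) {
	if len(checks) == 0 {
		return false, fmt.Errorf("no resource attributes configured")
	}
	for _, c := range checks {
		if allowed, err := review(user, c); err != nil || !allowed {
			return false, err // err is nil for a plain denial
		}
	}
	return true, nil
}

// Constructed checks modelled on the issue's use case; the namespace, API group,
// resource and name in the second entry are placeholders.
var checks = []ResourceAttributes{
	{Verb: "get", Resource: "namespaces"},
	{Namespace: "example-ns", Verb: "patch", Group: "example.io", Resource: "examples", Name: "main"},
}

// Constructed in-memory grants ("user/verb") replacing a live API server.
var grants = map[string]bool{"viewer/get": true, "editor/get": true, "editor/patch": true}

func fakeReview(user string, a ResourceAttributes) (bool, error) {
	if user == "" {
		return false, fmt.Errorf("no authenticated user")
	}
	return grants[user+"/"+a.Verb], nil
}

func main() {
	for _, u := range []string{"viewer", "editor"} {
		ok, err := AuthorizeAll(u, checks, fakeReview)
		fmt.Println(u, ok, err)
	}
}
```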