Mo Khan
Using `interface{}` here is the wrong approach. A custom `type Audience []string` with the appropriate unmarshal implementation will give you type safety and avoid panics. Any attempt to fix this...
@openshift/sig-security
Projects are already annotated with the user who requested them.
1. This applies to both the supervisor and the concierge 2. `system:` should also be disallowed in usernames 3. Related but a separate issue: all pinniped logins should always include...
My current thoughts on this are: 1. Distinct `JWTAuthenticator`s on the same cluster should have distinct audiences, even in the face of multiple API group support 2. The audiences should...
Let's make sure stuff like #337 is considered when we implement this.
In case anyone decides to pick this up: The impersonation proxy uses client certificates for authentication, thus any form of TLS termination is incompatible with it (i.e. if using Kube ingress,...
> Are you saying that the solution of exposing the proxy on a non-TLS port is not an option? It may be simpler, even if it is not the initial...
A possible "workaround" https://github.com/vmware-tanzu/pinniped/issues/1004#issuecomment-1039213449
@neolit123 mentioned that folks upstream had a hard time reading starlark when used with bazel. [CEL](https://github.com/google/cel-go) might be something to look into.