kubezoo icon indicating copy to clipboard operation
kubezoo copied to clipboard

Published 20 hours ago verified publisher icon kubewharf

[Proposal] KubeZoo supports using service account tokens to identify tenants without sa.pub and sa.key

Open caohe opened this issue 2 years ago • 1 comments

What would you like to be added?

KubeZoo supports identifying tenants with service account tokens by transparently passing tokens to the upstream cluster. That is, kubezoo does not need to authenticate tenants, while the upstream cluster authenticates them.

Why is this needed?

Currently, KubeZoo supports identifying tenants with service account tokens. This requires the admin to provide sa.pub and sa.key of the upstream cluster when deploying KubeZoo. However, users cannot access sa.pub and sa.key on some public clouds.

Therefore, KubeZoo needs to support using service account tokens to identify tenants without sa.pub and sa.key.

caohe avatar Feb 06 '23 09:02 caohe

Related: #29 is blocking on this issue and/or #34 since the coredns pod should authenticate as the tenant using its own serviceaccount in the tenant namespace.

SOF3 avatar Feb 07 '23 05:02 SOF3