Ability to configure several resource request authorizations #154
Comments
cc @ibihim
I am positive on this change 👍 one way to introduce this change without breaking existing behavior is to add
squat added a commit to squat/kube-rbac-proxy that referenced this issue on Apr 1, 2022
This commit fixes issue brancz#154 by enabling the user to repeat the `--config-file` flag multiple times to specify multiple configurations. Doing so allows the user to declare that the krp should, e.g., enforce multiple resource attributes. Signed-off-by: Lucas Servén Marín <[email protected]>
Right now kube-rbac-proxy can be configured with only one resource request authorization (as described in https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes). It would be useful to specify more than one resource request.
We have a practical use case with the OpenShift cluster-monitoring operator: it deploys Alertmanager with an OAuth proxy sidecar that authorizes only users who have the "get namespaces" and "patch a specific resource in a given namespace" permissions (see https://github.com/openshift/cluster-monitoring-operator/blob/d097e7095cf0c4a193935c2f58d4973a18a2c7db/assets/alertmanager/alertmanager.yaml#L34-L36 for details). The reason is that users who can only "get namespaces" have access to our Prometheus/Thanos APIs but not the Alertmanager API, because the latter allows modifying data (silences).
Eventually we'd like to replace OAuth proxy with kube-rbac-proxy (to minimize our cognitive overhead), so being able to combine several resource requests would be great.
cc @s-urbaniak
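The semantics requested above, as an added example that is not kube-rbac-proxy's code or the referenced commit: a request is allowed only if every configured resource check passes. The `Authorizer` function stands in for a SubjectAccessReview call, and the type names, resource names, users and the deny-on-empty behaviour are assumptions constructed for illustration.

```go
package main

import "fmt"

// ResourceAttributes holds the fields of one resource request check.
type ResourceAttributes struct {
	Verb, APIGroup, Resource, Namespace, Name string
}

// Authorizer stands in for a SubjectAccessReview call to the API server.
type Authorizer func(user string, attrs ResourceAttributes) bool

// Constructed checks modelled on the Alertmanager use case in the issue.
var alertmanagerChecks = []ResourceAttributes{
	{Verb: "get", Resource: "namespaces"},
	{Verb: "patch", APIGroup: "monitoring.coreos.com", Resource: "alertmanagers", Namespace: "monitoring", Name: "main"},
}

// sampleAuthorizer answers from a constructed in-memory grant table.
func sampleAuthorizer() Authorizer {
	get, patch := alertmanagerChecks[0], alertmanagerChecks[1]
	grants := map[string]map[ResourceAttributes]bool{
		"viewer": {get: true},              // may only get namespaces
		"admin":  {get: true, patch: true}, // may also patch the Alertmanager
	}
	return func(user string, attrs ResourceAttributes) bool { return grants[user][attrs] }
}

// AuthorizeAll allows a request only if every check passes (logical AND).
// An empty check list is denied (an assumption) so a missing config cannot fail open.
func AuthorizeAll(authz Authorizer, user string, checks []ResourceAttributes) (bool, string) {
	if len(checks) == 0 {
		return false, "no authorization checks configured"
	}
	for _, c := range checks {
		if !authz(user, c) {
			return false, fmt.Sprintf("%s %s denied for %s", c.Verb, c.Resource, user)
		}
	}
	return true, ""
}

func main() {
	for _, u := range []string{"viewer", "admin", "unknown"} {
		ok, reason := AuthorizeAll(sampleAuthorizer(), u, alertmanagerChecks)
		fmt.Println(u, ok, reason)
	}
}
```

With a single check, the `viewer` user would reach the Alertmanager API; requiring both checks is what keeps read-only users away from silences.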