New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(28) Force a manual opt-in for legacy SA token? link #336

Open

Tracked by

ibihim opened this issue Nov 29, 2024 · 0 comments

Open

Tracked by

(28) Force a manual opt-in for legacy SA token? link #336

ibihim opened this issue Nov 29, 2024 · 0 comments

Labels

sig-auth-acceptance

Collaborator

ibihim commented Nov 29, 2024 •

edited

Loading

What

(1) Don't accept legacy token, except a flag is being used that enables legacy tokens.
(2) Reject tokens that don't address us (kube-apiserver SA tokens).

Why

(1) Legacy tokens are more insecure and are being phased out.
(2) It is hard to predict what kind of audience "upstream" is, but we can be sure it is not kube-apiserver.

Reference

https://github.com/brancz/kube-rbac-proxy/pull/229/files#diff-5379bac64778825441ad4a223c319e73645905b9864419d08eb7b8d2db974cddR141-R143

ibihim mentioned this issue

Sig-Auth Pre-Acceptance 2nd Review #238

Open

58 tasks

ibihim added the sig-auth-acceptance label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment