Comments (6)
Thanks for the report and sorry for the late reply! I did a quick test and I agree that we should be setting ClientAuth: tls.RequestClientCert here. The fix itself is very simple but adding a test case is more involved. If someone wants to have a look, they're welcome :)
cc @s-urbaniak for awareness.
from kube-rbac-proxy.
I feel like I can give it a try if you do not mind.
from kube-rbac-proxy.
@nabokihms generally the addition of RequestClientCert makes sense to me, but out of curiosity to understand why we need that option, do you also want to contribute a client-cert based authenticator in kube-rbac-proxy as well?
from kube-rbac-proxy.
The client-cert based authenticator is already in the code.
Actually, this authenticator is a combination of various authenticators.
Look here. The New method shows exactly how it combines authenticators and which authentication types you can use.
So, two things you need to do to make the client-cert based authenticator work:
- Add srv.TLSConfig.ClientAuth = tls.RequestClientCert
- Specify the --client-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt flag for the kube-rbac-proxy instance.
from kube-rbac-proxy.
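Added example, not part of the thread and not kube-rbac-proxy's own code: with tls.RequestClientCert the Go TLS handshake does not verify the client certificate, so whatever consumes it must chain it to the --client-ca-file pool before trusting the identity. The names userFromCert and issue are hypothetical, and the CA and client certificates are constructed in-process as sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// userFromCert does the check tls.RequestClientCert leaves to the application: chain the
// leaf in r.TLS.PeerCertificates to the client CA pool and require the clientAuth usage.
func userFromCert(peer []*x509.Certificate, clientCAs *x509.CertPool) (string, bool, error) {
	if len(peer) == 0 {
		return "", false, nil // no certificate sent: caller may try token auth
	}
	opts := x509.VerifyOptions{Roots: clientCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer[0].Verify(opts); err != nil {
		return "", false, fmt.Errorf("client certificate rejected: %w", err)
	}
	return peer[0].Subject.CommonName, true, nil
}

// issue builds a constructed sample certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = t, key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := issue("constructed-client-ca", nil, nil)
	leaf, _ := issue("constructed-user", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println(userFromCert([]*x509.Certificate{leaf}, pool)) // constructed-user true <nil>
}
```

A certificate issued by any other CA, even one with the same subject name, completes the handshake under RequestClientCert but is rejected by this check.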
I forked this proxy and tested it (I think it was a year ago). In our Kubernetes clusters, we use both tokens and certs.
from kube-rbac-proxy.
Ahh, ok, I was always under the impression that the delegating authenticator just does the token review. Yes, this makes perfect sense to me now 👍 Indeed, that would be a great contribution!
from kube-rbac-proxy.