ContainerImage.Pinniped

djpbessems/ContainerImage.Pinniped

Fork 0

Commit Graph

Author	SHA1	Message	Date
Monis Khan	d78b845575	Fix bad test package name Signed-off-by: Monis Khan <mok@vmware.com>	2021-06-22 11:23:19 -04:00
Monis Khan	524ff21b7f	TestServiceAccountPermissions: handle extra permissions on EKS Signed-off-by: Monis Khan <mok@vmware.com>	2021-06-15 11:17:59 -04:00
Monis Khan	898f2bf942	impersonator: run as a distinct SA with minimal permissions This change updates the impersonation proxy code to run as a distinct service account that only has permission to impersonate identities. Thus any future vulnerability that causes the impersonation headers to be dropped will fail closed instead of escalating to the concierge's default service account which has significantly more permissions. Signed-off-by: Monis Khan <mok@vmware.com>	2021-06-11 12:13:53 -04:00

Author

SHA1

Message

Date

Monis Khan

d78b845575

Fix bad test package name

Signed-off-by: Monis Khan <mok@vmware.com>

2021-06-22 11:23:19 -04:00

Monis Khan

524ff21b7f

TestServiceAccountPermissions: handle extra permissions on EKS

Signed-off-by: Monis Khan <mok@vmware.com>

2021-06-15 11:17:59 -04:00

Monis Khan

898f2bf942

impersonator: run as a distinct SA with minimal permissions

This change updates the impersonation proxy code to run as a
distinct service account that only has permission to impersonate
identities.  Thus any future vulnerability that causes the
impersonation headers to be dropped will fail closed instead of
escalating to the concierge's default service account which has
significantly more permissions.

Signed-off-by: Monis Khan <mok@vmware.com>

2021-06-11 12:13:53 -04:00

3 Commits