History

Monis Khan 898f2bf942 impersonator: run as a distinct SA with minimal permissions This change updates the impersonation proxy code to run as a distinct service account that only has permission to impersonate identities. Thus any future vulnerability that causes the impersonation headers to be dropped will fail closed instead of escalating to the concierge's default service account which has significantly more permissions. Signed-off-by: Monis Khan <mok@vmware.com>		2021-06-11 12:13:53 -04:00
..
authentication.concierge.pinniped.dev_jwtauthenticators.yaml	Generated	2021-02-10 21:52:09 -05:00
authentication.concierge.pinniped.dev_webhookauthenticators.yaml	Generated	2021-02-10 21:52:09 -05:00
config.concierge.pinniped.dev_credentialissuers.yaml	Update generated code from previous commit.	2021-05-19 11:41:35 -05:00
deployment.yaml	impersonator: run as a distinct SA with minimal permissions	2021-06-11 12:13:53 -04:00
helpers.lib.yaml	deploy: wire API group suffix through YTT templates	2021-01-19 17:23:06 -05:00
rbac.yaml	impersonator: run as a distinct SA with minimal permissions	2021-06-11 12:13:53 -04:00
README.md	Restructure docs into new layout.	2021-02-23 11:11:07 -06:00
values.yaml	Fix typo in CredentialIssuer ytt template.	2021-06-02 14:48:18 -05:00
z0_crd_overlay.yaml	deploy: wire API group suffix through YTT templates	2021-01-19 17:23:06 -05:00

Pinniped Concierge Deployment