ContainerImage.Pinniped/deploy/concierge
Matt Moyer b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount.
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00
..
authentication.concierge.pinniped.dev_jwtauthenticators.yaml Generated 2021-02-10 21:52:09 -05:00
authentication.concierge.pinniped.dev_webhookauthenticators.yaml Generated 2021-02-10 21:52:09 -05:00
config.concierge.pinniped.dev_credentialissuers.yaml Fix a copy-paste typo in the ImpersonationProxyInfo JSON field name. 2021-03-12 13:24:05 -06:00
deployment.yaml Run kube-cert-agent pod as Concierge ServiceAccount. 2021-05-03 16:20:13 -05:00
helpers.lib.yaml deploy: wire API group suffix through YTT templates 2021-01-19 17:23:06 -05:00
rbac.yaml Add a new "legacy pod cleaner" controller. 2021-04-26 08:19:45 -06:00
README.md Restructure docs into new layout. 2021-02-23 11:11:07 -06:00
values.yaml fix a typo in some comments 2021-03-22 09:34:58 -07:00
z0_crd_overlay.yaml deploy: wire API group suffix through YTT templates 2021-01-19 17:23:06 -05:00

Pinniped Concierge Deployment

See the how-to guide for details.