djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
b80cbb8cc5
ContainerImage.Pinniped/internal
History
Matt Moyer b80cbb8cc5
Run kube-cert-agent pod as Concierge ServiceAccount. 
Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-05-03 16:20:13 -05:00
..
apiserviceref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
certauthority dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
clusterhost Introduce clusterhost package to determine whether a cluster has control plane nodes 2021-02-09 11:16:01 -08:00
concierge impersonator: add support for service account token authentication 2021-04-29 17:30:35 -04:00
config Run kube-cert-agent pod as Concierge ServiceAccount. 2021-05-03 16:20:13 -05:00
constable Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
controller Run kube-cert-agent pod as Concierge ServiceAccount. 2021-05-03 16:20:13 -05:00
controllerlib Allow multiple Pinnipeds to work on same cluster 2021-02-02 15:18:41 -08:00
controllermanager Run kube-cert-agent pod as Concierge ServiceAccount. 2021-05-03 16:20:13 -05:00
crud Supervisor storage garbage collection controller enabled in production 2020-12-11 15:21:34 -08:00
deploymentref Use API service as owner ref for cluster scoped resources 2021-02-10 21:52:08 -05:00
downward internal/downward: add support for (optional) pod name 2020-12-11 11:49:27 -05:00
dynamiccert dynamiccert: unit test with DynamicServingCertificateController 2021-03-15 17:23:37 -04:00
execcredcache Add CLI caching of cluster-specific credentials. 2021-04-08 14:12:34 -05:00
fositestorage Update ExpectedAuthorizeCodeSessionJSONFromFuzzing. 2020-12-17 16:31:08 -06:00
groupsuffix Add WhoAmIRequest Aggregated Virtual REST API 2021-02-22 20:02:41 -05:00
here Save 2 lines by using inline-style comments for Copyright 2020-09-16 10:35:19 -04:00
httputil impersonator: test UID impersonation and header canonicalization 2021-03-16 13:00:51 -04:00
issuer dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
kubeclient internal/kubeclient: match plog level with klog level 2021-04-21 16:25:08 -04:00
mocks dynamiccert: split into serving cert and CA providers 2021-03-15 12:24:07 -04:00
oidc oidc discovery: encode metadata once and reuse 2021-03-03 13:37:43 -05:00
ownerref internal/groupsuffix: mutate TokenCredentialRequest's Authenticator 2021-02-10 15:53:44 -05:00
plog internal/plog: add KObj() and KRef() 2021-02-10 14:25:39 -05:00
registry certauthority.go: Refactor issuing client versus server certs 2021-03-12 16:09:37 -08:00
secret All controller unit tests should not cancel context until test is over 2021-03-04 17:26:01 -08:00
testutil certauthority.go: Refactor issuing client versus server certs 2021-03-12 16:09:37 -08:00
upstreamoidc Upgrade to github.com/coreos/go-oidc v3.0.0. 2021-01-21 12:08:14 -06:00
valuelesscontext valuelesscontext: make unit tests more clear 2021-04-30 10:43:29 -04:00