ContainerImage.Pinniped

History

Matt Moyer b80cbb8cc5 Run kube-cert-agent pod as Concierge ServiceAccount. Since `0dfb3e95c5`, we no longer directly create the kube-cert-agent Pod, so our "use" permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat simply by using the same service account as the main Concierge pods. We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the agent pod when running. Signed-off-by: Matt Moyer <moyerm@vmware.com>	2021-05-03 16:20:13 -05:00
..
concierge	Run kube-cert-agent pod as Concierge ServiceAccount.	2021-05-03 16:20:13 -05:00
supervisor	Add WhoAmIRequest Aggregated Virtual REST API	2021-02-22 20:02:41 -05:00

Run kube-cert-agent pod as Concierge ServiceAccount.

Since 0dfb3e95c5, we no longer directly create the kube-cert-agent Pod, so our "use"
permission on PodSecurityPolicies no longer has the intended effect. Since the deployments controller is now the
one creating pods for us, we need to get the permission on the PodSpec of the target pod instead, which we do somewhat
simply by using the same service account as the main Concierge pods.

We still set `automountServiceAccountToken: false`, so this should not actually give any useful permissions to the
agent pod when running.

Signed-off-by: Matt Moyer <moyerm@vmware.com>

2021-05-03 16:20:13 -05:00

concierge Run kube-cert-agent pod as Concierge ServiceAccount. 2021-05-03 16:20:13 -05:00

supervisor Add WhoAmIRequest Aggregated Virtual REST API 2021-02-22 20:02:41 -05:00