Merge branch 'design-identity' of github.com:joshvanl/cert-manager into design-identity

Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>
This commit is contained in:
joshvanl 2021-02-11 17:24:37 +00:00
commit 7e38aab32a

@ -48,13 +48,13 @@ is able to determine whether that identity is allowed to request that
certificate, given some policy configuration setup by a cluster administrator.
Although auditing exists in Kubernetes and exposes the identity of the
requester, its configuration is not always exposed to end users, such as in
scenarios when using managed Kubernetes (GKE, EKS etc). In scenarios when
requester, its configuration is not always exposed to end users, such as
when using managed Kubernetes (GKE, EKS etc). In scenarios where
configuring auditing is available, it is often not preferable and an
anti-pattern to make runtime decisions on historical audit logs.
The upstream [Kubernetes certificates
`CertificateSigningRequest`](https://github.com/kubernetes/api/blob/master/certificates/v1/types.go#L41)
`CertificateSigningRequest`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#certificatesigningrequest-v1-certificates-k8s-io)
API has the identity of the requesting Kubernetes user. As the project intends
to transition to this resource as part of the project, the `CertificateRequest`
should strive to match 1:1 wherever possible. This means extensions or additions
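Review bot: Pinning the `CertificateSigningRequest` link to the v1.20 API reference rather than `types.go` on `master` is the right call, since the paragraph says `CertificateRequest` should match that resource 1:1 and a `master` link would drift; consider also naming the API version (`certificates.k8s.io/v1`) in the sentence itself so the correspondence is explicit without following the link. While touching this paragraph, the rewritten line "when using managed Kubernetes (GKE, EKS etc)." should read "(GKE, EKS, etc.)".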
@ -94,7 +94,7 @@ simply override them.
- No user info fields have been set by the [user creating the resource](
https://github.com/kubernetes/kubernetes/blob/7a94debba5f8c21bbf8b42b2a7f1d5e974ddb837/pkg/registry/certificates/certificates/strategy.go#L63-L79)
- Set user info fields to exactly what is received from the API server in the
[UserInfo](https://github.com/kubernetes/api/blob/master/authentication/v1/types.go#L102)
[UserInfo](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#userinfo-v1-authentication-k8s-io)
The webhook will also responsible for enforcing the following during an UPDATE
operation. Any attempt to changes these fields will result in a rejected
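Review bot: The context lines closing this hunk have two grammar slips that should be fixed while the paragraph is being edited: "The webhook will also responsible for enforcing" is missing "be", and "Any attempt to changes these fields" should read "Any attempt to change these fields". The `UserInfo` link change itself is consistent with the first hunk (versioned v1.20 reference instead of `master`), though the preceding `strategy.go` link stays pinned to a commit hash; either form is stable, but the document would read more uniformly if it explained why one reference is to docs and the other to source.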