Add option to use anonymous authentication in k8s WorkloadAttestor #3273
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The k8s WorkloadAttestor plugin does not provide a way to obtain selectors from the kubelet over the secure port when the kubelet is configured to use anonymous authentication. Add a configuration field `use_anonymous_authentication` that allows the plugin to send unauthenticated requests to the kubelet secure port. Signed-off-by: Ryan Turner <[email protected]>
rturner3
requested review from
evan2645,
amartinezfayo,
azdagron and
MarcosDY
as code owners
MarcosDY
reviewed
Jul 26, 2022
There was a problem hiding this comment.
Great!!! Code looks good, but can you add the new configuration with some notes on https://github.com/spiffe/spire/blob/main/conf/agent/agent_full.conf#L319?
added 2 commits
July 26, 2022 17:53
Signed-off-by: Ryan Turner <[email protected]>
Signed-off-by: Ryan Turner <[email protected]>
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
…piffe#3273) * Add option to use anonymous authentication in k8s WorkloadAttestor The k8s WorkloadAttestor plugin does not provide a way to obtain selectors from the kubelet over the secure port when the kubelet is configured to use anonymous authentication. Add a configuration field `use_anonymous_authentication` that allows the plugin to send unauthenticated requests to the kubelet secure port. Signed-off-by: Ryan Turner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Affected functionality
k8sWorkloadAttestor plugin integration with kubeletDescription of change
The
k8sWorkloadAttestor plugin does not provide a way to obtain selectors from the kubelet over the secure port when the kubelet is configured to use anonymous authentication. Add a configuration fielduse_anonymous_authenticationthat allows the plugin to send unauthenticated requests to the kubelet secure port.Which issue this PR fixes
#3193
Tested this with the
k8s-reconciletest with these changes applied in my local branch: 0d59a37