Why not an Authenticating Proxy

Question

Why not an Authenticating Proxy

mikebell90 opened this issue 4 years ago · 2 comments

Forgive me this ignorant question as I'm a relative Kubernetes n00b.

Why is this not implemented as an Authenticating Proxy instead of the way it is? Wouldn't that be cleaner and avoid the whole impersonation thing?

Feels cleaner to me, so I'm probably missing a crucial detail?

Answer 1 · 2020-05-11T09:56:20.000Z

Hello!

The reason for this is when using Kubernetes platforms (GKE, EKS...) where there is no access to the API server CLI flags and so can't be configured. This means that functionality needs to be put outside of the control plane, which makes using impersonation a requirement.

Answer 2 · 2020-08-03T03:14:17.000Z

@JoshVanL i see a big warning at the top of the readme for this project. What makes this project not secure enough ?Is there a list of things listed somewhere which are known issues or things we need to worry about from security perspective ?