jetstack/kube-oidc-proxy

Need the ability to prefix the users and groups that we impersonate

nickperry opened this issue · 4 comments

Kubernetes API server OIDC provides the options oidc-username-prefix and oidc-groups-prefix.

At our site, for example, we set

oidc-username-prefix=oidc:
oidc-groups-prefix=oidc:

This is a good practice as it makes it very obvious what sort of user and group we're dealing with, for example when looking at audit logs.

All of our role bindings for human users are based on this. Unfortunately, this breaks when we use kube-oidc-proxy because, although the full suite of oidc options is listed when you run kube-oidc-proxy -h, not all of them take effect.

It seems reasonable that kube-oidc-proxy should implement oidc-username-prefix and oidc-groups-prefix.
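An added example, not part of the original issue and not kube-oidc-proxy's own code: it shows why a role binding written against prefixed names stops matching if an impersonating proxy drops a prefix. The helper names, the `Claims` type and the sample identity are hypothetical; the prefix rules are the ones documented for kube-apiserver's `--oidc-username-prefix` and `--oidc-groups-prefix`, assumed here to carry over to the proxy.

```go
package main

import (
	"fmt"
	"net/http"
)

// Claims holds fields from an already-verified ID token (constructed sample type).
type Claims struct {
	Issuer, UsernameClaim, Username string
	Groups                          []string
}

// impersonationHeaders is a hypothetical helper: it applies the prefix rules
// documented for kube-apiserver's --oidc-username-prefix and --oidc-groups-prefix.
func impersonationHeaders(c Claims, userPrefix, groupsPrefix string) http.Header {
	switch {
	case userPrefix == "-": // "-" explicitly disables username prefixing
		userPrefix = ""
	case userPrefix == "" && c.UsernameClaim != "email":
		userPrefix = c.Issuer + "#" // default for non-email claims avoids name clashes
	}
	h := http.Header{}
	h.Set("Impersonate-User", userPrefix+c.Username)
	for _, g := range c.Groups {
		h.Add("Impersonate-Group", groupsPrefix+g)
	}
	return h
}

// bound reports whether the impersonated identity matches any RBAC subject,
// keyed as "Kind/name" exactly as written in a RoleBinding.
func bound(h http.Header, subjects map[string]bool) bool {
	if subjects["User/"+h.Get("Impersonate-User")] {
		return true
	}
	for _, g := range h.Values("Impersonate-Group") {
		if subjects["Group/"+g] {
			return true
		}
	}
	return false
}

func main() {
	c := Claims{"https://idp.example.com", "email", "jane@example.com", []string{"platform-admins"}} // constructed
	subjects := map[string]bool{"Group/oidc:platform-admins": true}
	fmt.Println(bound(impersonationHeaders(c, "oidc:", "oidc:"), subjects)) // prefixes applied
	fmt.Println(bound(impersonationHeaders(c, "oidc:", ""), subjects))      // groups prefix dropped
}
```
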

Thanks for bringing this up, an oversight by me

/kind bug
/assign

Sorry @JoshVanL. This is really embarrassing for me as I've seen the work you've put into 546c18e, but, I was mistaken - it actually worked already. I had a misconfiguration in my environment when I raised this issue.

I owe you a 🍺.

Here you can see that info.User.data.Name already has my "oidc:" prefix:

image

We are now using kube-oidc-proxy v0.1.1 successfully on our real clusters, with prefixes working perfectly for users and groups.

Whoops! 😬
No harm done, my fault also for not checking!

Glad it's working as expected :)

/close

@JoshVanL: Closing this issue.
