Open whitlockjc opened 8 years ago
We need to ensure we work together with @mpnally to make sure we use the proper JWT claim for identifying the user. This will have an impact on the Kubernetes authz webhook (https://github.com/30x/project-management/issues/162).
Based on the way the permission service works now, we need to use the `sub` claim. Since `--oidc-username-claim` defaults to `sub`, we can just omit this flag for now or explicitly set it to `sub`.
Useful link on how to set up `~/.kube/config` to do automatic token refreshing: https://github.com/TremoloSecurity/wiki/blob/master/kubernetes.md#option-1---oidc-authenticator
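As an added illustration (not part of the thread) of the two comments above, the API server flags that select the `sub` claim and a matching `~/.kube/config` entry that lets kubectl refresh the ID token itself; the issuer URL, cluster address, client id, secret, tokens and CA path are placeholders.

```yaml
# Added example, not from this issue. kube-apiserver flags that pair with the
# kubeconfig below (all values are placeholders):
#   --oidc-issuer-url=https://sso.example.com   # must serve /.well-known/openid-configuration over TLS
#   --oidc-client-id=kubernetes                 # must equal the id_token "aud" claim
#   --oidc-username-claim=sub                   # the default; stated explicitly because authz keys on "sub"
apiVersion: v1
kind: Config
clusters:
- name: example-cluster
  cluster:
    server: https://api.example.com:6443
    certificate-authority: /path/to/cluster-ca.crt
users:
- name: sso-user
  user:
    auth-provider:
      name: oidc
      config:
        idp-issuer-url: https://sso.example.com   # same value as --oidc-issuer-url
        client-id: kubernetes                     # same value as --oidc-client-id
        client-secret: <client-secret-placeholder>
        id-token: <initial-id-token-placeholder>
        # kubectl uses the refresh token to obtain a new id-token once the
        # current one expires, so the user does not log in again each time.
        refresh-token: <refresh-token-placeholder>
contexts:
- name: example
  context:
    cluster: example-cluster
    user: sso-user
current-context: example
```

Because the username the API server (and therefore the authz webhook) sees is the raw `sub` value, RBAC bindings and permission-service lookups have to be keyed on that identifier, not on an email or display name.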
Now that we know we can use Apigee's SSO for Kubernetes authentication, we need to get the SSO deployed in a way to allow for it and configure the Kubernetes API Servers to consume it.