Why not an Authenticating Proxy

jetstack / kube-oidc-proxy

Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.

https://jetstack.io

Apache License 2.0

477 stars 91 forks source link

Why not an Authenticating Proxy #152

Open mikebell90 opened 4 years ago

mikebell90 commented 4 years ago

Forgive me this ignorant question as I'm a relative Kubernetes n00b.

Why is this not implemented as an Authenticating Proxy instead of the way it is? Wouldn't that be cleaner and avoid the whole impersonation thing?

Feels cleaner to me, so I'm probably missing a crucial detail?

JoshVanL commented 4 years ago

Hello!

The reason for this is when using Kubernetes platforms (GKE, EKS...) where there is no access to the API server CLI flags and so can't be configured. This means that functionality needs to be put outside of the control plane, which makes using impersonation a requirement.

krmayankk commented 4 years ago

@JoshVanL i see a big warning at the top of the readme for this project. What makes this project not secure enough ?Is there a list of things listed somewhere which are known issues or things we need to worry about from security perspective ?