kyverno / website

User docs and sample policies: https://kyverno.io
Apache License 2.0

[Bug] Kyverno docs state that no authentication is used in external service calls but a bearer token is passed in the HTTP header #1308

Open Dyex719 opened 3 months ago

Dyex719 commented 3 months ago

Page link

https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls

Description

The Kyverno docs under external service call state that:

At this time, authentication as part of these service calls is not supported.

However, a token is added to allow verification of the caller identity, using the token review API as seen here: https://github.com/kyverno/kyverno/blob/main/pkg/engine/apicall/executor.go#L121

Expected behavior

Something along the lines of:

Authentication is provided by adding a bearer token to allow verification of the caller identity, using the token review API. At the moment, this token review API uses the default service account token as the bearer token.

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1721163419677659
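
How a service on the receiving end of such a call could check the bearer token with the TokenReview API, as an added example that is not part of the original issue or of Kyverno's code. The function names, the sample token and the service account name a caller would pass as `allowed` are assumptions made for illustration; the HTTP round trip to the API server is left out so the block runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// reviewResponse holds the TokenReview status fields this check reads.
type reviewResponse struct {
	Status struct {
		Authenticated bool   `json:"authenticated"`
		Error         string `json:"error"`
		User          struct{ Username string `json:"username"` } `json:"user"`
	} `json:"status"`
}

// bearerToken extracts the token from an Authorization header value.
func bearerToken(header string) (string, error) {
	parts := strings.SplitN(header, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || strings.TrimSpace(parts[1]) == "" {
		return "", fmt.Errorf("missing bearer token")
	}
	return strings.TrimSpace(parts[1]), nil
}

// reviewRequest builds the body to POST to /apis/authentication.k8s.io/v1/tokenreviews.
func reviewRequest(token string) ([]byte, error) {
	spec := map[string]string{"token": token}
	return json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": spec})
}

// callerFromReview fails closed: the token must be authenticated and belong to the allowed account.
func callerFromReview(resp []byte, allowed string) (string, error) {
	var r reviewResponse
	if err := json.Unmarshal(resp, &r); err != nil {
		return "", err
	}
	if s := r.Status; !s.Authenticated || s.Error != "" || s.User.Username != allowed {
		return "", fmt.Errorf("rejected caller %q", s.User.Username)
	}
	return r.Status.User.Username, nil
}

func main() { // constructed token, not a real credential
	body, _ := reviewRequest("constructed.sample.token")
	fmt.Println(string(body))
}
```

The receiving service's own service account needs permission to create `tokenreviews` (for example through the `system:auth-delegator` ClusterRole) before the API server will answer the request.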

welcome[bot] commented 3 months ago

Thanks for opening your first issue here! Be sure to follow the issue template!