This allows the osprey client to fetch the API server URL from the `kube-public/ClientConfig` resource. This resource is created when the OIDC Identity Service is enabled in GKE. The URL it holds is an Envoy proxy that passes requests through the OIDC service. The API server CA cert is also fetched from the ClientConfig resource.
It seems like a chicken-and-egg situation: the API server URL is retrieved from the API server, but typically the public URL would be used in order to fetch the internal OIDC proxy URL.
Osprey client config
Note: when `use-gke-clientconfig: true` is specified, `api-server` is also required, to know from where to retrieve the ClientConfig.
The ClientConfig resource
Anonymous access to ClientConfig
RBAC access needs to be granted for `system:anonymous` users to fetch the ClientConfig from `kube-public` for this to work without authentication. The API server must allow anonymous access, which is the default for GKE.
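One way to grant the anonymous read described above with the least privilege, as an added example rather than the PR's own manifests; it assumes the ClientConfig CRD is served by the `authentication.gke.io` API group and the object is named `default` in `kube-public`, which is how GKE Identity Service creates it:

```yaml
# Added example (not part of the osprey PR): least-privilege RBAC so that an
# unauthenticated osprey client can read only the ClientConfig it needs.
# Assumptions: the ClientConfig CRD is served by the authentication.gke.io
# API group and the object is named "default" in kube-public; confirm with
# `kubectl api-resources | grep -i clientconfig` before applying.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: osprey-clientconfig-reader
  namespace: kube-public
rules:
  - apiGroups: ["authentication.gke.io"]
    resources: ["clientconfigs"]
    resourceNames: ["default"]   # only this one object, not everything in kube-public
    verbs: ["get"]               # no list/watch: the client needs a single GET
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: osprey-clientconfig-reader
  namespace: kube-public
subjects:
  - kind: User
    name: system:anonymous       # unauthenticated requests are mapped to this user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: osprey-clientconfig-reader
  apiGroup: rbac.authorization.k8s.io
```

Re-check the grant with `kubectl auth can-i get clientconfigs.authentication.gke.io/default -n kube-public --as=system:anonymous --as-group=system:unauthenticated`, which should answer `yes`, while the same check against any other resource in `kube-public` should answer `no`.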