Is this a BUG REPORT or FEATURE REQUEST?:
Feature Request
What happened:
I am deploying kubeless-function-controller to a non-rbac k8s cluster using webhooks for auth/z. My authz policies reject any non-whitelisted serviceaccounts, and I cannot whitelist the controller-acct serviceaccount nor can I use an existing, whitelisted serviceaccount.
https://github.com/kubeless/kubeless's function controller allows mounting a k8s secret containing a bearer token for authz against k8s. See related issue: https://github.com/kubeless/kubeless/issues/877
What you expected to happen:
Supply a secret or additional mounted file containing the bearer token and use the bearer token for k8s actions instead of using a serviceaccount.
How to reproduce it (as minimally and precisely as possible):
Use a webhook for k8s authz which rejects the kubeless service account.
Anything else we need to know?:
Environment:
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.1-palantir1", GitCommit:"f31005ab029ab58f05349b193fa2c22bdbe27ad3", GitTreeState:"clean", BuildDate:"2018-07-24T19:50:58Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.1-palantir1", GitCommit:"f31005ab029ab58f05349b193fa2c22bdbe27ad3", GitTreeState:"clean", BuildDate:"2018-07-24T19:46:29Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Kubeless version (use kubeless version): Kubeless version: v1.0.0-alpha.7
Cloud provider or physical cluster: AWS
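The behaviour requested above, sketched as an added example (not kubeless code and not part of the original issue): an HTTP transport that authenticates Kubernetes API calls with a bearer token read from a mounted file instead of the pod's serviceaccount token. It uses only the Go standard library; the type and function names and the `TOKEN_FILE` / `API_URL` environment variables are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// tokenFileTransport (hypothetical) adds a bearer token from a mounted file to each request.
type tokenFileTransport struct {
	path string            // mount path of the token, e.g. a Secret volume
	base http.RoundTripper // underlying transport; TLS/CA settings live here
}

func (t *tokenFileTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Re-read on every request so a rotated Secret is picked up without a restart.
	raw, err := os.ReadFile(t.path)
	if err != nil {
		return nil, fmt.Errorf("read token file: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return nil, errors.New("token file is empty") // fail closed, never send unauthenticated
	}
	// A RoundTripper must not mutate the caller's request, so work on a clone.
	clone := req.Clone(req.Context())
	clone.Header.Set("Authorization", "Bearer "+token)
	return t.base.RoundTrip(clone)
}

// newTokenFileClient returns a client whose requests carry the file-backed token.
func newTokenFileClient(path string, base http.RoundTripper) *http.Client {
	return &http.Client{Transport: &tokenFileTransport{path: path, base: base}}
}

func main() {
	// TOKEN_FILE and API_URL are assumed names for this example only.
	resp, err := newTokenFileClient(os.Getenv("TOKEN_FILE"), http.DefaultTransport).Get(os.Getenv("API_URL"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	resp.Body.Close()
	fmt.Println(resp.Status)
}
```

With this approach the pod can also set `automountServiceAccountToken: false`, so the rejected serviceaccount credential is never mounted at all.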