
Distribute auth tokens to pods #1907

Closed
@lavalamp

Description

Before allowing pods to make changes to the cluster state, we need to check their identity and verify that they're permitted to make changes.

An idea for checking identity: suppose we generate a token when a BoundPod is created. Kubelet passes this token into the pod via an ENV var. apiserver can then look up this token to verify identity.

Clearly there are some security implications; if the wrong actor is able to read the BoundPods endpoint, they could impersonate another pod.
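The scheme sketched above, written out as an added example (this is not code from the issue or from the Kubernetes code base): the apiserver mints a random token when a BoundPod is created and records token → pod, the kubelet hands the token to the container as an env var, and the apiserver resolves a presented token back to a pod identity. The `BoundPod` fields, the env var name `KUBERNETES_POD_TOKEN` and the in-memory store are assumptions made for the example. The last function reproduces the concern in the final paragraph: because the BoundPods list carries the tokens in the clear, anyone who can read it can authenticate as any pod.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// PodIdentity is what the apiserver learns about a caller once its token is recognised.
type PodIdentity struct {
	Namespace, Name string
}

// BoundPod models the record the issue proposes minting a token for. The field
// names are assumptions made for this example, not the real API.
type BoundPod struct {
	ID    PodIdentity
	Token string // minted at creation; kubelet copies it into the container's env
}

// TokenStore is the apiserver-side table that maps a token back to a pod.
type TokenStore struct {
	mu      sync.RWMutex
	byToken map[string]PodIdentity
}

func NewTokenStore() *TokenStore { return &TokenStore{byToken: map[string]PodIdentity{}} }

// newToken returns 32 random bytes hex-encoded. Nothing about the pod is
// encoded in it; it only means something through the apiserver's lookup table.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// CreateBoundPod is the apiserver step: mint a token when the BoundPod is created.
func (s *TokenStore) CreateBoundPod(id PodIdentity) (*BoundPod, error) {
	tok, err := newToken()
	if err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.byToken[tok] = id
	s.mu.Unlock()
	return &BoundPod{ID: id, Token: tok}, nil
}

// KubeletInject is the kubelet step: the token reaches the container as an env
// var. The variable name is an assumption made for this example.
func KubeletInject(bp *BoundPod) map[string]string {
	return map[string]string{"KUBERNETES_POD_TOKEN": bp.Token}
}

// Authenticate is the apiserver step on every request: look the presented token
// up. A random 256-bit token is unguessable, so a plain map lookup is enough.
func (s *TokenStore) Authenticate(presented string) (PodIdentity, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if id, ok := s.byToken[presented]; ok {
		return id, nil
	}
	return PodIdentity{}, errors.New("unknown token")
}

// ListBoundPods models the BoundPods endpoint the issue warns about: the tokens
// sit in it in the clear, so any reader can present any of them.
func (s *TokenStore) ListBoundPods() []BoundPod {
	s.mu.RLock()
	defer s.mu.RUnlock()
	var out []BoundPod
	for tok, id := range s.byToken {
		out = append(out, BoundPod{ID: id, Token: tok})
	}
	return out
}

// Impersonate is the consequence: a caller that can read the BoundPods list
// takes the token of the pod it wants to be and authenticates as that pod.
func Impersonate(s *TokenStore, victim PodIdentity) (PodIdentity, error) {
	for _, p := range s.ListBoundPods() {
		if p.ID == victim {
			return s.Authenticate(p.Token)
		}
	}
	return PodIdentity{}, errors.New("victim not in BoundPods list")
}

func main() {
	store := NewTokenStore()
	web, _ := store.CreateBoundPod(PodIdentity{Namespace: "default", Name: "web"})
	fmt.Println(store.Authenticate(KubeletInject(web)["KUBERNETES_POD_TOKEN"]))
	fmt.Println(Impersonate(store, PodIdentity{Namespace: "default", Name: "web"}))
}
```

The two `Println` calls return the same identity: the second caller never received `web`'s env var, it only read the BoundPods list. That is why read access to that endpoint has to be restricted to the kubelet (or the stored form of the token has to be something a reader cannot replay) before the scheme can be trusted.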
