Add support for sa token volume projection in the admission charts #380

Merged
merged 10 commits into from
Feb 15, 2022

Conversation

dimityrmirchev
Member

@dimityrmirchev dimityrmirchev commented Jan 20, 2022

How to categorize this PR?

/area security
/kind enhancement
/platform gcp

What this PR does / why we need it:
This PR adds:

  • The ability to configure the admission deployment to use service account token volume projection (ref).
  • The ability to configure a user instead of a service account subject in the clusterrolebinding definition when using a "virtual garden" setup. This will enable other possibilities for authentication to the virtual garden, i.e., leveraging oidc-webhook-authenticator.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
If this gets approved I will open similar PRs for the other extensions.

Release note:

`gardener-extension-admission-gcp` now supports configuration for enabling service account token volume projection. It is exposed through the `.Values.global.serviceAccountTokenVolumeProjection` section in the respective chart's values.
It is now possible to configure a `user` instead of a `serviceaccount` subject in the `clusterrolebinding` for the `gardener-extension-admission-gcp` when using a virtual garden setup by setting `.Values.global.virtualGarden.user.name`.
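As an added illustration (not a template from the admission chart itself), this Helm fragment shows what the two options described in the PR amount to: a projected token that is short-lived, audience-bound and never stored as a Secret, and a `ClusterRoleBinding` whose subject switches from the extension's ServiceAccount to a `User` when a virtual garden user name is set. The sub-keys `enabled`, `audience` and `expirationSeconds`, the volume name and the resource names are assumptions for the example; only the two top-level values paths come from the PR.

```yaml
{{- $proj := .Values.global.serviceAccountTokenVolumeProjection }}
{{- if $proj.enabled }}
# Fragment of the Deployment's pod spec (spec.template.spec), assumed layout.
automountServiceAccountToken: false
volumes:
- name: service-account-token
  projected:
    sources:
    - serviceAccountToken:
        path: token
        audience: {{ $proj.audience | default "kubernetes" }}
        expirationSeconds: {{ $proj.expirationSeconds | default 3600 }}
    # ca.crt and namespace are no longer auto-mounted once the default
    # token mount is disabled, so supply them from the same projected volume.
    - configMap:
        name: kube-root-ca.crt
        items:
        - key: ca.crt
          path: ca.crt
    - downwardAPI:
        items:
        - path: namespace
          fieldRef:
            fieldPath: metadata.namespace
containers:
- name: gardener-extension-admission-gcp
  volumeMounts:
  - name: service-account-token
    mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    readOnly: true
{{- end }}
---
# ClusterRoleBinding subject: User if a virtual garden user is set, else the ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gardener-extension-admission-gcp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gardener-extension-admission-gcp
subjects:
{{- if .Values.global.virtualGarden.user.name }}
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: {{ .Values.global.virtualGarden.user.name }}
{{- else }}
- kind: ServiceAccount
  name: gardener-extension-admission-gcp
  namespace: {{ .Release.Namespace }}
{{- end }}
```

With the projected token, the kubelet rotates the file before `expirationSeconds` elapses and the API server rejects it for any audience other than the one configured, so a leaked token is far less useful than the legacy non-expiring Secret-backed one.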

@dimityrmirchev dimityrmirchev requested review from a team as code owners January 20, 2022 13:58
@gardener-robot gardener-robot added area/security Security related platform/gcp Google cloud platform/infrastructure labels Jan 20, 2022
@gardener-robot

@dimityrmirchev Label kind/feature does not exist.

@gardener-robot gardener-robot added needs/review Needs review size/s Size of pull request is small (see gardener-robot robot/bots/size.py) labels Jan 20, 2022
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 20, 2022
@gardener-robot gardener-robot added the kind/enhancement Enhancement, improvement, extension label Jan 20, 2022
@gardener-robot-ci-2 gardener-robot-ci-2 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Jan 20, 2022
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 20, 2022
@dimityrmirchev
Member Author

/invite @vpnachev @rfranzke @timebertt

@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 20, 2022
@rfranzke
Member

/assign

@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 21, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 21, 2022
@dimityrmirchev
Member Author

I left out the ability to configure an already existing "generic" kubeconfig for now as the current changes will not expand the etcd size. If this becomes something that we want to chase I can contribute it in a different set of PRs, but I guess for now priority is the actual functionality.

@dimityrmirchev dimityrmirchev marked this pull request as draft January 21, 2022 09:52
@dimityrmirchev
Member Author

Converted to draft since there are some changes still needed.

@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 21, 2022
rfranzke
rfranzke previously approved these changes Jan 28, 2022
@gardener-robot gardener-robot added needs/review Needs review and removed needs/review Needs review labels Jan 31, 2022
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 31, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Jan 31, 2022
vpnachev
vpnachev previously approved these changes Feb 3, 2022
Member

@vpnachev vpnachev left a comment

/lgtm

@gardener-robot gardener-robot added needs/review Needs review and removed needs/review Needs review labels Feb 11, 2022
@gardener-robot-ci-2 gardener-robot-ci-2 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 11, 2022
@gardener-robot-ci-3 gardener-robot-ci-3 removed the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Feb 11, 2022
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) platform/gcp Google cloud platform/infrastructure reviewed/lgtm Has approval for merging size/m Size of pull request is medium (see gardener-robot robot/bots/size.py)
10 participants