adamant-kite-43734 (09/20/2024, 7:08 PM)

aloof-application-95693 (09/20/2024, 7:19 PM)
err is always nil, so the debug message isn't very useful. I imagine it was intended to be logrus.Debugf("saauth: JWT sub is not a service account: %v", claims.Subject) instead)

creamy-pencil-82913 (09/20/2024, 9:28 PM)

aloof-application-95693 (09/20/2024, 9:30 PM)
sub set to system:serviceaccount:example:example, but I'm not sure how the Rancher auth proxy would handle that

creamy-pencil-82913 (09/20/2024, 9:30 PM)

aloof-application-95693 (09/20/2024, 9:31 PM)

creamy-pencil-82913 (09/20/2024, 9:31 PM)

creamy-pencil-82913 (09/20/2024, 9:31 PM)

aloof-application-95693 (09/20/2024, 9:32 PM)
The "that will pass a TokenReview in the downstream cluster" bit is what I'm not sure about

creamy-pencil-82913 (09/20/2024, 9:32 PM)

aloof-application-95693 (09/20/2024, 9:33 PM)

aloof-application-95693 (09/20/2024, 9:33 PM)

creamy-pencil-82913 (09/20/2024, 9:34 PM)

aloof-application-95693 (09/20/2024, 9:35 PM)

aloof-application-95693 (09/20/2024, 9:36 PM)

aloof-application-95693 (09/20/2024, 9:38 PM)
sub claim in the JWTs provided by my IdP (GitLab in my case), so I won't be able to get past the Rancher auth proxy, since the ServiceAccountUsernamePrefix check will fail

creamy-pencil-82913 (09/20/2024, 9:42 PM)

aloof-application-95693 (09/20/2024, 9:42 PM)

aloof-application-95693 (09/20/2024, 9:45 PM)

aloof-application-95693 (09/20/2024, 9:45 PM)

aloof-application-95693 (09/20/2024, 9:47 PM)

creamy-pencil-82913 (09/20/2024, 9:49 PM)

aloof-application-95693 (09/20/2024, 9:51 PM)

aloof-application-95693 (09/20/2024, 9:51 PM)
kube-api-auth webhook to essentially just bypass Rancher's authentication

creamy-pencil-82913 (09/20/2024, 9:52 PM)

aloof-application-95693 (09/20/2024, 9:53 PM)

aloof-application-95693 (09/20/2024, 9:54 PM)

aloof-application-95693 (09/20/2024, 9:55 PM)
local (management) cluster?

creamy-pencil-82913 (09/20/2024, 10:09 PM)

aloof-application-95693 (09/20/2024, 10:11 PM)