-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add admission for some operations from edge to cloud #5456
Comments
Firstly, we can admit or reject the requests within cloudhub. NodeAuthorizer implements the node authorization mode. We can add the similar feature to cloudcore based on this. RBAC authorization mode is a flexable and finer-grained authorization mode. The k8s engineers can reuse their security configurations on cloudcore. However, RBAC is complex, it cloud take us several months to implement this feature. Secondly, we can also utilize the user impersonation mechanism. By adding special HTTP headers, cloudcore acts as the kubelet on a normal worker node. All of authorization modes are supported. However, it's hard to trace the requests from edge nodes. |
What would you like to be added/modified:
Add admission for some operations from edge to cloud, like pod deletion, node register.
FYI: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/noderestriction/admission.go
Why is this needed:
Security Enhancement
The text was updated successfully, but these errors were encountered: