http/2(h2, h2c) and gRPC support #1
Comments
Thanks for the praise! Happy it's useful to people 🙂. I think native gRPC support is a very cool idea. I think we need to find the right abstractions. As gRPC builds on top of HTTP2, maybe we can hop on that. A gRPC method has a specific HTTP2 path which is in the form of Augmenting a request with obtained userdata seems reasonable, on plain HTTP that would be a
@brancz Hi, thanks for your comment, and the direction! Seems like I've managed to finish it. Changes so far: mumoshu/kube-rbac-proxy@master...grpc-and-h2c-support Gotchas addressed:
Thanks for the confirmation here 👍 I've ended up with Probably all I need to do towards my original goal are:
Sorry for a lengthy comment, but things are getting more and more interesting.
No worries, your comment is not too long, it covers everything in great detail, and I think this is starting to take shape! Also nice job on the code comments, they guided me through your thought process very well. Regarding the headers, I'd suggest to go with Thanks a lot for putting this together, I love it!
@brancz Thanks for your comment again!
Sounds great 👍
For anyone interested: The PR is in-progress at #2
@brancz Hi, thanks for sharing a very inspiring project 👍
I'm POCing to add support for gRPC but I'm not really sure if it is really feasible.
I'd greatly appreciate it if you could leave comments on the state of my POC.
Thanks!
https://github.com/mumoshu/kube-rbac-proxy/tree/grpc-support
In a nutshell:
- `nonResourceURL` in K8S' RBAC policy, so that we could authorize the method call w/ RBAC authorization
- `header` (= `metadata` in gRPC?) to be used for authentication

My end-goal/intended use-case of adding gRPC support to kube-rbac-proxy is to achieve authn/authz for Helm/Tiller. I don't like to implement yet another RBAC system inside Helm/Tiller but rather reuse K8S RBAC instead.
helm/helm#1918 (comment)
Ideally, kube-rbac-proxy could authenticate the client and authorize the rpc call w/ RBAC. Once authorized, rbac-proxy could add the authn result to metadata to be used by tiller(upstream of kube-rbac-proxy) to "impersonate" the user. Tiller could then CRUD k8s resources as the user.
WDYT?
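The idea discussed in this thread (a gRPC method's HTTP/2 path treated as a Kubernetes non-resource URL, so that an RBAC rule with `nonResourceURLs` decides whether the call may proceed) is shown below as an added example in Go, the project's language. This is not code from kube-rbac-proxy or from the thread participants: the `NonResourceAttributes` and `Rule` types are local stand-ins for the Kubernetes API types, the service name `example.tiller.ReleaseService` and the policy in `TillerRules` are constructed, and the choice of the lowercased HTTP method as the RBAC verb is an assumption about how non-resource requests are evaluated.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NonResourceAttributes is a local stand-in (assumption: not the k8s.io/api
// type) for the non-resource part of a SubjectAccessReview.
type NonResourceAttributes struct {
	Path string // the HTTP/2 :path, "/<package>.<Service>/<Method>" for gRPC
	Verb string // lowercased HTTP method (assumed convention for non-resource URLs)
}

// Rule is the subset of a Kubernetes RBAC PolicyRule that applies to
// non-resource URLs.
type Rule struct {
	NonResourceURLs []string
	Verbs           []string
}

// IsGRPC reports whether r is a gRPC call: HTTP/2 with a Content-Type of
// "application/grpc", optionally carrying a "+proto" / "+json" suffix.
func IsGRPC(r *http.Request) bool {
	ct := r.Header.Get("Content-Type")
	return r.ProtoMajor == 2 &&
		(ct == "application/grpc" || strings.HasPrefix(ct, "application/grpc+"))
}

// GRPCMethod splits a gRPC request path into its service and method names;
// ok is false when the path is not of the form "/<service>/<method>".
func GRPCMethod(path string) (service, method string, ok bool) {
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// AttributesFor maps a request onto the attributes RBAC will evaluate. For a
// gRPC call the path is the fully qualified method and the verb is "post",
// because gRPC clients always POST.
func AttributesFor(r *http.Request) NonResourceAttributes {
	return NonResourceAttributes{Path: r.URL.Path, Verb: strings.ToLower(r.Method)}
}

// matchURL follows the RBAC convention for nonResourceURLs: an entry matches
// the path exactly, or, when it ends in "*", matches any path with that prefix.
func matchURL(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

func matchVerb(verbs []string, verb string) bool {
	for _, v := range verbs {
		if v == "*" || v == verb {
			return true
		}
	}
	return false
}

// Allowed is a local authorizer: true when some rule grants the verb on the
// path. kube-rbac-proxy delegates this decision to the apiserver through a
// SubjectAccessReview; the matching shown here mirrors that rule semantics.
func Allowed(rules []Rule, attrs NonResourceAttributes) bool {
	for _, rule := range rules {
		if !matchVerb(rule.Verbs, attrs.Verb) {
			continue
		}
		for _, u := range rule.NonResourceURLs {
			if matchURL(u, attrs.Path) {
				return true
			}
		}
	}
	return false
}

// NewGRPCRequest builds a constructed HTTP/2 gRPC request for a method path,
// shaped the way a gRPC client would send it.
func NewGRPCRequest(path string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "https://tiller.example"+path, nil)
	r.Proto, r.ProtoMajor, r.ProtoMinor = "HTTP/2.0", 2, 0
	r.Header.Set("Content-Type", "application/grpc")
	return r
}

// TillerRules is a constructed policy: listing releases and the read-only
// GetRelease* calls are permitted; every other method on the service is denied.
var TillerRules = []Rule{{
	NonResourceURLs: []string{
		"/example.tiller.ReleaseService/ListReleases",
		"/example.tiller.ReleaseService/GetRelease*",
	},
	Verbs: []string{"post"},
}}

func main() {
	for _, m := range []string{"/ListReleases", "/GetReleaseStatus", "/InstallRelease"} {
		r := NewGRPCRequest("/example.tiller.ReleaseService" + m)
		svc, meth, _ := GRPCMethod(r.URL.Path)
		fmt.Printf("grpc=%v %s/%s allowed=%v\n", IsGRPC(r), svc, meth, Allowed(TillerRules, AttributesFor(r)))
	}
}
```

Because the authorization decision is made on the `:path` before the request is forwarded, a write method such as `InstallRelease` is rejected by the proxy without the upstream ever seeing it; the wildcard form keeps the policy readable when a service has many read-only methods with a common prefix.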