-
Story
-
Resolution: Obsolete
The proxy sidecar delegates certain authorization requests to OpenShift.
- It delegates authorization checks for specific resources (identified by name) using the --openshift-delegate-urls option (this is defined as static per host). For example:
  --openshift-delegate-urls={"/": {"resource": "services", "verb": "get", "name": "odh-dashboard"}}
- For each newly created notebook namespace, the injected oauth-proxy defines SARs (SubjectAccessReviews) to ensure that a given user can perform certain actions on a particular resource, for example:
  --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"<notebook.Name>","namespace":"$(NAMESPACE)"}
When offloading this to the mesh, we have to find a way to provide those checks.
See Kubernetes docs about authentication and authorization for more details.
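To make the checks that have to be reproduced in the mesh concrete, the following added example (not code from oauth-proxy or from this project) builds the authorization.k8s.io/v1 SubjectAccessReview body that corresponds to one rule in either flag format quoted above. The names `proxyRule` and `BuildSAR`, the mapping of the flag keys onto `resourceAttributes`, and the sample identity are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// proxyRule (hypothetical): keys seen in the two flag values; JSON keys match case-insensitively.
type proxyRule struct {
	Verb, Resource, Namespace, ResourceAPIGroup string
	ResourceName                                string // key used by --openshift-sar
	Name                                        string // key used by --openshift-delegate-urls
}

// BuildSAR maps one rule plus the authenticated identity to a SubjectAccessReview body.
// It fails closed: a missing verb, resource or user is an error, never a broader check.
func BuildSAR(ruleJSON, user string, groups []string) (map[string]interface{}, error) {
	var r proxyRule
	if err := json.Unmarshal([]byte(ruleJSON), &r); err != nil {
		return nil, fmt.Errorf("bad rule: %w", err)
	}
	if r.Verb == "" || r.Resource == "" || user == "" {
		return nil, fmt.Errorf("verb, resource and user are required")
	}
	if r.ResourceName == "" {
		r.ResourceName = r.Name
	}
	attrs := map[string]string{"verb": r.Verb, "resource": r.Resource}
	for k, v := range map[string]string{"namespace": r.Namespace, "group": r.ResourceAPIGroup, "name": r.ResourceName} {
		if v != "" {
			attrs[k] = v // only set attributes the rule actually names
		}
	}
	return map[string]interface{}{
		"apiVersion": "authorization.k8s.io/v1",
		"kind":       "SubjectAccessReview",
		"spec":       map[string]interface{}{"user": user, "groups": groups, "resourceAttributes": attrs},
	}, nil
}

func main() {
	// Constructed sample: notebook "my-notebook" in namespace "demo", user "alice".
	rule := `{"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"my-notebook","namespace":"demo"}`
	sar, err := BuildSAR(rule, "alice", []string{"system:authenticated"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(sar, "", "  ")
	fmt.Println(string(out))
}
```

Whatever replaces the sidecar has to produce an equivalent decision for each request, keyed on the authenticated user and groups rather than on the proxy's own service account.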
1. | Integrate Authorino | Code Review | Bartosz Majsak |
2. | Bug: logout button not working correctly | Closed | Cameron Garrison |
3. | Bug: logout from notebook not working | Closed | Bartosz Majsak |
4. | Apply CSRF Envoy filter | New | Unassigned |