[Deprecation] Removal of insecure options: --insecure-listen-address and unset --tls-cert-file, --tls-private-key-file #187

Closed
ibihim opened this issue Aug 8, 2022 · 1 comment

ibihim (Collaborator) commented Aug 8, 2022

What

We are removing the option to run kube-rbac-proxy without configured TLS certificates.
This means that:

  • using insecure-listen-address won't work any more.
  • not setting tls-cert-file and tls-private-key-file won't work any more.

Upstream H2C should still work, but we might remove verified claims about an identity that are sent to upstream in the future.

Why

We are aware that we create obstacles in running kube-rbac-proxy for testing or debugging purposes.
But we reduce the probability for an insecure setup of kube-rbac-proxy, which is a security-relevant component.

Running kube-rbac-proxy without TLS certificates makes it possible to impersonate kube-rbac-proxy.

The reason that we remove that capability is a pre-acceptance requirement for kube-rbac-proxy, before we can donate the project to sig-auth of k8s.

Reference

ibihim changed the title from "Removal of insecure options" to "[Deprecation] Removal of insecure options: --insecure-listen-address and unset --tls-cert-file, --tls-private-key-file" on Aug 8, 2022

ibihim (Collaborator, Author) commented Nov 28, 2022

Gathering deprecation in this issue: #196
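
To find deployments affected by the removal described in this issue, the following added example (not part of the issue or of the kube-rbac-proxy code base) audits a pod spec for the two configurations being dropped. It assumes kube-rbac-proxy containers can be recognised by "kube-rbac-proxy" in the image name; the sample spec, registry name and paths are constructed.

```python
import json

# The settings named in the issue.
INSECURE_FLAG = "--insecure-listen-address"
TLS_FLAGS = ("--tls-cert-file", "--tls-private-key-file")

def parse_flags(argv):
    """Map each --flag to its value; accepts "--flag=value" and "--flag value"."""
    flags, i = {}, 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name.startswith("--"):
            if not sep and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                i += 1
                value = argv[i]
            flags[name] = value  # empty string means "present but no value"
        i += 1
    return flags

def audit_container(container):
    """List the settings this issue removes for one container spec."""
    flags = parse_flags(container.get("command", []) + container.get("args", []))
    findings = []
    if flags.get(INSECURE_FLAG):
        findings.append(f"{INSECURE_FLAG} is set ({flags[INSECURE_FLAG]})")
    findings += [f"{flag} is not set" for flag in TLS_FLAGS if not flags.get(flag)]
    return findings

def audit_pod_spec(pod_spec):
    """Audit containers whose image name contains 'kube-rbac-proxy' (assumption)."""
    return {
        c["name"]: audit_container(c)
        for c in pod_spec.get("containers", [])
        if "kube-rbac-proxy" in c.get("image", "")
    }

# Constructed sample pod spec; image references are placeholders.
SAMPLE = json.loads("""
{"containers": [
  {"name": "proxy-plain", "image": "registry.example/kube-rbac-proxy:TAG",
   "args": ["--insecure-listen-address=0.0.0.0:8080",
            "--upstream=http://127.0.0.1:8081/"]},
  {"name": "proxy-tls", "image": "registry.example/kube-rbac-proxy:TAG",
   "args": ["--secure-listen-address", "0.0.0.0:8443",
            "--tls-cert-file=/etc/tls/tls.crt",
            "--tls-private-key-file", "/etc/tls/tls.key",
            "--upstream=http://127.0.0.1:8081/"]},
  {"name": "app", "image": "registry.example/app:TAG", "args": ["--port=8081"]}
]}
""")

if __name__ == "__main__":
    for name, findings in audit_pod_spec(SAMPLE).items():
        print(name, "->", findings or "ok")
```

The same functions can be run over the `spec.template.spec` of each workload in `kubectl get deployments -A -o json` output.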
