Merge pull request #80724 from cceckman/provider-info-e2e

Provide OIDC discovery for service account token issuer
2025-09-15 06:01:50 +00:00 · 2020-02-13 01:38:35 -08:00
parent c099585b10 5a176ac772
commit 8ca96f3e07
15 changed files with 1090 additions and 5 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -461,6 +461,21 @@ func ClusterRoles() []rbacv1.ClusterRole {
 		},
 	}

+	if utilfeature.DefaultFeatureGate.Enabled(features.ServiceAccountIssuerDiscovery) {
+		// Add the cluster role for reading the ServiceAccountIssuerDiscovery endpoints
+		// but do not bind it explicitly. Leave the decision of who can read it up
+		// to cluster admins.
+		roles = append(roles, rbacv1.ClusterRole{
+			ObjectMeta: metav1.ObjectMeta{Name: "system:service-account-issuer-discovery"},
+			Rules: []rbacv1.PolicyRule{
+				rbacv1helpers.NewRule("get").URLs(
+					"/.well-known/openid-configuration",
+					"/openid/v1/jwks",
+				).RuleOrDie(),
+			},
+		})
+	}
+
 	// node-proxier role is used by kube-proxy.
 	nodeProxierRules := []rbacv1.PolicyRule{
 		rbacv1helpers.NewRule("list", "watch").Groups(legacyGroup).Resources("services", "endpoints").RuleOrDie(),