Store `Shoot` cluster CA bundle as `ConfigMap`
petersutter opened this issue
How to categorize this issue?
/area usability
/area security
/kind enhancement
**What would you like to be added:**

The `Shoot` cluster CA bundle should be stored as `ConfigMap` so that it can be read by users with `viewer` `Project` role. The CA bundle is not sensitive data, hence it doesn't need to be stored as a `Secret`.
**Why is this needed:**

Gardener stores a `Secret` with the name `<shoot-name>.ca-cluster` in the project namespace in the garden cluster. This `Secret` contains the CA bundle of the cluster. The `dashboard` and `gardenctl` generate a `gardenlogin` kubeconfig by reading the CA data from the `Secret` and mapping it to the `certificate-authority-data` field.

Gardenlogin will soon also support the `shoot/viewerkubeconfig` subresource (#78) which enables users with `viewer` role to have read-only access to a cluster. However, users with `viewer` role using `gardenctl` or the `dashboard` do not have the permission to read this `Secret`.

A potential workaround for generating the `gardenlogin` kubeconfig could involve calling the subresource `shoot/adminkubeconfig` or `shoot/viewerkubeconfig` solely for the `certificate-authority-data` field and discarding the rest. However, this approach might lead to unnecessary audit events.
/assign
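The mapping the issue describes (read the CA bundle from a `Secret` or a `ConfigMap`, put it into `certificate-authority-data`) has one detail worth getting right: `Secret` `.data` values arrive base64-encoded from the API server, while `ConfigMap` `.data` values are plain text, so the two paths need different handling before they yield the same field. The following Go program is an added example written for this page; it is not code from Gardener, gardenctl or the dashboard. It assumes the bundle is stored under a `ca.crt` key (the issue does not name the key) and builds the objects it reads from in memory as constructed samples, using a throwaway self-signed CA generated at runtime. It also checks that what it found really is a bundle of CA certificates before handing it to a kubeconfig, which is the check a client should make regardless of which object the bundle came from.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caKey is the data key assumed to hold the CA bundle (assumption: the issue does not name it).
const caKey = "ca.crt"

// checkPEMBundle verifies that raw holds at least one parseable CA certificate
// and nothing else, so a wrong key or a non-CA leaf is rejected early.
func checkPEMBundle(raw []byte) error {
	count := 0
	for rest := raw; ; {
		block, next := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = next
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected PEM block type %q in CA bundle", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("invalid certificate in CA bundle: %w", err)
		}
		if !cert.IsCA {
			return fmt.Errorf("%q is not a CA certificate", cert.Subject.CommonName)
		}
		count++
	}
	if count == 0 {
		return errors.New("no CERTIFICATE blocks found in CA bundle")
	}
	return nil
}

// CABundleFromSecret returns the certificate-authority-data value taken from a Secret.
// Secret .data values are already base64-encoded, so after validation the value is copied verbatim.
func CABundleFromSecret(secret map[string]any) (string, error) {
	data, _ := secret["data"].(map[string]any)
	encoded, ok := data[caKey].(string)
	if !ok {
		return "", fmt.Errorf("secret has no data[%q]", caKey)
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("secret data[%q] is not base64: %w", caKey, err)
	}
	if err := checkPEMBundle(raw); err != nil {
		return "", err
	}
	return encoded, nil
}

// CABundleFromConfigMap returns the certificate-authority-data value taken from a ConfigMap.
// ConfigMap .data values are plain PEM text, so they must be base64-encoded for the kubeconfig.
func CABundleFromConfigMap(cm map[string]any) (string, error) {
	data, _ := cm["data"].(map[string]any)
	pemText, ok := data[caKey].(string)
	if !ok {
		return "", fmt.Errorf("configmap has no data[%q]", caKey)
	}
	if err := checkPEMBundle([]byte(pemText)); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString([]byte(pemText)), nil
}

// BuildKubeconfig assembles a minimal kubeconfig in JSON form (accepted by kubectl).
// The user entry is left empty; a gardenlogin kubeconfig would carry its credential plugin there.
func BuildKubeconfig(name, server, caData string) ([]byte, error) {
	cfg := map[string]any{
		"apiVersion":      "v1",
		"kind":            "Config",
		"clusters":        []map[string]any{{"name": name, "cluster": map[string]any{"server": server, "certificate-authority-data": caData}}},
		"contexts":        []map[string]any{{"name": name, "context": map[string]any{"cluster": name, "user": name}}},
		"users":           []map[string]any{{"name": name, "user": map[string]any{}}},
		"current-context": name,
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// newTestCA generates a throwaway self-signed CA certificate (constructed sample, valid for one hour).
func newTestCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-shoot-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// constructedObjects builds the Secret and the ConfigMap as the API server would return them
// (constructed samples; the object name follows the <shoot-name>.ca-cluster pattern from the issue).
func constructedObjects(caPEM []byte) (secret, configMap map[string]any) {
	meta := map[string]any{"name": "my-shoot.ca-cluster", "namespace": "garden-my-project"}
	secret = map[string]any{"apiVersion": "v1", "kind": "Secret", "metadata": meta,
		"data": map[string]any{caKey: base64.StdEncoding.EncodeToString(caPEM)}}
	configMap = map[string]any{"apiVersion": "v1", "kind": "ConfigMap", "metadata": meta,
		"data": map[string]any{caKey: string(caPEM)}}
	return secret, configMap
}

func main() {
	caPEM, err := newTestCA()
	if err != nil {
		panic(err)
	}
	secret, cm := constructedObjects(caPEM)
	fromSecret, err := CABundleFromSecret(secret)
	if err != nil {
		panic(err)
	}
	fromConfigMap, err := CABundleFromConfigMap(cm)
	if err != nil {
		panic(err)
	}
	fmt.Println("secret and configmap yield identical certificate-authority-data:", fromSecret == fromConfigMap)
	kubeconfig, _ := BuildKubeconfig("my-shoot", "https://api.my-shoot.example.invalid", fromConfigMap)
	fmt.Println(string(kubeconfig))
}
```

Both readers end at the same `certificate-authority-data` string, which is the point of moving the bundle: a client that reads the `ConfigMap` needs only the extra base64 step, and the kubeconfig it emits is byte-for-byte the one it would have produced from the `Secret`, without a `Secret` read or a kubeconfig subresource call in the audit log.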