k8s exec-credential does not support mTLS #459

Open
wasaga opened this issue Oct 15, 2024 · 0 comments
wasaga commented Oct 15, 2024

Is your feature request related to a problem? Please describe.

We previously added support for client certificates contained in the system Keychain to pomerium-cli.

When used in kubectl exec-info mode along with a route that requires a client certificate to be presented, the communication would fail with

kubectl get pods
Error from server (Forbidden): unknown (get pods)

In k8s exec-credential mode, we currently fill some of the ExecCredentials parameters but not the client certificate data.

Some considerations for key selection:

  • kubectl is called frequently, and the certificate selection pop-up on every command would be a major inconvenience.
  • the client certificate key, in principle, may not be exportable from the keychain.

wasaga changed the title from "be able to use endpoints with mTLS requirements" to "k8s exec-credential does not support mTLS requirements" on Oct 15, 2024

wasaga changed the title from "k8s exec-credential does not support mTLS requirements" to "k8s exec-credential does not support mTLS" on Oct 15, 2024
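
An added example (not part of the issue and not pomerium-cli code): a Go check that classifies what an exec plugin's ExecCredential output hands to kubectl, run here on the token-only shape the issue describes. The type and function names and the sample JSON are constructed for illustration; `status.token`, `status.clientCertificateData` and `status.clientKeyData` are the ExecCredential fields kubectl reads.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// execCredential mirrors the ExecCredential status fields kubectl reads from an exec plugin's stdout.
type execCredential struct {
	Status struct {
		Token                 string `json:"token"`
		ClientCertificateData string `json:"clientCertificateData"`
		ClientKeyData         string `json:"clientKeyData"`
	} `json:"status"`
}

// pemType returns the type of the first PEM block in s, or "" if there is none.
func pemType(s string) string {
	if b, _ := pem.Decode([]byte(s)); b != nil {
		return b.Type
	}
	return ""
}

// classify reports which credentials the plugin output carries.
func classify(raw []byte) (string, error) {
	var ec execCredential
	if err := json.Unmarshal(raw, &ec); err != nil {
		return "", err
	}
	cert, key := pemType(ec.Status.ClientCertificateData), pemType(ec.Status.ClientKeyData)
	switch {
	case cert == "CERTIFICATE" && strings.HasSuffix(key, "PRIVATE KEY"):
		return "mtls-capable", nil // both halves present and PEM-encoded
	case ec.Status.ClientCertificateData != "" || ec.Status.ClientKeyData != "":
		return "incomplete-mtls", nil // kubectl needs certificate and key together
	case ec.Status.Token != "":
		return "token-only", nil // no client certificate is offered to the route
	}
	return "empty", nil
}

// Constructed sample: the token-only shape described in the issue.
const tokenOnly = `{"apiVersion":"client.authentication.k8s.io/v1","kind":"ExecCredential","status":{"token":"constructed-sample-token"}}`
func main() {
	fmt.Println(classify([]byte(tokenOnly)))
}
```

Because `clientKeyData` has to carry the PEM-encoded private key itself, a key that cannot be exported from the keychain cannot be delivered through these fields.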