switch to certificatesigners resource for limiting approval powers
deads2k committed Jan 2, 2020
1 parent edf0386 commit 7204822
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions keps/sig-auth/20190607-certificates-api.md
Expand Up @@ -205,9 +205,9 @@ release.
#### Limiting approval powers for certain signers.
Given multiple signers which may be implemented as "dumb" controllers that sign if the CSR is approved, there is benefit
to providing a simple way to subdivide approval powers through the API. We can introduce an admission plugin that requires
1. verb == `create`
2. resource == `certificatesigningrequests/approve/(.spec.signerName)`
3. name == `<name of CSR>`
1. verb == `approve`
2. resource == `certificatesigners`
3. name == `<name of certificatesigningrequests/(.spec.signerName)>`
4. group == `certificates.k8s.io`

If a signer/approver pairs want a stronger guarantee like a signed assertion, that can be built today using annotations.
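
Review bot: The new item 3, `name == <name of certificatesigningrequests/(.spec.signerName)>`, is ambiguous. It can be read as the CSR's object name (which is what the old item 3 said) or as a path-like string, while the intent appears to be the value of the CSR's `.spec.signerName`. Suggest wording it as `name == <value of .spec.signerName on the CSR>`. The lead-in sentence "We can introduce an admission plugin that requires" could also state whose permission is checked, i.e. that the user approving the CSR must hold it, since the verb is now `approve` on `certificatesigners`, a different resource from the one being written.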