From 72048221554e48c1a9bbbffedcda40095a9a1f44 Mon Sep 17 00:00:00 2001 From: David Eads Date: Thu, 2 Jan 2020 13:58:51 -0500 Subject: [PATCH] switch to certificatesigners resource for limiting approval powers --- keps/sig-auth/20190607-certificates-api.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/keps/sig-auth/20190607-certificates-api.md b/keps/sig-auth/20190607-certificates-api.md index 4a04d55bb2bb..459d6620e1e1 100644 --- a/keps/sig-auth/20190607-certificates-api.md +++ b/keps/sig-auth/20190607-certificates-api.md @@ -205,9 +205,9 @@ release. #### Limiting approval powers for certain signers. Given multiple signers which may be implemented as "dumb" controllers that sign if the CSR is approved, there is benefit to providing a simple way to subdivide approval powers through the API. We can introduce an admission plugin that requires - 1. verb == `create` - 2. resource == `certificatesigningrequests/approve/(.spec.signerName)` - 3. name == `` + 1. verb == `approve` + 2. resource == `certificatesigners` + 3. name == `` 4. group == `certificates.k8s.io` If a signer/approver pairs want a stronger guarantee like a signed assertion, that can be built today using annotations.
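Review bot: Item 3 of the changed list still reads "name == ``" with nothing between the backticks, and the new resource is the fixed string `certificatesigners` with no `(.spec.signerName)` in it, so the four conditions no longer say which signer an approval permission is scoped to. Suggest writing item 3 out explicitly, for example as name == the CSR's `.spec.signerName`, since that field is now the only thing separating one signer's approvers from another's. It would also help to add a sentence stating that `approve` here is a custom verb that the admission plugin checks as an additional authorization requirement, because the text moves away from `create` without saying how the new verb is evaluated.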