To support operating in environments that require mTLS and enhanced levels of security validation on OIDC access tokens it would be helpful to add support for RFC8705 (certificate bound access tokens) [0].
Acquiring the client certificate details should either be done locally (if the TLS session is terminated on kube-rbac-proxy directly), or remotely (if the TLS session is terminated on an ingress proxy ahead of kube-rbac-proxy). If acquired remotely, the ingress proxy should support RFC9440 (Client-Cert Header Field) [1] or kube-rbac-proxy should make an attempt at supporting implementations that pre-date the RFC [2].
Depends on #353
[0] See: https://datatracker.ietf.org/doc/html/rfc8705
[1] https://datatracker.ietf.org/doc/html/rfc9440
[2] haproxy/haproxy#2235
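The check requested above, sketched as an added example (not kube-rbac-proxy code, and not part of the original issue): decode the RFC 9440 `Client-Cert` header set by an ingress proxy and compare the certificate's SHA-256 thumbprint with the token's RFC 8705 `cnf` / `x5t#S256` claim. The function names are hypothetical. It assumes the token's signature and expiry were already validated, and that the ingress proxy validated the client certificate and strips any `Client-Cert` header supplied by the client.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// decodeClientCert extracts the DER bytes from an RFC 9440 Client-Cert header
// value, a Structured Fields Byte Sequence of the form ":<standard base64>:".
func decodeClientCert(header string) ([]byte, error) {
	v := strings.TrimSpace(header)
	if len(v) < 3 || v[0] != ':' || v[len(v)-1] != ':' {
		return nil, errors.New("header is not an RFC 9440 byte sequence")
	}
	return base64.StdEncoding.DecodeString(v[1 : len(v)-1])
}

// thumbprint is the RFC 8705 x5t#S256 value: base64url(SHA-256(DER)), unpadded.
func thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyBinding assumes claims come from an already validated token and der
// from a trusted proxy. A token without cnf is rejected, not treated as unbound.
func verifyBinding(claims map[string]interface{}, der []byte) error {
	cnf, ok := claims["cnf"].(map[string]interface{})
	if !ok {
		return errors.New("token has no cnf claim")
	}
	want, ok := cnf["x5t#S256"].(string)
	if !ok || want == "" {
		return errors.New("cnf has no x5t#S256 member")
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(thumbprint(der))) != 1 {
		return errors.New("token is bound to a different certificate")
	}
	return nil
}

func main() {
	der := []byte("constructed stand-in for DER certificate bytes") // not a real cert
	got, _ := decodeClientCert(":" + base64.StdEncoding.EncodeToString(der) + ":")
	claims := map[string]interface{}{"cnf": map[string]interface{}{"x5t#S256": thumbprint(got)}}
	fmt.Println(verifyBinding(claims, got))
}
```

When TLS is terminated on the proxy process itself, the same `thumbprint` call applies to the `Raw` bytes of the first entry in `tls.ConnectionState.PeerCertificates` instead of a header value.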