Arsharth/dex
1
0
Fork 0
forked from mystiq/dex
Code Issues Pull requests Packages Projects Releases Wiki Activity

Clarify the origin of openid-ca

Browse source
This commit is contained in:
Erwin van Eyk 2019-08-14 15:18:34 +02:00 committed by erwinvaneyk
parent aeb2861a40
commit 5c99525ed3
1 changed files with 1 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
Documentation/kubernetes.md
View file

@ -43,6 +43,7 @@ Additional notes:
* Kubernetes only trusts ID Tokens issued to a single client.
* As a work around dex allows clients to [trust other clients][trusted-peers] to mint tokens on their behalf.
* If a claim other than "email" is used for username, for example "sub", it will be prefixed by `"(value of --oidc-issuer-url)#"`. This is to namespace user controlled claims which may be used for privilege escalation.
* The `/etc/ssl/certs/openid-ca.pem` used here is the CA from the [generated TLS assets](#generate-tls-assets), and is assumed to be present on the cluster nodes.
## Deploying dex on Kubernetes