Skip to content
This repository has been archived by the owner on Jun 17, 2022. It is now read-only.

Latest commit

 

History

History
17 lines (13 loc) · 865 Bytes

README.md

File metadata and controls

17 lines (13 loc) · 865 Bytes

kapprover

kapprover is a tool meant to be deployed in Kubernetes clusters that uses the TLS client certificate bootstrapping flow for kubelets. It will then monitor and automatically approves Certificate Signing Requests submitted by kubelets, based on the the policy selected at startup.

As of today, a single approval policy, called always exists, and approves any pending CSRs without making any kind of validation besides checking that the requester's user/group are respectively kubelet-bootstrap / system:kubelet-bootstrap. Long term, we hope to support advanced policies, such as validating that the requester is part of a given AWS's AutoScalingGroup.

The easiest way to deploy kapprover is to use the provided deployment.yaml resource.