Commit 5c99525e authored by Erwin van Eyk, committed by erwinvaneyk

Clarify the origin of openid-ca

parent aeb2861a
...@@ -43,6 +43,7 @@ Additional notes: ...@@ -43,6 +43,7 @@ Additional notes:
* Kubernetes only trusts ID Tokens issued to a single client. * Kubernetes only trusts ID Tokens issued to a single client.
* As a work around dex allows clients to [trust other clients][trusted-peers] to mint tokens on their behalf. * As a work around dex allows clients to [trust other clients][trusted-peers] to mint tokens on their behalf.
* If a claim other than "email" is used for username, for example "sub", it will be prefixed by `"(value of --oidc-issuer-url)#"`. This is to namespace user controlled claims which may be used for privilege escalation. * If a claim other than "email" is used for username, for example "sub", it will be prefixed by `"(value of --oidc-issuer-url)#"`. This is to namespace user controlled claims which may be used for privilege escalation.
* The `/etc/ssl/certs/openid-ca.pem` used here is the CA from the [generated TLS assets](#generate-tls-assets), and is assumed to be present on the cluster nodes.
## Deploying dex on Kubernetes ## Deploying dex on Kubernetes
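Review bot: The added note says `/etc/ssl/certs/openid-ca.pem` is "assumed to be present on the cluster nodes" but does not say which component reads it or on which nodes it must exist; since the surrounding notes refer to API server options such as `--oidc-issuer-url`, consider stating that the file must be present on the nodes running that component and that it must be the same CA that issued the dex TLS certificate from the generated assets, so readers can verify the bundle they copied matches rather than discovering a mismatch when token validation fails. Also confirm that the `#generate-tls-assets` anchor matches an existing heading in this document, otherwise the link is dead.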