github jetstack/kube-oidc-proxy v0.2.0

latest release: v0.3.0
4 years ago

This is the second release of kube-oidc-proxy, which includes a number of new features. We have also updated the build to use Go v1.3.5 and have halved the image size to 14.8MB.

Features

  • Token Passthrough: If enabled, the proxy is able to fall back to using a Kubernetes TokenReview request on bearer tokens that fail OIDC verification. This is useful for also authenticating non-OIDC tokens, such as those of Kubernetes service accounts, through the proxy.
  • Disable Impersonation: If enabled, the proxy can pass requests as is, with the bearer token removed from the request and without adding impersonation headers. This is useful for securing arbitrary backends with OIDC authentication.
  • Improved Probe: Previously, the readiness probe condition was set to true based on an arbitrary time. The readiness probe has now been improved so that the proxy is only set to ready once the OIDC discovery has succeeded and is therefore able to validate OIDC tokens.
  • Client Authentication Configuration: Previously, when running the proxy inside a Kubernetes pod, it was impossible to configure the proxy to use any custom client configuration, as the pod's service account was always used. Now, if any client flags are set, they override the "in-cluster" client configuration.
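
The request handling that the Token Passthrough and Disable Impersonation items describe, as an added Go example that is not the project's own code. The names `Authenticator`, `Config` and `Prepare` are hypothetical, and two behaviours are assumptions of this example: client-supplied `Impersonate-*` headers are dropped, and a token accepted by TokenReview is forwarded unchanged.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Authenticator and Config are hypothetical stand-ins; the names are not the proxy's flags.
type Authenticator func(token string) (user string, groups []string, err error)
type Config struct {
	OIDC, TokenReview    Authenticator // TokenReview == nil: token passthrough disabled
	DisableImpersonation bool
}
var ErrUnauthorized = errors.New("unauthorized")

// Prepare authenticates r and rewrites its headers before it is forwarded upstream.
func Prepare(cfg Config, r *http.Request) error {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if token == "" || token == r.Header.Get("Authorization") {
		return ErrUnauthorized
	}
	for h := range r.Header { // assumption: client-sent impersonation headers are dropped
		if strings.HasPrefix(h, "Impersonate-") {
			delete(r.Header, h)
		}
	}
	user, groups, err := cfg.OIDC(token)
	if err != nil && cfg.TokenReview != nil { // passthrough: fall back to TokenReview
		_, _, err = cfg.TokenReview(token)
		return err // assumption: on success the original token is forwarded unchanged
	}
	if err != nil {
		return ErrUnauthorized
	}
	r.Header.Del("Authorization") // the OIDC token never reaches the backend
	if !cfg.DisableImpersonation {
		r.Header.Set("Impersonate-User", user)
		r.Header["Impersonate-Group"] = groups
	}
	return nil
}

func main() { // constructed demo: a token OIDC accepts becomes an impersonated request
	ok := func(string) (string, []string, error) { return "alice", []string{"dev"}, nil }
	r := &http.Request{Header: http.Header{"Authorization": {"Bearer constructed-token"}}}
	fmt.Println(Prepare(Config{OIDC: ok}, r), r.Header)
}
```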

Testing

We have greatly improved the end-to-end tests, which are now run using Ginkgo. This gives us a much better development experience when adding new features and improves our confidence in the proxy's correctness.

Contributions

This release has seen contributions from a number of people in the community 😄
