This repository has been archived by the owner on Mar 13, 2022. It is now read-only.
userinfo.email scope is needed to work with rbac #54
Closed
Description
KubeConfigLoader._refresh_credentials sets the scope to cloud-platform.
I think userinfo.email scope is needed as well.
See kubernetes/kubernetes#58141 for a similar issue with kubectl and a good explanation.
I think we need the userinfo.email scope because RBAC rules can be expressed in terms of the email of service accounts. But if the userinfo.email scope isn't included, the APIServer ends up using the numeric id of service accounts, which won't work if RBAC rules are written in terms of the emails.
I haven't confirmed for myself this is an issue (I'm working through a variety of issues with kubectl/kubeconfig/client libs) so I could be wrong.
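The following is an added illustration, not code from this repository or from kubernetes/kubernetes, of the effect the issue describes. It uses a deliberately simplified model (an assumption, not the real GKE token-introspection or API-server logic) in which a Google token's `email` claim is only populated when the `userinfo.email` scope was granted, and the username seen by RBAC is the email when present and the numeric `sub` otherwise. The `build_google_credentials` helper shows the two-scope request the issue proposes; it assumes `google.auth.default(scopes=...)` is the call used to obtain credentials and needs a real GCP environment, so it is not exercised by the sample run. The claims and RoleBinding subjects are constructed sample data.

```python
"""Added example: why requesting only cloud-platform breaks email-based RBAC."""

from typing import Dict, List, Optional

# cloud-platform is the scope KubeConfigLoader._refresh_credentials requested
# at the time of the issue; userinfo.email is the scope the issue proposes adding.
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
USERINFO_EMAIL_SCOPE = "https://www.googleapis.com/auth/userinfo.email"
GCP_SCOPES = [CLOUD_PLATFORM_SCOPE, USERINFO_EMAIL_SCOPE]

# Constructed sample data: a service account's numeric id and email.
SAMPLE_ACCOUNT = {
    "sub": "112233445566778899000",
    "email": "deployer@example-project.iam.gserviceaccount.com",
}
# Constructed RoleBinding subjects, written in terms of the email (the case
# the issue says breaks without userinfo.email).
SAMPLE_BINDING_SUBJECTS = [
    {"kind": "User", "name": "deployer@example-project.iam.gserviceaccount.com"},
]


def simulate_tokeninfo(account: Dict[str, str], scopes: List[str]) -> Dict[str, str]:
    """Simplified model (assumption) of the claims visible for a token:
    the email claim is only present when userinfo.email was granted."""
    claims = {"sub": account["sub"]}
    if USERINFO_EMAIL_SCOPE in scopes:
        claims["email"] = account["email"]
    return claims


def rbac_username(claims: Dict[str, str]) -> str:
    """Simplified model (assumption) of the username the API server would
    derive: the email if available, otherwise the numeric subject id."""
    return claims.get("email") or claims["sub"]


def rbac_subject_matches(username: str, subjects: List[Dict[str, str]]) -> bool:
    """True if any User subject in a (Cluster)RoleBinding names this username."""
    return any(s.get("kind") == "User" and s.get("name") == username for s in subjects)


def check_binding(scopes: List[str]) -> bool:
    """Does the sample binding authorize the sample account under these scopes?"""
    username = rbac_username(simulate_tokeninfo(SAMPLE_ACCOUNT, scopes))
    return rbac_subject_matches(username, SAMPLE_BINDING_SUBJECTS)


def build_google_credentials(scopes: Optional[List[str]] = None):
    """Obtain refreshed application-default credentials with both scopes.
    Assumption: google.auth.default(scopes=...) is the call used. Requires the
    google-auth package and a real GCP environment, so it is not run here."""
    import google.auth
    import google.auth.transport.requests

    credentials, _project = google.auth.default(scopes=scopes or GCP_SCOPES)
    credentials.refresh(google.auth.transport.requests.Request())
    return credentials


if __name__ == "__main__":
    # Same account, same binding; only the requested scopes differ.
    print("cloud-platform only :", check_binding([CLOUD_PLATFORM_SCOPE]))  # False
    print("with userinfo.email :", check_binding(GCP_SCOPES))              # True
```

With only `cloud-platform`, the derived username is the numeric id, so a binding written against the email does not match and the request is denied; adding `userinfo.email` makes the email available and the same binding matches. A quick check on a real cluster is to compare the `email` field of the token-introspection response with the `name` of the User subject in the failing RoleBinding.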