40m | Update from last week's TODOs | Prashant, Shiv |

- Shared an overview of the workload reconciler in the management cluster
- SPIRE agent is installed on all nodes via a DaemonSet; open question: how is registration of new nodes handled at scale?
- The SA token is applied to the SPIRE agent, and each node knows which cluster it is part of; all nodes in a cluster are then "detected" by the workload reconciler using the same cluster ID
- The spire-bundle (trust bundle) is held in a ConfigMap so the SPIRE agents can talk to the SPIRE server
- Currently all nodes in a cluster have the same SPIFFE ID, but this can be changed; a separate deep dive is needed on this (it can be per cluster, namespace, node, or workload)
- Wim will share notes or a link on how to request a token with restricted permissions from the workload cluster instead of using a kubeconfig
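The node-attestation setup the notes describe (projected SA token on the agent, agent knowing its cluster, trust bundle from the spire-bundle ConfigMap, server validating the token) written out as SPIRE's `k8s_psat` plugin configuration. This is an added illustration, not the project's own config; the trust domain `example.org`, cluster name `example-cluster`, namespace/service account `spire:spire-agent` and all paths are assumptions.

```hcl
# --- spire-agent.conf (runs in the DaemonSet on every node) ---
# Added example; trust domain, cluster name and paths are assumed.
agent {
    trust_domain      = "example.org"
    server_address    = "spire-server"
    server_port       = "8081"
    socket_path       = "/run/spire/sockets/agent.sock"
    data_dir          = "/run/spire"
    # Mounted from the spire-bundle ConfigMap; bootstraps trust in the server
    trust_bundle_path = "/run/spire/bundle/bundle.crt"
}

plugins {
    # Projected service-account token attests the node; the agent only
    # needs to know which cluster it belongs to.
    NodeAttestor "k8s_psat" {
        plugin_data {
            cluster    = "example-cluster"
            token_path = "/var/run/secrets/tokens/spire-agent"
        }
    }
    KeyManager "memory" {
        plugin_data {}
    }
    # Workload attestation via the kubelet; the CA file must be one that
    # actually signs the kubelet serving certificate (assumed path).
    WorkloadAttestor "k8s" {
        plugin_data {
            kubelet_secure_port = 10250
            kubelet_ca_path     = "/run/spire/kubelet-ca/ca.crt"
        }
    }
}

# --- spire-server.conf (management cluster; other plugins omitted) ---
plugins {
    NodeAttestor "k8s_psat" {
        plugin_data {
            clusters = {
                "example-cluster" = {
                    # Only tokens for this service account may attest a node
                    service_account_allow_list = ["spire:spire-agent"]
                    # For a remote workload cluster, point at a kubeconfig built
                    # from a restricted token rather than an admin kubeconfig
                    # (the action item above); omit to use in-cluster config.
                    # kube_config_file = "/run/spire/kubeconfigs/example-cluster"
                }
            }
        }
    }
}
```

Registration entries can then be scoped using the attestor's selectors (for example `k8s_psat:cluster`, `k8s_psat:agent_ns`, `k8s_psat:agent_node_name`), which is where the per-cluster / per-namespace / per-node choice from the deep-dive item is made.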