TSM at Work
So between the two parallel methods of #authn/#authz for this #kubernetes #cluster, which one is ordinary income tax and which one is Alternative Minimum Tax? Which one punishes you arbitrarily because some #committee couldn't be arsed to ensure that the #solution still applies only to the #problem it was originally meant to address and isn't giving nasty #surprises to unsuspecting people?
Jun 11 at 1:13amWeb
Show threadTSM at WorkJun 12

If I get to the bottom of this #rabbithole and I don't find our very own #footguns I shall be very disappointed.

Because that means I shall have to talk to the #vendor and that seldom turns out well.

Maybe the behavior is documented. Technically. Piecewise in several different places, one of which is in a locked file cabinet in a planning office that is only open for one hour at lunch on alternate Thursdays.

Show threadThey Might Be StupidJun 12
@tsmatwork I see Kubernetes and authn/authz... are you having troubles accessing Kube's JWKS endpoint for verifying ServiceAccount JWTs anonymously, by chance? That was a helluva rabbit hole I went down, but I can point you in the right direction if so. And it's dumb.
Show threadTSM at WorkJun 13

@thelonelyghost A certain major cloud vendor's #Kubernetes implementation, and what happens when one must deal with both the "old" and "new" authn/authz schemes simultaneously in a cluster. It prefers new, but for best results, configure both for identical results, or at least as close as practical.

It wasn't our own smoking #footguns at the bottom of the #rabbithole, but at least there was a #deterministic answer that didn't require #vendor contact.