<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 6:02 AM, Clint Byrum <span dir="ltr">&lt;<a href="mailto:clint@fewbar.com" target="_blank">clint@fewbar.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div id=":sy" class="" style="overflow:hidden">However, this does make me think that Keystone domains should be exposable<br>
to services inside your cloud for use as SSO. It would be quite handy<br>
if the keystone users used for the VMs that host Kubernetes could use<br>
the same credentials to manage the containers.</div></blockquote></div><br><br></div><div class="gmail_extra">I was thinking exactly the same thing and looking at the code here:<br><br><a href="https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/client/request.go#L263">https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/client/request.go#L263</a><br><br></div><div class="gmail_extra">it seems to use some basic HTTP auth, which should be enough with the REMOTE_USER/apache feature of keystone:<br><br><a href="http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication">http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication</a><br><br></div><div class="gmail_extra">but if we want to have proper full integration with OpenStack we would probably at some point want to teach modularity and a keystone plugin to give to k8<br><br></div><div class="gmail_extra">Chmouel<br></div></div>