Comments (7)
For reference, this includes an example service account JWT payload: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection
The sub (subject) claim is what AWS EKS uses in their IRSA flow, and might be the cleanest solution for this.
I was trying to see if I could use Flipt's JWT auth method to do this today, but it looks like only the iss and aud claims support validation. Would it be worth writing up a separate issue to discuss the JWT auth mechanism and supporting additional common claims like sub, or possibly even arbitrary claims (eg. I can provide my own claim key-value pairs in configuration)?
Yeah great idea. I think the ability to validate custom claims makes a lot of sense. A separate issue would be good. It shouldn't be too difficult to support
@tstraley we just released v1.41.0 that contains support for verifying sub claims! https://docs.flipt.io/configuration/authentication#claim-validation
Will this work for your usecase or would you still prefer we support "a list of trusted / allowed service account name + namespace pairs that are verified from the jwt claims"?
@markphelps thanks for this. I think the recent addition is a step in the right direction, but it still doesn't solve our use-cases, simply due to the fact that the solution only supports a single subject that can be verified.
If we have more than one service in our cluster that should be allowed to access flipt, and they use different service accounts (or are in different namespaces), then this solution doesn't work.
I think the most user-friendly solution would still be to have the kubernetes auth method support a list of allowed service accounts; but the workaround of configuring the jwt auth method by using the service account token would be reasonable if we could define a list of claims to validate.
Having said that, I should let you know this isn't critical for us -- we have changed our auth method to use the bootstrap static token method, so that we can manage the token like a password and pass it into trusted services via k8s secret (which won't exist in untrusted namespaces).
that makes sense @tstraley
from a configuration aspect, how do you envision that looking? maybe something like:

```yaml
authentication:
  methods:
    kubernetes:
      enabled: true
      allowed_service_accounts:
        my-namespace:
          - my-service
        my-other-namespace:
          - my-other-service
```

I based this a bit off what we do for allowed_teams for the GitHub auth for consistency sake
Infisical supports something similar for their k8s auth, they support both Allowed Service Accounts and Allowed Namespaces. https://infisical.com/docs/documentation/platform/identities/kubernetes-auth
Maybe we could do something like:

```yaml
authentication:
  methods:
    kubernetes:
      enabled: true
      allowed_service_accounts:
        - my-service
      allowed_namespaces:
        - production
```

This would allow for specifying individual service account names, or more broadly at the namespace level
I guess this would be an OR check, like the SA is either in the allowed_service_accounts list or allowed_namespaces, but doesn't have to be both
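The OR check proposed above, as an added example that is not Flipt's own code: it parses the Kubernetes service account subject (system:serviceaccount:namespace:name) out of an already signature-verified token and tests it against the two proposed lists. The struct and field names are assumptions, and it goes slightly beyond the proposal by also accepting namespace/name entries, since a bare name alone would match an identically named service account in an untrusted namespace.

```go
package main

import "strings"

// KubernetesAuth holds the two allow-lists proposed in the thread. The field
// names are assumptions for this example, not Flipt's actual config schema.
type KubernetesAuth struct {
	AllowedServiceAccounts []string // "name" or "namespace/name" (qualified form is an added extension)
	AllowedNamespaces      []string
}

// ParseSubject splits a Kubernetes service account token subject of the form
// "system:serviceaccount:<namespace>:<name>" into its namespace and name.
func ParseSubject(sub string) (namespace, name string, ok bool) {
	p := strings.Split(sub, ":")
	if len(p) != 4 || p[0] != "system" || p[1] != "serviceaccount" || p[2] == "" || p[3] == "" {
		return "", "", false
	}
	return p[2], p[3], true
}

// Allowed implements the OR check discussed above: the token passes if its
// service account is listed or its namespace is listed. With no entries in
// either list nothing is allowed, so a missing config fails closed.
// The sub claim must come from a token whose signature was already verified.
func (k KubernetesAuth) Allowed(sub string) bool {
	ns, name, ok := ParseSubject(sub)
	if !ok {
		return false
	}
	for _, entry := range k.AllowedServiceAccounts {
		if qns, qname, qualified := strings.Cut(entry, "/"); qualified {
			if qns == ns && qname == name { // exact namespace + name pair
				return true
			}
		} else if entry == name { // bare name matches in any namespace
			return true
		}
	}
	for _, allowedNS := range k.AllowedNamespaces {
		if allowedNS == ns {
			return true
		}
	}
	return false
}
```

Prefer the namespace/name form or allowed_namespaces for anything exposed to namespaces you do not control, because a bare name is only as unique as the cluster's RBAC makes it.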