Comments (4)
Ah, reading the code further, I now see that this plugin expects the token to authenticate as a Kubernetes service account, as it destructures the user name to glean the account name and containing namespace. Given that, still, it matters less that the input is a JWT; what's apparently important is that it maps to a user name that looks like a service account's fully-qualified name.
Note that a Webhook is free to return a user name that matches that format. It would be unusual to do so, sure, but nothing in Kubernetes prevents it.
from vault-plugin-auth-kubernetes.
Hi @seh
> Ah, reading the code further, I now see that this plugin expects the token to authenticate as a Kubernetes service account, as it destructures the user name to glean the account name and containing namespace. Given that, still, it matters less that the input is a JWT; what's apparently important is that it maps to a user name that looks like a service account's fully-qualified name.
> Note that a Webhook is free to return a user name that matches that format. It would be unusual to do so, sure, but nothing in Kubernetes prevents it.
I think you mix up the token usage: the `token_reviewer_jwt` is passed to authorize the TokenReview creation on the kube API server, to validate the Pod ServiceAccount and extract the SA name, namespace and other stuff.
We have the same problem as you: we cannot integrate an external Vault cluster with vault agent running on a Kubernetes cluster whose API server is proxied for authentication.
The checks to validate the format of the `token_reviewer_jwt` are useless because they will be done at TokenReview creation.
from vault-plugin-auth-kubernetes.
I see your point, @yesteph. That strengthens my original complaint, and really splits this into two complaints:
- The bearer token used to authenticate to create TokenReview objects doesn't need to be a JWT; it just needs to be understood by an active authentication method.
- Kubernetes user names supplied by authentication methods do not need to—and rarely will—match the service account user name format.
from vault-plugin-auth-kubernetes.
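The exchange the two comments above describe, as an added example that is not code from vault-plugin-auth-kubernetes: the reviewer credential goes only into the Authorization header of the TokenReview request and its shape is never inspected locally, while what the plugin actually depends on is the user name in the API server's response having the `system:serviceaccount:<namespace>:<name>` form. The response bodies, token values and API server URL are constructed for the example; the function names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// TokenReview mirrors the subset of the authentication.k8s.io/v1 TokenReview
// object used here: the token under review in spec, and the API server's
// verdict plus the user it resolved in status.
type TokenReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Token string `json:"token"`
	} `json:"spec"`
	Status struct {
		Authenticated bool   `json:"authenticated"`
		Error         string `json:"error,omitempty"`
		User          struct {
			Username string   `json:"username"`
			UID      string   `json:"uid"`
			Groups   []string `json:"groups"`
		} `json:"user"`
	} `json:"status"`
}

// NewTokenReviewRequest builds the POST that creates a TokenReview.
// reviewerToken is the credential that authorizes creating the review (the
// token_reviewer_jwt); subjectToken is the pod token being checked. The
// reviewer credential is only placed in the Authorization header: whether it
// is a JWT or something else is decided by the API server's authenticators.
func NewTokenReviewRequest(apiServer, reviewerToken, subjectToken string) (*http.Request, error) {
	var tr TokenReview
	tr.APIVersion = "authentication.k8s.io/v1"
	tr.Kind = "TokenReview"
	tr.Spec.Token = subjectToken
	body, err := json.Marshal(tr)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest("POST", apiServer+"/apis/authentication.k8s.io/v1/tokenreviews", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+reviewerToken)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

const saPrefix = "system:serviceaccount:"

// ParseServiceAccountUsername splits system:serviceaccount:<namespace>:<name>.
// It reports ok=false for any other user name, which is what a webhook or
// other non-service-account authenticator will normally produce.
func ParseServiceAccountUsername(username string) (namespace, name string, ok bool) {
	if !strings.HasPrefix(username, saPrefix) {
		return "", "", false
	}
	parts := strings.Split(strings.TrimPrefix(username, saPrefix), ":")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// ServiceAccountFromReview decodes the API server's TokenReview response and
// returns the namespace and name the subject token resolved to. It fails when
// the token was rejected, or accepted but mapped to a non-service-account user.
func ServiceAccountFromReview(responseBody []byte) (namespace, name string, err error) {
	var tr TokenReview
	if err := json.Unmarshal(responseBody, &tr); err != nil {
		return "", "", fmt.Errorf("decoding TokenReview: %w", err)
	}
	if !tr.Status.Authenticated {
		return "", "", fmt.Errorf("token not authenticated: %s", tr.Status.Error)
	}
	ns, n, ok := ParseServiceAccountUsername(tr.Status.User.Username)
	if !ok {
		return "", "", fmt.Errorf("user %q is not a service account", tr.Status.User.Username)
	}
	return ns, n, nil
}

// Constructed sample responses; not captured from a real cluster.
const SAResponse = `{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"system:serviceaccount:default:vault-agent","uid":"example-uid","groups":["system:serviceaccounts","system:serviceaccounts:default","system:authenticated"]}}}`
const WebhookResponse = `{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","status":{"authenticated":true,"user":{"username":"alice@example.com","groups":["system:authenticated"]}}}`
const RejectedResponse = `{"apiVersion":"authentication.k8s.io/v1","kind":"TokenReview","status":{"authenticated":false,"error":"[invalid bearer token]"}}`

func main() {
	req, _ := NewTokenReviewRequest("https://kube-apiserver.example:6443", "reviewer-token-placeholder", "pod-token-placeholder")
	fmt.Println(req.Method, req.URL, "Authorization:", req.Header.Get("Authorization"))
	for _, body := range []string{SAResponse, WebhookResponse, RejectedResponse} {
		ns, name, err := ServiceAccountFromReview([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("service account %s/%s\n", ns, name)
	}
}
```

Run as-is, the first response yields `default/vault-agent`, the webhook-style user name is rejected despite being authenticated, and the unauthenticated response is rejected with the server's error string; nothing in the request path ever examines whether the reviewer credential parses as a JWT.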
4.5 years later, I am still happy to see this addressed. Thank you.
from vault-plugin-auth-kubernetes.