Comments (4)

seh avatar seh commented on July 24, 2024

Ah, reading the code further, I now see that this plugin expects the token to authenticate as a Kubernetes service account, as it destructures the user name to glean the account name and containing namespace. Given that, still, it matters less that the input is a JWT; what's apparently important is that it maps to a user name that looks like a service account's fully-qualified name.

Note that a Webhook is free to return a user name that matches that format. It would be unusual to do so, sure, but nothing in Kubernetes prevents it.

from vault-plugin-auth-kubernetes.

yesteph avatar yesteph commented on July 24, 2024

Hi @seh

Ah, reading the code further, I now see that this plugin expects the token to authenticate as a Kubernetes service account, as it destructures the user name to glean the account name and containing namespace. Given that, still, it matters less that the input is a JWT; what's apparently important is that it maps to a user name that looks like a service account's fully-qualified name.

Note that a Webhook is free to return a user name that matches that format. It would be unusual to do so, sure, but nothing in Kubernetes prevents it.

I think you mix up the token usage: the token_reviewer_jwt is passed to authorize the TokenReview creation on the kube API server, to validate the Pod ServiceAccount and extract the SA name, namespace and other stuff.

We have the same problem as you: we cannot integrate an external Vault cluster with vault agent running on a kubernetes whose API server is proxied for authentication.
The checks to validate the format of the token_reviewer_jwt are useless because they will be done at TokenReview creation.


seh avatar seh commented on July 24, 2024

I see your point, @yesteph. That strengthens my original complaint, and really splits this into two complaints:

  • The bearer token used to authenticate to create TokenReview objects doesn't need to be a JWT; it just needs to be understood by an active authentication method.
  • Kubernetes user names supplied by authentication methods do not need to—and rarely will—match the service account user name format.

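To make the second complaint concrete, here is an added example (not code from vault-plugin-auth-kubernetes or from either commenter) of the post-TokenReview step the thread is discussing: the API server has already validated the bearer token and returned a user name, and the caller now tries to read a namespace and service account name out of it. The `TokenReviewStatus` struct is a hand-written mirror of the relevant `authentication.k8s.io/v1` fields, and the sample statuses are constructed, not real API server responses. The example shows the failure mode seh describes: a perfectly valid user name minted by a webhook authenticator (here the made-up `alice`) is rejected simply because it does not follow the `system:serviceaccount:<namespace>:<name>` convention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServiceAccountPrefix is the prefix the built-in service account token
// authenticator puts on user names. Nothing forces other authenticators
// (webhook, OIDC, ...) to use it.
const ServiceAccountPrefix = "system:serviceaccount:"

// TokenReviewStatus is a hand-written mirror of the TokenReview.status
// fields used here (an assumption for this example, not the real client type).
type TokenReviewStatus struct {
	Authenticated bool
	Username      string
	Groups        []string
	Error         string
}

// ParseServiceAccountUsername splits "system:serviceaccount:<ns>:<name>"
// into its parts. Any other user name is rejected, which is exactly what
// happens to users produced by a webhook authenticator.
func ParseServiceAccountUsername(username string) (namespace, name string, err error) {
	if !strings.HasPrefix(username, ServiceAccountPrefix) {
		return "", "", fmt.Errorf("user name %q is not in service account format", username)
	}
	parts := strings.Split(strings.TrimPrefix(username, ServiceAccountPrefix), ":")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("malformed service account user name %q", username)
	}
	return parts[0], parts[1], nil
}

// ResolveServiceAccount applies the checks a caller runs after the API
// server answers a TokenReview: the review must not have errored, the
// token must be authenticated, and the user name must name a service account.
func ResolveServiceAccount(st TokenReviewStatus) (namespace, name string, err error) {
	if st.Error != "" {
		return "", "", errors.New("token review failed: " + st.Error)
	}
	if !st.Authenticated {
		return "", "", errors.New("token was not authenticated by the API server")
	}
	return ParseServiceAccountUsername(st.Username)
}

func main() {
	// Constructed sample statuses covering the three outcomes discussed above.
	samples := []TokenReviewStatus{
		{Authenticated: true, Username: "system:serviceaccount:default:vault-agent"},
		{Authenticated: true, Username: "alice", Groups: []string{"developers"}},
		{Authenticated: false, Error: "[invalid bearer token]"},
	}
	for _, s := range samples {
		ns, sa, err := ResolveServiceAccount(s)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: namespace=%s serviceaccount=%s\n", ns, sa)
	}
}
```

Running it prints one accepted line for the service account token and two rejections; the `alice` rejection is the case the thread points at, since the API server authenticated that token successfully and only the naming convention got in the way.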

seh avatar seh commented on July 24, 2024

4.5 years later, I am still happy to see this addressed. Thank you.

