Comments (4)
Hi folks, the new disable_local_ca_jwt
option that went out in vault 1.5.4 should allow you to disable use of the local token: https://www.vaultproject.io/api-docs/auth/kubernetes#disable_local_ca_jwt
from vault-plugin-auth-kubernetes.
isn't this expected behaviour? this feature could work only with cluster where it runs otherwise you have to set tokenReviewer
explicitly.
from vault-plugin-auth-kubernetes.
@riuvshyn No that isn't true. If you don't specify the tokenReviewer
it uses the JWT itself.
As the documentation states
A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.
And as long as that JWT has the necessary permissions (system:auth-delegator).
I have verified this works as expected.
from vault-plugin-auth-kubernetes.
I'm happy to open another PR to expose an extra config to specify whether to default to using the Vault deployment's SA JWT or the JWT to be verified as the auth delegator, but we'd need to decide which one we want as default behaviour.
I do find it a bit odd having to grant extra auth delegator privileges to service accounts which need to be authenticated, rather than the Vault SA being granted those privileges, but happy to take input?
Edited: I just looked at your PR, and it seems like a reasonable workaround to use the local pod credentials all together when none of the CA cert and token reviewer JWT have been set,
from vault-plugin-auth-kubernetes.
Related Issues (20)
- Make issuer validation work with Kubernetes 1.21+ by default HOT 6
- Rename disable_iss_validation HOT 1
- Re-configuring role fails after upgrading existing deployment to Vault 1.9.x HOT 4
- Authentication backend defined token_type is not override by role token_type HOT 1
- Allow specifying a namespace selector for the allowed namespace from which to authenticate
- BREAKING CHANGE: proposal: make `kubernetes_host` array to provide fallback mechanism and retry resiliency
- JWT signing algorithm ES384 became unsupported since version 0.13.0 HOT 1
- [docs] allow patching of roles HOT 14
- Unable to authenticate to external k8s cluster HOT 3
- Kubernetes API errors are not logged as errors HOT 5
- TLS errors after failed plugin initialization HOT 3
- CA cert on local disk is not reloaded if changed
- The audience claim is not checked, the parameter `audience` in the Kubernetes auth role is ineffective HOT 4
- Context Canceled on all authentication attempts for 10 minutes after an API node has shutdown HOT 14
- Unable to make Kubernetes requests: no such host HOT 1
- GitHub Actions - deprecated warnings found - action required!
- Support for path nesting like kv2 engine when nesting multiple kubernetes clusters configs in same path
- Add token_reviewer_jwt as login parameter
- Consider token lookup event configurable HOT 1
- How to bypass certificate check when connect to Kubernetes HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vault-plugin-auth-kubernetes.