Integrate K8s ServiceAccounts into IAM solution #34
Comments
CC @reqa
As discussed in separate emails and a meeting:
An open question is which JWTs are provided to the Services by K8s. If it's
Example contents:

"Ordinary" Service Account JWT claims:

```json
{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "default",
  "kubernetes.io/serviceaccount/secret.name": "mytestaccount-token-pnj77",
  "kubernetes.io/serviceaccount/service-account.name": "mytestaccount",
  "kubernetes.io/serviceaccount/service-account.uid": "a709ef71-30e2-489a-bd19-ade97031b9db",
  "sub": "system:serviceaccount:default:mytestaccount"
}
```

Projected volume token claims:

```json
{
  "aud": [
    "thisismyaudience"
  ],
  "exp": 1616000294,
  "iat": 1615999694,
  "iss": "https://api.harbor-test.garden.internal.prod.gardener-test.site",
  "kubernetes.io": {
    "namespace": "default",
    "pod": {
      "name": "projection-test",
      "uid": "900f80ed-bafe-49f0-9ae2-c5f0a3ac2cbe"
    },
    "serviceaccount": {
      "name": "mytestaccount",
      "uid": "a709ef71-30e2-489a-bd19-ade97031b9db"
    }
  },
  "nbf": 1615999694,
  "sub": "system:serviceaccount:default:mytestaccount"
}
```

The audience was freely configurable via the PodSpec.
So indeed, the token only provides AuthN/identifying information, no AuthZ information.
K8s supports providing identity to Pods via ServiceAccounts. A JWT is provided to the workload Pod which may be used to access the apiserver, but also may be used outside of the cluster.
The "Service Account Issuer Discovery" seems like a perfect match to integrate them into SCS IAM/UCS: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
CC @stunivention
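To make the two token shapes quoted in the thread concrete from the relying party's side, and to tie them to the issuer-discovery step proposed in the issue, here is an added example. It is not code from this issue, from Kubernetes or from the SCS IAM/UCS project. The only inputs are the two claim sets quoted above, embedded as constructed samples; the `constructed-kid` key id, the placeholder signature segment and all function names are assumptions, and real RS256 verification against the JWKS (which needs a JOSE library) is deliberately not modelled. The checks are the ones an external IAM would have to run on a projected token: pin `iss`, require its own audience, enforce `nbf`/`exp`, cross-check `sub` against the `kubernetes.io` object, refuse never-expiring Secret-based tokens, and only then map the identity, since the token carries no authorization data.

```python
"""Relying-party checks for Kubernetes ServiceAccount JWTs (added example; not code
from the issue or from Kubernetes). The claims are the constructed samples quoted above."""
import base64
import json

ISSUER = "https://api.harbor-test.garden.internal.prod.gardener-test.site"

# Constructed sample: Secret-based ("ordinary") token, no exp, no aud.
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "mytestaccount-token-pnj77",
    "kubernetes.io/serviceaccount/service-account.name": "mytestaccount",
    "kubernetes.io/serviceaccount/service-account.uid": "a709ef71-30e2-489a-bd19-ade97031b9db",
    "sub": "system:serviceaccount:default:mytestaccount",
}
# Constructed sample: projected-volume (bound) token with audience and lifetime.
BOUND_CLAIMS = {
    "aud": ["thisismyaudience"], "exp": 1616000294, "iat": 1615999694, "nbf": 1615999694,
    "iss": ISSUER,
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "projection-test", "uid": "900f80ed-bafe-49f0-9ae2-c5f0a3ac2cbe"},
        "serviceaccount": {"name": "mytestaccount", "uid": "a709ef71-30e2-489a-bd19-ade97031b9db"},
    },
    "sub": "system:serviceaccount:default:mytestaccount",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(claims: dict) -> str:
    """Compact JWS for the constructed samples. The third segment is a placeholder,
    not a real RS256 signature, so the result can only be inspected, never trusted."""
    header = {"alg": "RS256", "kid": "constructed-kid"}  # assumed key id
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), _b64url(b"placeholder")])

def decode_claims(token: str) -> dict:
    """Payload WITHOUT signature verification: claims stay untrusted until checked
    against the key with matching `kid` from the issuer's JWKS (see discovery_url)."""
    header_b64, payload_b64, _sig = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none").lower() == "none":
        raise ValueError("refusing unsigned token")
    return json.loads(_b64url_decode(payload_b64))

def classify(claims: dict) -> str:
    """'legacy' = Secret-based token that never expires; 'bound' = projected token."""
    if claims.get("iss") == "kubernetes/serviceaccount" and "exp" not in claims:
        return "legacy"
    if "kubernetes.io" in claims and "exp" in claims and "aud" in claims:
        return "bound"
    return "unknown"

def validate_bound(claims: dict, expected_issuer: str, expected_audience: str, now: int) -> list:
    """Checks an external IAM should apply; returns the violations, [] means accept."""
    if classify(claims) != "bound":
        return ["not a bound token: no aud/exp, cannot be audience-scoped or expire"]
    problems = []
    if claims["iss"] != expected_issuer:
        problems.append(f"issuer mismatch: {claims['iss']!r}")
    aud = claims["aud"]
    aud = [aud] if isinstance(aud, str) else aud  # RFC 7519 allows a string or a list
    if expected_audience not in aud:
        problems.append(f"audience {expected_audience!r} not in {aud}")
    if now < claims.get("nbf", claims["iat"]):
        problems.append("token not yet valid (nbf)")
    if now >= claims["exp"]:
        problems.append("token expired")
    k8s = claims["kubernetes.io"]
    want_sub = f"system:serviceaccount:{k8s['namespace']}:{k8s['serviceaccount']['name']}"
    if claims.get("sub") != want_sub:
        problems.append(f"sub {claims.get('sub')!r} disagrees with kubernetes.io claims")
    return problems

def identity_from_claims(claims: dict) -> dict:
    """AuthN facts only: no roles or groups are carried, so authorization has to
    come from the IAM's own policy keyed on these values."""
    if classify(claims) == "bound":
        k8s = claims["kubernetes.io"]
        return {"namespace": k8s["namespace"], "serviceaccount": k8s["serviceaccount"]["name"],
                "pod": k8s.get("pod", {}).get("name")}
    p = "kubernetes.io/serviceaccount/"
    return {"namespace": claims.get(p + "namespace"),
            "serviceaccount": claims.get(p + "service-account.name"), "pod": None}

def discovery_url(iss: str) -> str:
    """Service Account Issuer Discovery: where the OIDC discovery document is served."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"

def jwks_uri_from_discovery(doc: dict, iss: str) -> str:
    """Pin the discovery document's issuer to the token's iss before using its jwks_uri."""
    if doc.get("issuer") != iss:
        raise ValueError("discovery document issuer does not match token iss")
    return doc["jwks_uri"]
```

Two practical caveats for wiring this into an external IAM: the `iss` of a projected token is whatever `--service-account-issuer` the apiserver was started with, and the discovery document and JWKS are served by the apiserver under that URL, so the IAM must be able to reach it (or a mirrored copy of both documents). By default those endpoints are readable only by authenticated service accounts through the `system:service-account-issuer-discovery` ClusterRole; an IAM fetching them anonymously needs that role bound to `system:unauthenticated`. Legacy Secret-based tokens use the fixed `kubernetes/serviceaccount` issuer and carry no `aud` or `exp`, so they cannot be validated through discovery at all and should be refused outright.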