Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: authentication to external k8s cluster fails #93

Closed
cyrus-mc opened this issue Jul 26, 2020 · 4 comments
Closed

bug: authentication to external k8s cluster fails #93

cyrus-mc opened this issue Jul 26, 2020 · 4 comments
Labels
bug

Comments

@cyrus-mc
Copy link

Given the following situation:

  • vault is running in cluster 1
  • kubernetes authentication setup to external cluster (cluster 2) with no token_reviewer_jwt set

In this situation authentication will always fail due to the fact that Vault will default to using the token that vault itself is running under for the TokenReviewerJWT. As this has no authority in cluster2, authentication fails.

Looking over the changes

#83

Is the PR that I believe broke this functionality due to the fact it added the following

if len(tokenReviewer) == 0 && len(localTokenReviewer) > 0 {
  tokenReviewer = string(localTokenReviewer)
}

As you can see if there is no tokenReviewer specified in the request it checks for the localTokenReviewer (found if running in a cluster) and defaults to that.
@riuvshyn
Copy link
Contributor

isn't this expected behaviour? this feature could work only with cluster where it runs otherwise you have to set tokenReviewer explicitly.

@cyrus-mc
Copy link
Author

@riuvshyn No that isn't true. If you don't specify the tokenReviewer it uses the JWT itself.

As the documentation states

A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.

And as long as that JWT has the necessary permissions (system:auth-delegator).

I have verified this works as expected.

@eh-steve
Copy link
Contributor

eh-steve commented Jul 26, 2020
edited
Loading

I'm happy to open another PR to expose an extra config to specify whether to default to using the Vault deployment's SA JWT or the JWT to be verified as the auth delegator, but we'd need to decide which one we want as default behaviour.

I do find it a bit odd having to grant extra auth delegator privileges to service accounts which need to be authenticated, rather than the Vault SA being granted those privileges, but happy to take input?

Edited: I just looked at your PR, and it seems like a reasonable workaround to use the local pod credentials all together when none of the CA cert and token reviewer JWT have been set,

@tvoran tvoran added the bug label Sep 16, 2020
@tvoran tvoran mentioned this issue Sep 18, 2020
Merged
3 tasks
@tvoran
Copy link
Member

tvoran commented Sep 29, 2020

Hi folks, the new disable_local_ca_jwt option that went out in vault 1.5.4 should allow you to disable use of the local token: https://www.vaultproject.io/api-docs/auth/kubernetes#disable_local_ca_jwt

@tvoran tvoran closed this as completed Sep 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tvoran @cyrus-mc @eh-steve @riuvshyn