Is your feature request related to a problem? Please describe.
When binding a k8s service account to a policy, there is no support for bound_audience like there is for GCE or JWT.
As a result, storing secrets in vault authenticated with service accounts is no safer than storing secrets in k8s secrets (since vault verifies the jwt derived from the service account's secret).
Describe the solution you'd like
Support for a bound_audience field when creating a binding for a new service account.
Vault should make some efforts to ensure authentication is being done from the correct k8s namespace.
I have noticed that the Kubernetes authentication does not actually validate the claim in the JWT when setting the audience parameter. I documented this issue in hashicorp/vault-plugin-auth-kubernetes#175.
Ah okay, sorry, I didn't check the code, as it sounded like a feature request and I saw the audience parameter in the API docs. I can have a look at this on Friday.
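To make concrete what an audience-bound check looks like, here is an added example (not Vault's code, and not from the plugin issue linked above). It mints a JWT shaped like a Kubernetes projected service account token and then applies the role bindings the issue asks for: the `aud` claim must contain the audience the role was bound to, and the namespace and service account name must match. The HS256 signing key, the role parameters, and the function names are all assumptions for the demo; real cluster tokens are asymmetrically signed and Vault validates them through the TokenReview API or the cluster's public keys, which this example does not reproduce.

```python
"""Audience-bound verification of a Kubernetes-style service account JWT.

Added example, not Vault's implementation. The point is the `aud` check:
a token minted for a different audience (e.g. the API server's default
audience) must not be accepted by a role bound to audience "vault", even
if its namespace and service account name match.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the cluster's signing key (assumption).
DEMO_KEY = b"demo-signing-key-not-a-real-cluster-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(namespace, sa_name, audiences, key=DEMO_KEY, ttl=3600):
    """Build an HS256 JWT with the claim layout of a projected SA token."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://kubernetes.default.svc",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": list(audiences),
        "iat": now,
        "exp": now + ttl,
        "kubernetes.io": {
            "namespace": namespace,
            "serviceaccount": {"name": sa_name},
        },
    }
    signing_input = (
        _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AuthError(Exception):
    """Raised with a short reason when the token must be rejected."""


def verify_bound_token(token, bound_namespace, bound_sa_names, bound_audience,
                       key=DEMO_KEY, now=None):
    """Verify the signature, then enforce audience, namespace and SA bindings.

    Returns the claims on success; raises AuthError otherwise.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise AuthError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    # Audience binding: the check the issue asks for. `aud` may be a string
    # or a list per the JWT spec, so normalise before testing membership.
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if bound_audience not in aud:
        raise AuthError("audience not bound")
    k8s = claims.get("kubernetes.io", {})
    if k8s.get("namespace") != bound_namespace:
        raise AuthError("namespace not bound")
    sa = k8s.get("serviceaccount", {}).get("name")
    if "*" not in bound_sa_names and sa not in bound_sa_names:
        raise AuthError("service account not bound")
    return claims


def check_login(token, bound_namespace, bound_sa_names, bound_audience, key=DEMO_KEY):
    """Return "ok" or the rejection reason, for easy use in a login handler."""
    try:
        verify_bound_token(token, bound_namespace, bound_sa_names, bound_audience, key)
        return "ok"
    except AuthError as e:
        return str(e)


if __name__ == "__main__":
    good = mint_token("payments", "app", ["vault"])
    wrong_aud = mint_token("payments", "app", ["https://kubernetes.default.svc"])
    print(check_login(good, "payments", ["app"], "vault"))
    print(check_login(wrong_aud, "payments", ["app"], "vault"))
```

The demo mints two tokens for the same namespace and service account; only the one whose `aud` includes the role's bound audience is accepted. In a cluster you would obtain such a token by mounting a projected `serviceAccountToken` volume with `audience: vault` and binding the Vault role to that same audience, so a token issued for any other audience cannot be replayed against the role.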