Restrict service account token usage to CIDR IP range #81362
What would you like to be added: I'd like to restrict service account token usage to certain IP ranges.
Why is this needed: We use a cluster-admin token for GitLab to integrate with Kubernetes (deploys resources to cluster, views pod logs, displays resources in namespaces). Unfortunately GitLab allows this token to be retrieved from the GitLab UI and then the token can be used from anywhere. If we could annotate a service account to say only allow token usage from a specified CIDR range, that would prevent this vulnerability.
For example, this service account would only allow usage of its token from

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/restrict-token-cidr: 18.104.22.168/32,22.214.171.124/32
  name: gitlab-integration
```
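To make the proposed semantics concrete, here is an added example (written for this page, not code from kubernetes/kubernetes or from the issue author) of the decision the API server would have to make when a service account token is presented: read the `kubernetes.io/restrict-token-cidr` annotation, parse its comma-separated CIDR list, and allow the request only if the client source IP falls inside one of them. The annotation key and the two /32 addresses come from the issue; the function names, the handling of a bare address as a host route, and the deny-case address `203.0.113.9` are assumptions made here. A missing annotation keeps today's behaviour (no restriction); a present but malformed annotation fails closed rather than silently widening the allow-list.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Annotation key proposed in the issue. The enforcement logic in this file
// is an illustration for this page, not an implementation in Kubernetes.
const restrictTokenCIDRAnnotation = "kubernetes.io/restrict-token-cidr"

// parseAllowedCIDRs turns the annotation value ("cidr1,cidr2,...") into
// parsed networks. A bare address without a prefix length is treated as a
// host route (/32 for IPv4, /128 for IPv6). Any unparsable entry returns an
// error so that a typo fails closed instead of widening the allow-list.
func parseAllowedCIDRs(value string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, raw := range strings.Split(value, ",") {
		entry := strings.TrimSpace(raw)
		if entry == "" {
			continue
		}
		if !strings.Contains(entry, "/") {
			ip := net.ParseIP(entry)
			if ip == nil {
				return nil, fmt.Errorf("invalid address %q", entry)
			}
			if ip.To4() != nil {
				entry += "/32"
			} else {
				entry += "/128"
			}
		}
		_, n, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("invalid cidr %q: %w", entry, err)
		}
		nets = append(nets, n)
	}
	if len(nets) == 0 {
		return nil, fmt.Errorf("annotation %s is set but lists no CIDRs", restrictTokenCIDRAnnotation)
	}
	return nets, nil
}

// TokenAllowedFrom reports whether a token belonging to a ServiceAccount with
// the given annotations may be used from sourceIP. No annotation means no
// restriction (current Kubernetes behaviour). A present but malformed
// annotation, or an unparsable source address, denies the request.
func TokenAllowedFrom(annotations map[string]string, sourceIP string) (bool, error) {
	value, ok := annotations[restrictTokenCIDRAnnotation]
	if !ok {
		return true, nil
	}
	ip := net.ParseIP(sourceIP)
	if ip == nil {
		return false, fmt.Errorf("unparsable source ip %q", sourceIP)
	}
	nets, err := parseAllowedCIDRs(value)
	if err != nil {
		return false, err
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Annotation value taken from the issue; 203.0.113.9 is a constructed
	// out-of-range client used to show the deny path.
	sa := map[string]string{restrictTokenCIDRAnnotation: "18.104.22.168/32,22.214.171.124/32"}
	for _, src := range []string{"18.104.22.168", "203.0.113.9"} {
		ok, err := TokenAllowedFrom(sa, src)
		fmt.Printf("%s -> allowed=%v err=%v\n", src, ok, err)
	}
}
```

One caveat a practitioner would want to keep in mind: the address this check sees is whatever the API server observes as the TCP peer, so if the API server sits behind a load balancer or proxy that does not preserve the client address, every request will appear to come from the proxy and the allow-list has to be written for that address instead of GitLab's.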