
Restrict service account token usage to CIDR IP range #81362

Open
atheiman opened this issue Aug 13, 2019 · 1 comment

Comments

@atheiman

commented Aug 13, 2019

What would you like to be added: I'd like to restrict service account token usage to certain IP ranges.

Why is this needed: We use a cluster-admin token for GitLab to integrate with Kubernetes (deploys resources to cluster, views pod logs, displays resources in namespaces). Unfortunately GitLab allows this token to be retrieved from the GitLab UI and then the token can be used from anywhere. If we could annotate a service account to say only allow token usage from a specified cidr range, that would prevent this vulnerability.

For example, this service account would only allow usage of its token from 32.23.45.54/32, and 67.76.89.98/32

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    kubernetes.io/restrict-token-cidr: 32.23.45.54/32,67.76.89.98/32
  name: gitlab-integration
```
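Kubernetes does not enforce the annotation proposed above, so a cluster that hands a long-lived service account token to an external system like GitLab has no built-in way to stop that token being replayed from elsewhere. A compensating control a defender can deploy today is to watch the API server audit log for requests authenticated as that service account from addresses outside the expected ranges. The following script is an added example, not code from the issue or from Kubernetes: it reads the proposer's hypothetical `kubernetes.io/restrict-token-cidr` annotation from a ServiceAccount manifest and flags matching audit events whose client address falls outside the listed CIDRs. The audit events are constructed samples in the shape of `audit.k8s.io/v1` `Event` objects (the `user.username`, `sourceIPs` and `stage` fields are real audit fields); the namespace `gitlab` and the IP addresses are assumed for illustration.

```python
import ipaddress
import json

# Annotation key as proposed in this issue. It is hypothetical: Kubernetes does
# not implement it, so this script only uses it as a policy source for detection.
RESTRICT_CIDR_ANNOTATION = "kubernetes.io/restrict-token-cidr"

# Constructed ServiceAccount mirroring the issue's example (namespace assumed).
SERVICE_ACCOUNT = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "gitlab-integration",
        "namespace": "gitlab",
        "annotations": {RESTRICT_CIDR_ANNOTATION: "32.23.45.54/32,67.76.89.98/32"},
    },
}

# Constructed audit log in the JSON-lines form the apiserver writes
# (audit.k8s.io/v1 Event objects trimmed to the fields this check needs).
# auditID a2 is logged twice because each request emits several stages.
# auditID a3 carries two sourceIPs: the original client first, then a proxy.
AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/namespaces/gitlab/pods","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["32.23.45.54"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"RequestReceived","verb":"get","requestURI":"/api/v1/namespaces/gitlab/pods/web-0/log","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["198.51.100.7"]}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","requestURI":"/api/v1/namespaces/gitlab/pods/web-0/log","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["198.51.100.7"],"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"create","requestURI":"/apis/apps/v1/namespaces/gitlab/deployments","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["198.51.100.7","67.76.89.98"],"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/nodes","user":{"username":"kubernetes-admin"},"sourceIPs":["198.51.100.7"],"responseStatus":{"code":200}}
"""


def allowed_networks(service_account):
    """Parse the comma-separated CIDR annotation into ip_network objects."""
    annotations = service_account["metadata"].get("annotations", {})
    raw = annotations.get(RESTRICT_CIDR_ANNOTATION, "")
    return [ipaddress.ip_network(c.strip()) for c in raw.split(",") if c.strip()]


def service_account_username(service_account):
    """Username the apiserver records for a service account token."""
    md = service_account["metadata"]
    return f"system:serviceaccount:{md['namespace']}:{md['name']}"


def find_violations(audit_log, service_account):
    """Return one finding per request made with this SA's token from outside the allowed CIDRs."""
    username = service_account_username(service_account)
    networks = allowed_networks(service_account)
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # A request is logged at several stages; count it once at completion.
        if event.get("stage") != "ResponseComplete":
            continue
        if event.get("user", {}).get("username") != username:
            continue
        source_ips = event.get("sourceIPs") or []
        finding = {
            "auditID": event.get("auditID"),
            "verb": event.get("verb"),
            "requestURI": event.get("requestURI"),
        }
        if not source_ips:
            finding["client_ip"] = None
            finding["reason"] = "no source IP recorded"
            findings.append(finding)
            continue
        # sourceIPs lists the original client first, then intermediate proxies,
        # so only the first entry is compared against the allow list.
        client_ip = ipaddress.ip_address(source_ips[0])
        if any(client_ip in net for net in networks):
            continue
        finding["client_ip"] = str(client_ip)
        finding["reason"] = "client address outside allowed CIDRs"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_violations(AUDIT_LOG, SERVICE_ACCOUNT):
        print(f"{f['auditID']}: {f['verb']} {f['requestURI']} from {f['client_ip']} ({f['reason']})")
```

Run against the constructed log, `a1` is accepted, `a2` is reported once despite appearing at two stages, `a3` is reported because the client address is the first entry even though a trusted proxy address appears later, and `a4` is ignored because it belongs to a different user. The later entries in `sourceIPs` are taken from forwarding headers, so only trust them when the apiserver sits behind a proxy you control.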
@atheiman
Author

commented Aug 13, 2019

/sig auth
