Restrict service account token usage to CIDR IP range #81362

atheiman opened this issue Aug 13, 2019 · 1 comment


commented Aug 13, 2019

What would you like to be added: I'd like to restrict service account token usage to certain IP ranges.

Why is this needed: We use a cluster-admin token for GitLab to integrate with Kubernetes (deploys resources to cluster, views pod logs, displays resources in namespaces). Unfortunately, GitLab allows this token to be retrieved from the GitLab UI, and then the token can be used from anywhere. If we could annotate a service account to say only allow token usage from a specified CIDR range, that would prevent this vulnerability.

For example, this service account would only allow usage of its token from, and

apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-integration
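
The issue asks the API server to enforce a source range per service account token. As an added example (not part of the issue and not Kubernetes code), the same condition can be checked after the fact against API server audit events, using their `user.username` and `sourceIPs` fields. The `gitlab` namespace, the CIDR ranges and the log lines are constructed for illustration.

```python
import ipaddress
import json

# Assumed policy (constructed): service account -> CIDR ranges its token may be used from.
# The "gitlab" namespace and both ranges are placeholders, not values from the issue.
ALLOWED = {
    "system:serviceaccount:gitlab:gitlab-integration": ["10.20.0.0/16", "192.0.2.16/28"],
}

# Constructed audit.k8s.io/v1 events, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"apiVersion":"audit.k8s.io/v1","kind":"Event","verb":"create","requestURI":"/apis/apps/v1/namespaces/prod/deployments","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["10.20.3.7"]}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","verb":"list","requestURI":"/api/v1/secrets","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["203.0.113.50"]}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","verb":"get","requestURI":"/api/v1/namespaces/kube-system/pods","user":{"username":"system:serviceaccount:kube-system:default"},"sourceIPs":["198.51.100.9"]}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","verb":"get","requestURI":"/api/v1/namespaces/prod/pods/web-0/log","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["192.0.2.20","10.20.0.1"]}
{"apiVersion":"audit.k8s.io/v1","kind":"Event","verb":"get","requestURI":"/api/v1/namespaces/prod/pods","user":{"username":"system:serviceaccount:gitlab:gitlab-integration"},"sourceIPs":["10.20.3.7","2001:db8::1"]}
"""


def in_any(ip_text, networks):
    """True if ip_text parses as an IP address inside one of the networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable address is treated as out of range
    return any(ip in net for net in networks)


def out_of_range_uses(log_text, allowed=ALLOWED):
    """Return one finding per request made as a restricted service account
    from at least one address outside that account's allowed ranges."""
    nets = {u: [ipaddress.ip_network(c) for c in cidrs] for u, cidrs in allowed.items()}
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        user = event.get("user", {}).get("username", "")
        if user not in nets:
            continue  # no restriction declared for this identity
        # sourceIPs can list the client and intermediate proxies; require all
        # of them to be in range, and flag events that carry no address at all.
        ips = event.get("sourceIPs") or ["<none>"]
        bad = [ip for ip in ips if not in_any(ip, nets[user])]
        if bad:
            findings.append({"user": user, "outside": bad, "verb": event.get("verb"),
                             "requestURI": event.get("requestURI")})
    return findings


if __name__ == "__main__":
    for f in out_of_range_uses(SAMPLE_AUDIT_LOG):
        print(f)
```

This only detects use of the token from an unexpected address; it does not block the request the way the requested feature would.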

commented Aug 13, 2019

/sig auth
