Open
Description
Doc to update: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
- We don't have any plans to add revocation at this time. Because of this, the docs will be updated to make clear that tokens should be short-lived, as they are not revocable.
- While full token revocation is not supported, it is possible to approximate revocation by writing user info validation rules (e.g., via CEL) based on a unique identifier in the token, such as the jti claim (if present). Even without a jti, any claim that uniquely identifies the token can be used to simulate revocation by checking it against a denylist or revocation list. However, we still recommend using short-lived tokens, as managing revocation this way can become complex and hard to scale.
Example of a revocation rule using the jti claim:

```yaml
userValidationRules:
- expression: "!(user.extra[?'authentication.kubernetes.io/credential-id'][0].orValue('') in ['JTI=e28ed49-2e11-4280-9ec5-bc3d1d84661a'])"
  message: "credential id is revoked"
```
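The denylist approach above only has to hold an entry until the token it names expires, which is why short-lived tokens keep it manageable. The following script is an added example, not code from the issue or from Kubernetes: it keeps a constructed denylist of revoked jti values together with each token's exp, prunes entries that have already expired, renders the remaining ones as a userValidationRules entry in the same shape as the rule above, and mirrors the rule's check in Python (the `JTI=<jti>` credential-id format is taken from the rule; the Python mirror of the CEL optional-chaining semantics is an assumption made for illustration).

```python
"""Maintain a jti denylist and render it as a Kubernetes userValidationRule (added example)."""
from __future__ import annotations

import time

# Extra key the rule on the page inspects; its value carries the token's jti as "JTI=<jti>".
CREDENTIAL_ID_KEY = "authentication.kubernetes.io/credential-id"

# Constructed sample denylist: revoked jti -> that token's exp claim (unix seconds).
# Once a token is past exp the API server rejects it anyway, so its entry can be dropped.
REVOKED: dict[str, int] = {
    "e28ed49-2e11-4280-9ec5-bc3d1d84661a": 1_900_000_000,
    "0f3c1a2b-aaaa-bbbb-cccc-111122223333": 1_000_000_000,  # constructed, already expired
}


def credential_id(jti: str) -> str:
    """Credential-id extra value the JWT authenticator records for a token."""
    return f"JTI={jti}"


def prune_expired(revoked: dict[str, int], now: int) -> dict[str, int]:
    """Drop denylist entries whose token has already expired."""
    return {jti: exp for jti, exp in revoked.items() if exp > now}


def cel_string(value: str) -> str:
    """Render a CEL single-quoted string literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_rule(revoked: dict[str, int]) -> str:
    """Render the denylist as a userValidationRules entry (YAML block scalar, so no quoting issues)."""
    ids = ", ".join(cel_string(credential_id(jti)) for jti in sorted(revoked))
    expr = f"!(user.extra[?{cel_string(CREDENTIAL_ID_KEY)}][0].orValue('') in [{ids}])"
    return (
        "userValidationRules:\n"
        "- expression: >-\n"
        f"    {expr}\n"
        "  message: credential id is revoked\n"
    )


def is_allowed(user_extra: dict[str, list[str]], revoked: dict[str, int]) -> bool:
    """Assumed Python mirror of the CEL rule: a missing credential-id evaluates to '' and passes."""
    values = user_extra.get(CREDENTIAL_ID_KEY) or [""]
    denied = {credential_id(jti) for jti in revoked}
    return values[0] not in denied


if __name__ == "__main__":
    active = prune_expired(REVOKED, int(time.time()))
    print(render_rule(active))
```

Run it periodically (or from the process that records revocations) and apply the rendered rule to the AuthenticationConfiguration; entries disappear on their own once the tokens they name have expired.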
Status: In Progress