New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove usage of token_reviewer_jwt completely #128
Remove usage of token_reviewer_jwt completely #128
Conversation
I think this will affect the k8s RBAC for service accounts currently authenticating to vault. With the |
@anush-cr You are 100% correct, I forgot to update my PR with this detail after including this in the issue, and updated it now to include this! |
This is a breaking change for me. I don't prefer Vault authenticating to the Kubernetes API using any client's service account token. Enforcing a |
@mitsutaka It is possible to keep the current implementation, however there are some parts that feel like they are missing when it comes to maintaining/storing/fetching authentication tokens. Perhaps rather than removing this feature: replacing it or adding additional token validation methods might be a better pick since it can be used more widely. What do you think f.e. about the noted possible alternatives? To add to the issue: the original intent for this solution was found when reviewing access to Vault with the newly introduced service account token volume projection. To be more precise: it was reviewed on a setup which included an external Vault. And as a final note: when using an external Vault that you are currently only able to use a static |
After a lot of discussions: closing the issue as an alternative has been chosen to be implemented instead. |
@RemcoBuddelmeijer Thank you for sharing your case! this is interesting case that I didn't know about. I've come up with a way to verify the requested token, but I'm not sure this is the best solution. It may be possible to pass the JWT requested by the client to On the other hand, the way to verify the requested token without applying the ClusterRole is to call Alternatively, if the vault is running in a pod, you may be able to completely disable |
@mitsutaka I have read your case(s) .. I am not entirely sure what you are trying to say with your first case? This is how it currently is implemented, where the The issue with this I think when looking at the Perhaps the only other approach. Users would then have to define a token that is used to authenticate both (and facilitate one of them) the What I have been looking at, and still am, is an approach where you authenticate with something other than a service account token. Preferably something Kubernetes native. Since really the only other approach would be external validation which would introduce complex setup(s) that might not fit into ones and Vault's infrastructure. |
Overview
Removing the usage of token_reviewer_jwt token entry from the KubeConfig. This means that the Kubernetes Auth plugin no longer uses this predefined variable and that all the validation and authentication is done on the JWT token sent to Kubernetes.
This changes will affect Kubernetes clusters using RBAC for service accounts currently authenticating to vault. With the change, every single service account token attached to the entity attempting to Authenticate to Vault will require to have the
system:auth-delegator
RoleBinding attached to it. This is necessary to access theTokenReview
API.The original intent for this solution was found when reviewing access to Vault with the newly introduced service account token volume projection. To be more precise: it was reviewed on a setup which included an external Vault. And as a final note: when using an external Vault that you are currently only able to use a static
token_reviewer_jwt
rather than having it be loaded from the local file system, since this won't be possible since you are then loading thetoken_reviewer_jwt
from the Vault pod rather than the client's pod, excluding the possibility to use the newly introduced projection or to have the possibility to have short-lived tokens in general for this use case. This only makes things more complex as the amount of possibilities to obtain a service account tokens increase, combined with the use cases for Vault such as: internal Vault, external Vault. Having a "one shoe fits all" solution sounded like a nice idea.With this, my main concern for this issue to replace and/or remove the token_reviewer_jwt had to do with security. Having a static-based secret token with the capabilities that it has inside Vault, instead of an ephemeral token, was heavier than when changing roles in the K8s cluster; however this depends on your level of trust in your user, the impact of the role being present and the attack service. I agree that having the possibility to revoke access to the k8s API for a specific service account is very important, so this might be a good topic for discussion.
Design of Change
Removing the usage of token_reviewer_jwt token entry from the KubeConfig and while sending a TokenReview request.
Alternatives
Support various deployment models, (for external clusters) support the refreshing of the token_reviewer_jwt through f.e. TokenRequest API rather than a static secret-based service account token. Or different ways to integrate with Kubernetes outside of the TokenReview API such as: OIDC issuer validation.
Related Issues/Pull Requests
Issue #12951
PR #12980
Contributor Checklist
[x] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
My Docs PR Link
Example Nr 1
Example Nr 2
Example Nr 3
[x] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[x] Backwards compatible
Vault keeps working as before, only difference will be approach of the validation of the sent-in JWT token. However, this PR aims towards removing this functionality.
[x] Check for tests
Test outcome is the same, the validation process still returns the same valid results
[x] Add alternatives
Add alternatives to be able to possible forward the issue.