
Consider adding Tokenrequest #84

Open

tychota opened this issue May 22, 2020 · 2 comments

Comments

tychota commented May 22, 2020

Problem it solves

Probably "Wishlist priority"

When installing the latest istio (1.6.0) at the time of writing, I saw the warning:

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.

What it is

See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection

What to modify on kubelet

See https://jpweber.io/blog/a-look-at-tokenrequest-api/

I think that some certificate must be created and shared, then a few options must be added to the kubelet command.

Next steps

Is it interesting for hobby-kube?

If yes, I may find some time to try this on my own cluster soon, and if so I will open a PR to both Guide and provisioning.
If not, feel free to close this issue.

pstadler (Member) commented

First of all, thanks for your effort creating this issue. I don't see this within the scope of the hobby-kube project at this point and adding this will certainly make things more complicated.

However, if the changes make sense for a broader audience I'd consider adding this. Are you aware of any other project or reason for enabling this API?

tychota (Author) commented Jun 2, 2020

(Hi, sorry, I did miss the notification)

First, note that my example with istio is only here as an example. The goal is not for this project to support istio or whatever but to implement. (As English is not my mother language, I wasn't sure it was clear in the first post.)

What is TokenRequest

TokenRequest was introduced here: https://github.com/kubernetes/community/pull/1460/files?short_path=31a0d46#diff-31a0d46d154a2c02fe8cb4fa8d349d26.

How widespread is TokenRequest

TokenRequest was then implemented in kubernetes/kubernetes#58790 and available in alpha in 1.10 and in beta in 1.12. It is still beta in 1.12.

I think all the cloud providers support TokenRequest.

Why TokenRequest

As a summary of the above documents, it helps:

  • increasing security: TokenRequest tokens are time-bound and audience-bound
  • helping scalability

Why TokenRequest in hobby-kube

I'm aware that, by itself, fine-grained security (security to protect against attacks where the attacker already has access to something in the cluster) or scalability are not strong goals of this project. The name is "hobby-kube".
I see this enhancement more as a usability helper, so users don't get warnings or, worse, things not working if they depend on TokenRequest.

I don't think it is yet a must-have. Most third parties still allow insecure JWT tokens and advise using TokenRequest.
However, if TokenRequest is really as simple as follows (untested yet), it may be worth it (a small modification for a small improvement of usability and security).

[image]
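As an added example (not part of this issue or of the hobby-kube project): the claim-level check a service receiving a service account token can apply to tell a TokenRequest-issued projected token (time-bound, audience-bound) from a legacy first-party token that has neither bound. The sample claims are constructed, and signature verification is assumed to happen separately (for example through the TokenReview API).

```python
import base64
import json

# Constructed sample claims (not captured from a real cluster). A TokenRequest-
# issued projected token carries aud/exp/nbf; a legacy first-party token does not.
PROJECTED_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:default",
    "aud": ["istio-ca"],
    "iat": 1590000000, "nbf": 1590000000, "exp": 1590043200,  # 12h lifetime
    "kubernetes.io": {"namespace": "default", "serviceaccount": {"name": "default"}},
}
LEGACY_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:default",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature, for demonstration only;
    real tokens are RS256/ES256-signed by kube-apiserver."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.dummysig"

def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_bound_token(token: str, expected_audience: str, now: int) -> dict:
    """Enforce audience/time bounds; signature check assumed elsewhere (TokenReview)."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not aud:
        raise ValueError("unbounded token: no audience (legacy first-party JWT?)")
    if expected_audience not in aud:
        raise ValueError(f"audience {aud} does not include {expected_audience!r}")
    if "exp" not in claims or not claims.get("nbf", 0) <= now < claims["exp"]:
        raise ValueError("unbounded token or outside its validity window")
    return claims

def is_acceptable(token: str, expected_audience: str, now: int) -> bool:
    try:
        check_bound_token(token, expected_audience, now)
        return True
    except ValueError:
        return False
```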
