Open chunlongliang-ibm opened 2 years ago
The fix is fairly easy. When calling the k8s tokenreviews API, today Liberty sends a request message like this:

```shell
curl -X "POST" "https://{kubernetes API IP}:{kubernetes API Port}/apis/authentication.k8s.io/v1/tokenreviews" \
  -H 'Authorization: Bearer {your bearer token}' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d $'{ "kind": "TokenReview", "apiVersion": "authentication.k8s.io/v1", "spec": { "token": "{token received in token request response}" } }'
```

Note that a bound service account token does not work with this API when asking the tokenreviews API to validate the token. Because bound service account tokens are audience-scoped, we need to modify the request to include the token audience in the tokenreview API call. Here is a working request message if the token is a bound service account token:

```shell
curl -X "POST" "https://{kubernetes API IP}:{kubernetes API Port}/apis/authentication.k8s.io/v1/tokenreviews" \
  -H 'Authorization: Bearer {your bearer token}' \
  -H 'Content-Type: application/json; charset=utf-8' \
  -d $'{ "kind": "TokenReview", "apiVersion": "authentication.k8s.io/v1", "spec": { "token": "{token received in token request response}", "audiences": ["token audience here"] } }'
```
Liberty supports login with an OpenShift service account token; one of the following methods works: https://www.ibm.com/docs/en/cloud-paks/cp-applications/4.3?topic=authentication-authenticating-openshift or https://www.ibm.com/docs/en/cloud-paks/cp-applications/4.3?topic=authentication-authenticating-service-account. However, if the service account token is a bound service account token, neither works. A bound service account token is a time-boxed and audience-scoped token, and is more secure than a traditional service account token; see https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/authentication_and_authorization/bound-service-account-tokens.
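As an added example (not code from this issue or from Liberty itself), the following Python shows the client side of the fix described above: building the TokenReview request body with `spec.audiences`, and then checking the response. The check matters because `status.authenticated: true` alone is not sufficient for an audience-scoped token; a client that sent `spec.audiences` should confirm that `status.audiences` in the reply contains an audience it actually accepts. The function names, the `accepted_audiences` parameter and the sample response are assumptions constructed for the example; the request and response field names follow the `authentication.k8s.io/v1` TokenReview API.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Path of the TokenReview endpoint on the Kubernetes API server (from the issue).
TOKEN_REVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_token_review(token: str, audiences: Optional[List[str]] = None) -> Dict:
    """Build the TokenReview request body.

    Without spec.audiences the API server validates the token only against its
    own audience, so a bound (audience-scoped) service account token is rejected.
    Passing the audience the token was issued for is the fix the issue proposes.
    """
    body = {
        "kind": "TokenReview",
        "apiVersion": "authentication.k8s.io/v1",
        "spec": {"token": token},
    }
    if audiences:
        body["spec"]["audiences"] = list(audiences)
    return body


@dataclass
class ReviewResult:
    accepted: bool
    username: Optional[str]
    reason: str


def evaluate_token_review(response: Dict, accepted_audiences: List[str]) -> ReviewResult:
    """Decide whether to accept a token from a TokenReview response.

    status.audiences is the intersection of the audiences the client asked for
    and the audiences the token is valid for. When the client sent audiences, it
    must find one of its own accepted audiences there; otherwise the server may
    not be audience-aware and the token must not be trusted for this service.
    """
    status = response.get("status") or {}
    if status.get("error"):
        return ReviewResult(False, None, f"token review error: {status['error']}")
    if not status.get("authenticated"):
        return ReviewResult(False, None, "token not authenticated")
    token_audiences = set(status.get("audiences") or [])
    if accepted_audiences and not token_audiences & set(accepted_audiences):
        return ReviewResult(
            False, None,
            f"audience mismatch: token valid for {sorted(token_audiences)}, "
            f"service accepts {sorted(accepted_audiences)}",
        )
    user = status.get("user") or {}
    return ReviewResult(True, user.get("username"), "ok")


# Constructed sample responses (hypothetical values, not captured from a cluster).
SAMPLE_OK = {
    "kind": "TokenReview",
    "apiVersion": "authentication.k8s.io/v1",
    "status": {
        "authenticated": True,
        "audiences": ["liberty-app"],
        "user": {"username": "system:serviceaccount:demo:liberty-sa"},
    },
}
SAMPLE_WRONG_AUDIENCE = {
    "kind": "TokenReview",
    "apiVersion": "authentication.k8s.io/v1",
    "status": {"authenticated": True, "audiences": ["other-service"]},
}


def demo() -> List[ReviewResult]:
    """Show the request body and evaluate both constructed responses."""
    request = build_token_review("<bound-sa-token-placeholder>", ["liberty-app"])
    print("POST", TOKEN_REVIEW_PATH)
    print(json.dumps(request, indent=2))
    results = [
        evaluate_token_review(SAMPLE_OK, ["liberty-app"]),
        evaluate_token_review(SAMPLE_WRONG_AUDIENCE, ["liberty-app"]),
    ]
    for r in results:
        print(r)
    return results


if __name__ == "__main__":
    demo()
```

The request body is what goes in the `-d` payload of the curl call above; the evaluation step is the part a service such as Liberty should add on top of the raw `authenticated` flag once it starts sending `spec.audiences`.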