Open keymon opened 1 week ago
A security review in our project flagged the static secret created for SSO.
When setting up SSO, we read a static token of a Service Account, with no TTL.
https://github.com/argoproj/argo-workflows/blob/f470fdab279a4e0f28c6e324f1a337dafb73ec13/server/auth/gatekeeper.go#L320-L326
But ideally, we should instead use corev1.TokenRequestSpec. I think something like:
```go
import (
	"context"

	// TokenRequest and TokenRequestSpec are defined in the authentication API
	// group, not in core/v1; the ServiceAccounts client still serves the
	// "token" subresource that creates them.
	authenticationv1 "k8s.io/api/authentication/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Define the token TTL
tokenTTL := int64(3600) // 1 hour

// The TokenRequest subresource is created through the ServiceAccounts client
tokenRequestClient := s.k8sClient.CoreV1().ServiceAccounts(serviceAccount.Namespace)

// Create a TokenRequest object
tokenRequest := &authenticationv1.TokenRequest{
	Spec: authenticationv1.TokenRequestSpec{
		Audiences:         []string{"https://kubernetes.default.svc/"}, // Adjust based on your use case
		ExpirationSeconds: &tokenTTL,
	},
}

// Request the token; the signed JWT comes back in tokenResponse.Status.Token
// and its expiry in tokenResponse.Status.ExpirationTimestamp, so the caller
// must re-request before that time instead of caching the token forever.
tokenResponse, err := tokenRequestClient.CreateToken(ctx, serviceAccount.Name, tokenRequest, metav1.CreateOptions{})
if err != nil {
	return nil, err
}
```
Message from the maintainers:
Love this feature request? Give it a 👍. We prioritise the proposals with the most 👍.
Use Cases
When using SSO with RBAC. This prevents creating a static secret.
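Added example (not part of the issue above and not Argo Workflows code): a small stdlib-only Go check for telling the two kinds of service-account token apart. A legacy token read from a Secret has no `exp` claim and is issued as `kubernetes/serviceaccount`; a token obtained through the TokenRequest API always carries `exp` and `aud`. Decoding the payload (without verifying the signature, which is enough for an inventory check but never for authentication) lets an operator confirm whether what the server holds is a static secret or a bounded, expiring token. The sample tokens, the subject `system:serviceaccount:argo:argo-server`, the issuer URL and the `needsRotation` policy are all constructed for the demo.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenInfo summarises the claims that matter for the static-vs-bound question.
type TokenInfo struct {
	Subject   string
	Issuer    string
	Audiences []string
	Bound     bool          // true for TokenRequest (expiring, audience-bound) tokens
	TTL       time.Duration // time until exp; zero for a token without exp
}

// payloadClaims is the subset of service-account JWT claims we inspect.
type payloadClaims struct {
	Sub string          `json:"sub"`
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"` // a string or an array of strings (RFC 7519)
	Exp *int64          `json:"exp"`
}

// inspectToken decodes the JWT payload WITHOUT verifying the signature.
// That is sufficient for an audit of what a server holds; never use it to authenticate.
func inspectToken(tok string, now time.Time) (TokenInfo, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return TokenInfo{}, errors.New("not a compact JWS (expected 3 dot-separated parts)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return TokenInfo{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c payloadClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return TokenInfo{}, fmt.Errorf("payload is not JSON: %w", err)
	}
	info := TokenInfo{Subject: c.Sub, Issuer: c.Iss}
	if len(c.Aud) > 0 {
		var one string
		if json.Unmarshal(c.Aud, &one) == nil {
			info.Audiences = []string{one}
		} else if err := json.Unmarshal(c.Aud, &info.Audiences); err != nil {
			return TokenInfo{}, fmt.Errorf("aud claim malformed: %w", err)
		}
	}
	// Legacy secret-backed tokens carry no exp; TokenRequest tokens always do.
	if c.Exp != nil {
		info.Bound = true
		info.TTL = time.Unix(*c.Exp, 0).Sub(now)
	}
	return info, nil
}

// needsRotation is a hypothetical operator policy: a static token must be replaced
// by a TokenRequest token, and a bound token must be re-requested once expired.
func needsRotation(info TokenInfo) bool {
	return !info.Bound || info.TTL <= 0
}

// fakeJWT assembles a token from constructed claims for the demo. The signature
// segment is a placeholder; nothing here was issued by a real API server.
func fakeJWT(claims map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "RS256", "typ": "JWT"})
	sig := base64.RawURLEncoding.EncodeToString([]byte("placeholder-signature"))
	return header + "." + enc(claims) + "." + sig
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	legacy := fakeJWT(map[string]any{ // shape of a Secret-backed token
		"iss": "kubernetes/serviceaccount",
		"sub": "system:serviceaccount:argo:argo-server",
		"kubernetes.io/serviceaccount/secret.name": "argo-server-token-abcde",
	})
	bound := fakeJWT(map[string]any{ // shape of a TokenRequest token
		"iss": "https://kubernetes.default.svc",
		"sub": "system:serviceaccount:argo:argo-server",
		"aud": []string{"https://kubernetes.default.svc"},
		"exp": now.Add(time.Hour).Unix(),
	})
	for _, t := range []string{legacy, bound} {
		info, err := inspectToken(t, now)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s bound=%v aud=%v ttl=%s rotate=%v\n",
			info.Subject, info.Bound, info.Audiences, info.TTL, needsRotation(info))
	}
}
```

Run against the token the server actually loads (for example the value a gatekeeper reads from the Secret) to confirm the migration: the legacy token reports bound=false and rotate=true, the TokenRequest token reports its audience and remaining TTL.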