Open izgeri opened 4 years ago
Hey @izgeri,
It's not clear whether this is possible or what container-based attributes the authenticator should use.
One possible example is to use the image name and SHA256 hash (which are both available as Name/ImageID via the Kubernetes ContainerStatus API endpoint).
There may be other possibilities as well.
Here's an example for container-based identity: https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_docker.md
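As an added example (not code from the issue or from Conjur's authenticator), the check below binds an identity to a container's name plus the sha256 digest taken from its ContainerStatus imageID, so the application container and the Secretless sidecar in the same pod resolve to different identities. The container statuses, image names and digests are constructed placeholders, and the docker-pullable:// prefix is assumed as one possible imageID format.

```python
import re

# Constructed sample of a pod's status.containerStatuses: an application
# container beside a Secretless sidecar. Digests are placeholder values.
SAMPLE_CONTAINER_STATUSES = [
    {"name": "app",
     "imageID": "docker-pullable://example.org/my-app@sha256:" + "a" * 64},
    {"name": "secretless",
     "imageID": "docker-pullable://cyberark/secretless-broker@sha256:" + "b" * 64},
]

# Constructed policy: the only container entitled to this Conjur identity.
SECRETLESS_POLICY = {
    "name": "secretless",
    "image": "cyberark/secretless-broker",
    "sha256": "b" * 64,
}

# Optional runtime prefix (e.g. docker-pullable://), then image@sha256:<hex>.
_IMAGE_ID_RE = re.compile(
    r"^(?:[a-z-]+://)?(?P<image>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})$")


def container_identity(container_statuses, container_name):
    """Return (image_name, sha256_digest) for the named container, or None.

    Only digest-pinned imageIDs yield an identity: a tag-only reference such
    as "nginx:latest" cannot be matched to a policy and is treated as none.
    """
    for status in container_statuses:
        if status.get("name") != container_name:
            continue
        match = _IMAGE_ID_RE.match(status.get("imageID", ""))
        if match is None:
            return None
        return match.group("image"), match.group("digest")
    return None


def is_authorized(container_statuses, container_name, policy):
    """True only when container name, image name and digest all match."""
    ident = container_identity(container_statuses, container_name)
    if ident is None:
        return False
    image, digest = ident
    return (container_name == policy["name"]
            and image == policy["image"]
            and digest == policy["sha256"])
```

A sidecar and its application container share the pod, namespace and service account, so a policy keyed on those alone cannot tell them apart; the digest check is what makes the two identities distinct.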
At current, the Conjur K8s authenticator supports namespace, deployment, pod, service account, and stateful set based application identity.
As an application developer, I want to be able to identify my application by container-specific attributes so that other containers deployed as part of the same pod / deployment will not have access to the Kubernetes authenticator.
In particular, if I am deploying my application with the Secretless sidecar, I would like to entitle the Secretless container to communicate with Conjur without enabling my application container to communicate with Conjur.
GIVEN I deploy my application with container-based machine identity
WHEN I deploy a sidecar container to the same pod as my application
THEN the sidecar container is not able to use the same Conjur identity as my application to communicate with Conjur, since it has different container attributes
Developer Notes
One possible example is to use the image name and SHA256 hash (which are both available as Name/ImageID via the Kubernetes ContainerStatus API endpoint). There may be other possibilities as well.
Additional required updates: