hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

VAULT-6936 support bound service account namespace selector #218

Closed thyton closed 7 months ago

thyton commented 7 months ago

Overview

A high-level description of the contribution, including:

What is the change? Support a label selector to define from which namespaces clients are allowed to authenticate with their ServiceAccounts.

Why is the change needed? This will add flexibility to bound namespace specification. A similar feature, allowed_kubernetes_namespace_selector, was also seen in the Secrets Engine.

How does this change affect the user experience (if at all)? No

Design of Change

How was this change implemented? The change is based on PR #182 and how allowed_kubernetes_namespace_selector was implemented.

Related Issues/Pull Requests

[ ] Issue #155
[ ] PR #182

Contributor Checklist

[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won't be added yet (Docs PR Link)
[ ] Add output for any tests not run in CI to the PR description (e.g., acceptance tests)

make integration-test
cd integrationtest && INTEGRATION_TESTS=true CGO_ENABLED=0 KUBE_CONTEXT="kind-vault-plugin-auth-kubernetes" go test '-test.v' -count=1 -timeout=20m ./...
?       github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest/k8s   [no test files]
=== RUN   TestSuccess
--- PASS: TestSuccess (0.48s)
=== RUN   TestSuccessWithTokenReviewerJwt
--- PASS: TestSuccessWithTokenReviewerJwt (0.10s)
=== RUN   TestSuccessWithNamespaceLabels
--- PASS: TestSuccessWithNamespaceLabels (0.11s)
=== RUN   TestFailWithBadTokenReviewerJwt
--- PASS: TestFailWithBadTokenReviewerJwt (0.11s)
=== RUN   TestUnauthorizedServiceAccountErrorCode
--- PASS: TestUnauthorizedServiceAccountErrorCode (0.10s)
=== RUN   TestAudienceValidation
=== RUN   TestAudienceValidation/config:_default,_JWT:_default
=== RUN   TestAudienceValidation/config:_default,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_a
=== RUN   TestAudienceValidation/config:_a,_JWT:_b
=== RUN   TestAudienceValidation/config:_unset,_JWT:_default
=== RUN   TestAudienceValidation/config:_unset,_JWT:_a
--- PASS: TestAudienceValidation (0.61s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_default (0.10s)
    --- PASS: TestAudienceValidation/config:_default,_JWT:_a (0.09s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_a (0.11s)
    --- PASS: TestAudienceValidation/config:_a,_JWT:_b (0.09s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_default (0.09s)
    --- PASS: TestAudienceValidation/config:_unset,_JWT:_a (0.10s)
PASS
ok      github.com/hashicorp/vault-plugin-auth-kubernetes/integrationtest   2.077s

[ ] Backwards compatible
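As an added illustration (not code from this PR or the plugin), the following shows how a namespace label selector, supplied as a JSON LabelSelector object the way the role field described above accepts it, can be evaluated against a namespace's labels. `Selector`, `Matches` and `NamespaceAllowed` are hypothetical stand-ins written with only the standard library rather than the Kubernetes apimachinery types, and the role's existing explicit bound_service_account_namespaces list is left out so the block stays focused on the selector.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Selector mirrors a Kubernetes metav1.LabelSelector as JSON (a stdlib stand-in
// for this example); encoding/json matches its camelCase keys case-insensitively.
type Selector struct {
	MatchLabels      map[string]string
	MatchExpressions []struct {
		Key, Operator string // Operator: In, NotIn, Exists, DoesNotExist
		Values        []string
	}
}

// Matches applies Kubernetes semantics: entries are ANDed; NotIn/DoesNotExist accept an absent key.
func (s Selector) Matches(labels map[string]string) (bool, error) {
	for k, v := range s.MatchLabels {
		if got, present := labels[k]; !present || got != v {
			return false, nil
		}
	}
	for _, r := range s.MatchExpressions {
		val, present := labels[r.Key]
		inSet := false
		for _, v := range r.Values {
			inSet = inSet || v == val
		}
		switch ok, known := map[string]bool{"In": present && inSet, "NotIn": !present || !inSet,
			"Exists": present, "DoesNotExist": !present}[r.Operator]; {
		case !known: // surface a mistyped operator instead of silently denying
			return false, fmt.Errorf("unsupported operator %q", r.Operator)
		case !ok:
			return false, nil
		}
	}
	return true, nil
}

// NamespaceAllowed (hypothetical, not the plugin's code) parses the role's JSON selector and checks the client namespace's labels.
func NamespaceAllowed(selectorJSON string, nsLabels map[string]string) (bool, error) {
	var sel Selector
	if err := json.Unmarshal([]byte(selectorJSON), &sel); err != nil {
		return false, fmt.Errorf("invalid namespace selector: %w", err) // fail closed
	}
	return sel.Matches(nsLabels)
}
```

Note that an empty selector (`{}`) matches every namespace, exactly as in Kubernetes, so a role should never rely on an empty selector as a restriction.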

thyton commented 7 months ago

@benashz @tomhjp I appreciate the detailed first pass! I've addressed/followed up with all comments. It's ready for the next review whenever you have a chance.

mbenson commented 6 months ago

When are we likely to see a new release incorporating this change?