hashicorp / vault-plugin-auth-kubernetes

Vault authentication plugin for Kubernetes Service Accounts
https://www.vaultproject.io/docs/auth/kubernetes.html
Mozilla Public License 2.0

Better support for K8S projected/scoped tokens #65

Closed simonswine closed 5 years ago

simonswine commented 5 years ago

This is a general service account token, which can be used just fine with this plugin. But it also allows access to the Kubernetes API itself.

{
  "iss": "kubernetes/serviceaccount",
  "kubernetes.io/serviceaccount/namespace": "gitlab-runner",
  "kubernetes.io/serviceaccount/secret.name": "christian-simon--test-token-pml6t",
  "kubernetes.io/serviceaccount/service-account.name": "christian-simon--test",
  "kubernetes.io/serviceaccount/service-account.uid": "f101dff5-98b6-11e9-ac8d-42010a8400cb",
  "sub": "system:serviceaccount:gitlab-runner:christian-simon--test"
}

I was trying to set up a projected/scoped token, which can't be used to access the k8s API server and comes with custom audiences. The pod has been created like that:

kind: Pod
apiVersion: v1
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: https://vault.mycorp.net

This is the resulting JWT:

{
  "aud": [
    "https://vault.mycorp.net"
  ],
  "exp": 1561638806,
  "iat": 1561631606,
  "iss": "https://container.googleapis.com/v1/projects/mycorp-gitlab-workers/locations/europe-west1-b/clusters/mycorp-gitlab-workers",
  "kubernetes.io": {
    "namespace": "gitlab-runner",
    "pod": {
      "name": "runner-9fswzwaf-project-382-concurrent-0l99cc",
      "uid": "ff505f37-98c6-11e9-ac8d-42010a8400cb"
    },
    "serviceaccount": {
      "name": "christian-simon--test",
      "uid": "f101dff5-98b6-11e9-ac8d-42010a8400cb"
    }
  },
  "nbf": 1561631606,
  "sub": "system:serviceaccount:gitlab-runner:christian-simon--test"
}

Now trying this token with the auth plugin fails as the issuer is not as expected:

Code: 500. Errors:

* claim "iss" is invalid

I also can't use the JWT auth plugin, because Google's GKE doesn't give me access to the signing keys.

So I am proposing:

Wdyt?

I am more than happy to provide a PR for that.
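
Added example (not the plugin's own code): a Go function that accepts either of the two token layouts shown above, reading the legacy flat `kubernetes.io/serviceaccount/*` claims or the projected token's nested `kubernetes.io` object, and for a projected token requires the configured audience and an unexpired `exp` before trusting the identity. It assumes the JWT signature has already been verified upstream (e.g. via the TokenReview API) and that `wantAud` is a hypothetical per-role setting.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Identity is what the auth method binds a login to: namespace, service account name and UID.
type Identity struct{ Namespace, Name, UID string }

// claims covers both layouts from the issue: the legacy flat "kubernetes.io/serviceaccount/*"
// keys and the projected token's nested "kubernetes.io" object (keys match case-insensitively).
type claims struct {
	Aud        []string `json:"aud"`
	Exp        int64    `json:"exp"`
	LegacyNS   string   `json:"kubernetes.io/serviceaccount/namespace"`
	LegacyName string   `json:"kubernetes.io/serviceaccount/service-account.name"`
	LegacyUID  string   `json:"kubernetes.io/serviceaccount/service-account.uid"`
	K8s        *struct {
		Namespace string
		SA        struct{ Name, UID string } `json:"serviceaccount"`
	} `json:"kubernetes.io"`
}

// ExtractIdentity reads an already signature-verified JWT payload. A projected token must
// list wantAud in aud and be unexpired at now; a legacy token has neither claim.
func ExtractIdentity(payload []byte, wantAud string, now time.Time) (Identity, error) {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Identity{}, err
	}
	if c.K8s == nil { // legacy token: identity lives in the flat claims
		if c.LegacyNS == "" || c.LegacyName == "" {
			return Identity{}, fmt.Errorf("no service account claims in token")
		}
		return Identity{c.LegacyNS, c.LegacyName, c.LegacyUID}, nil
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return Identity{}, fmt.Errorf("aud %v does not include %q", c.Aud, wantAud)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return Identity{}, fmt.Errorf("token expired or has no exp")
	}
	return Identity{c.K8s.Namespace, c.K8s.SA.Name, c.K8s.SA.UID}, nil
}
```

Feeding it the two payloads from this issue yields the same namespace and service account name for both, while a token issued for a different audience, or one checked at or after its `exp`, is rejected.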

malnick commented 5 years ago

Fixed in https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/70, closing out.