jetstack / kube-oidc-proxy

Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
https://jetstack.io
Apache License 2.0
478 stars 92 forks

Support for TokenRequest API #190

Closed mlbiam closed 2 years ago

mlbiam commented 3 years ago

When using impersonation, the ServiceAccount used by the proxy is privileged. Since this ServiceAccount has no expiration, it could be easily used to compromise a cluster if the cluster owner doesn't know that the token has been compromised. The best way to mitigate this vulnerability is to have short lived tokens that if they are leaked, only have a short window to be used against a cluster. Supporting the TokenRequest API in addition to static ServiceAccount tokens would accomplish this.

Supporting TokenRequest, as of now, requires three pieces:

  1. Knowing where the token is mounted
  2. Checking for when the token expires and getting a new one from the mount
  3. Mounting the cluster's CA certificate - It's not mounted right now as part of the TokenRequest mount the way it is for static ServiceAccount tokens.

1 can be a command line interface (i.e. --token-mount-point) as can number 3 (i.e. --cert-mount-point). We implemented this for OpenUnison's impersonation capability and if you'll accept the contribution we'd be happy to contribute the code to do this in kube-oidc-proxy.
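One way to implement the three pieces listed above, as an added example in Go that is not code from kube-oidc-proxy or from OpenUnison. It assumes the two mount paths come from hypothetical `--token-mount-point` and `--cert-mount-point` flags (the default paths in `main` are assumptions, not the project's), reads the projected token from its file, re-reads it before the `exp` claim is reached (the kubelet rewrites the projected file on its own schedule, so a fresh read yields a fresh token), and loads the cluster CA bundle from a separate file. The JWT payload is decoded without signature verification because the proxy holds the token rather than validating it; `MakeUnsignedToken` builds a constructed stand-in token for offline runs.

```go
package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"sync"
	"time"
)

// ProjectedTokenSource caches the token found at the projected-volume path
// (piece 1) and re-reads it shortly before the cached token expires (piece 2).
type ProjectedTokenSource struct {
	Path      string
	Skew      time.Duration    // re-read the mount this long before exp
	Now       func() time.Time // injectable clock, defaults to time.Now
	mu        sync.Mutex
	token     string
	expiresAt time.Time
}

func NewProjectedTokenSource(path string, skew time.Duration) *ProjectedTokenSource {
	return &ProjectedTokenSource{Path: path, Skew: skew, Now: time.Now}
}

// tokenExpiry returns the exp claim of a JWT. The signature is not checked:
// the proxy is the bearer of this token, the API server is its verifier.
func tokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("projected token is not a JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode JWT payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parse JWT claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("projected token has no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// Token returns the cached token while it has more than Skew left; otherwise
// it reads the mount again and refuses a token that is already expired on disk.
func (s *ProjectedTokenSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && s.Now().Before(s.expiresAt.Add(-s.Skew)) {
		return s.token, nil
	}
	raw, err := os.ReadFile(s.Path)
	if err != nil {
		return "", fmt.Errorf("read projected token: %w", err)
	}
	tok := strings.TrimSpace(string(raw))
	exp, err := tokenExpiry(tok)
	if err != nil {
		return "", err
	}
	if !s.Now().Before(exp) {
		return "", errors.New("projected token on disk is already expired; kubelet has not rotated it")
	}
	s.token, s.expiresAt = tok, exp
	return tok, nil
}

// LoadClusterCA reads the CA bundle mounted separately from the token (piece 3).
func LoadClusterCA(path string) (*x509.CertPool, error) {
	pemBytes, err := os.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("read cluster CA: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("cluster CA file contains no PEM certificates")
	}
	return pool, nil
}

// MakeUnsignedToken builds a constructed, unsigned JWT with the given exp claim,
// standing in for a kubelet-issued projected token in offline runs and tests.
func MakeUnsignedToken(exp time.Time) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "none", "typ": "JWT"})
	payload := enc(map[string]any{"exp": exp.Unix(), "sub": "system:serviceaccount:example:proxy"}) // constructed subject
	return header + "." + payload + ".unsigned"
}

func main() {
	// Assumed defaults for the hypothetical --token-mount-point / --cert-mount-point flags.
	src := NewProjectedTokenSource("/var/run/secrets/tokens/token", 5*time.Minute)
	tok, err := src.Token()
	if err != nil {
		fmt.Println("token:", err)
		return
	}
	exp, _ := tokenExpiry(tok)
	fmt.Println("projected token valid until", exp.UTC().Format(time.RFC3339))
	if _, err := LoadClusterCA("/var/run/secrets/ca/ca.crt"); err != nil {
		fmt.Println("ca:", err)
	}
}
```

The skew matters for the same reason the issue gives: a request sent with a token that expires mid-flight fails, so the source refreshes a few minutes early; if the file on disk is itself expired, the error surfaces immediately instead of the proxy silently presenting a dead credential to the API server.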

mlbiam commented 2 years ago

nothing special needs to happen on this per https://github.com/TremoloSecurity/kube-oidc-proxy/issues/6