pulumi / pulumi-kubernetes-operator

A Kubernetes Operator that automates the deployment of Pulumi Stacks
Apache License 2.0

Use audience-scoped access token #715

Open EronWright opened 2 days ago

EronWright commented 2 days ago

The operator transmits its own service account token to the workspace pod for authentication purposes. There is a risk of privilege elevation if the workspace pod were to capture the token and use it to impersonate the operator for arbitrary API Server interactions.

Kubernetes has a feature to prevent this: audience-scoped tokens. Rather than using the default token, the operator should call the TokenRequest API to get a token with a workspace-specific audience (e.g. the service endpoint). The token then has a specific workspace as its audience, and is useless for any other purpose. The TokenReview API validates such tokens as normal. On the agent side, one attaches the expected audience to the context when calling AuthenticateToken:

```go
import "k8s.io/apiserver/pkg/authentication/authenticator"
...
// Only a token minted for this audience is accepted; any other token fails validation.
ctx = authenticator.WithAudiences(ctx, []string{"http://my-audience"})
res, ok, err := a.authn.AuthenticateToken(ctx, token)
```

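The audience rule described in the comment above, as an added example that is not part of the operator's code or of this thread: a standard-library-only Go program that decodes the `aud` claim of a JWT-shaped token and applies the same decision a TokenReview makes when `spec.audiences` is set (authenticated only if the token's audiences and the caller's expected audiences overlap). The tokens, the workspace audience URLs and the subject names are constructed for the demo and unsigned; in a cluster the API server verifies the signature and you read the result from the TokenReview status rather than decoding the token yourself.

```go
// Added example, not operator code: mirrors the audience check a TokenReview
// performs on an audience-scoped service account token. Tokens here are
// constructed, unsigned JWT-shaped strings; real tokens are signed by the
// API server and must be validated through TokenReview, not parsed locally.
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audienceClaim decodes the "aud" claim of a JWT-shaped token. RFC 7519 allows
// either a single string or an array of strings, so both forms are accepted.
func audienceClaim(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if len(claims.Aud) == 0 {
		return nil, nil // token carries no aud claim at all
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		return []string{single}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, fmt.Errorf("aud claim is neither string nor array: %w", err)
	}
	return many, nil
}

// matchAudiences is the TokenReview rule: the token counts as authenticated
// for this caller only if at least one audience it was minted for is among
// the audiences the caller expects; status.audiences reports the overlap.
func matchAudiences(tokenAud, expected []string) []string {
	want := make(map[string]bool, len(expected))
	for _, a := range expected {
		want[a] = true
	}
	var matched []string
	for _, a := range tokenAud {
		if want[a] {
			matched = append(matched, a)
		}
	}
	return matched
}

// acceptToken is the check the workspace agent performs: read the audience,
// intersect it with the audience the agent expects, reject on no overlap.
func acceptToken(token string, expected []string) (bool, error) {
	aud, err := audienceClaim(token)
	if err != nil {
		return false, err
	}
	return len(matchAudiences(aud, expected)) > 0, nil
}

// unsignedToken builds a constructed, unsigned JWT-shaped string for the demo.
func unsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "."
}

func main() {
	wsA := "https://workspace-a.default.svc" // assumed workspace audience
	wsB := "https://workspace-b.default.svc"
	api := "https://kubernetes.default.svc" // API server's default audience
	sub := "system:serviceaccount:pulumi-system:operator" // constructed subject
	scoped := unsignedToken(map[string]any{"sub": sub, "aud": []string{wsA}})
	legacy := unsignedToken(map[string]any{"sub": sub, "aud": api})
	cases := []struct{ name, token, aud string }{
		{"scoped token at its own workspace", scoped, wsA},
		{"scoped token replayed at another workspace", scoped, wsB},
		{"scoped token replayed against the API server", scoped, api},
		{"default token against the API server", legacy, api},
	}
	for _, c := range cases {
		ok, err := acceptToken(c.token, []string{c.aud})
		fmt.Printf("%-48s accepted=%v err=%v\n", c.name, ok, err)
	}
}
```

The third case is the privilege-elevation path the issue describes: a token whose only audience is the workspace endpoint is rejected when presented to the API server, whereas the default token (last case) is accepted there, which is why the default token should not leave the operator. To inspect what a real audience-scoped token carries, mint one with `kubectl create token <serviceaccount> --audience=<workspace-url>` and decode its payload segment as `audienceClaim` does.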
cleverguy25 commented 2 days ago

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586