Comments (4)
> Is it sufficient to simply not configure a required audience in the Vault k8s auth role for this case?

It works well without an audience configured on the Vault side and no customization in SecretProviderClass.

> requirements/considerations that make that undesirable?

To address this I probably need to dive deeper into the JWT, k8s and Vault auth flows. Until now I considered the audience to be an additional mechanism for distinguishing Vault permissions between applications deployed to the cluster (alongside service account and namespace).
Thanks for raising this. Note there is some relevant previous discussion here: #144 (comment)

I can see how the `https://kubernetes.default.svc/` audience is required, so that the Kubernetes API accepts the token. I don't yet understand the need for the `app` audience. Would you be able to expand on that requirement a bit please?
"app" is just an example of a custom audience in my case. It is configured as the role's required audience on the Vault side.

Thanks.
Thanks, but why is `app` configured as the role's required audience in Vault? Vault's audience config is optional, and Kubernetes' API documentation explains the audience field pretty well:

> Audiences are the intended audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token.

i.e. if you were going to specify any additional audience, I would expect it to be an audience that Vault itself identifies as, not the app. It goes on to say:

> A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.

So I could imagine a case where multiple audiences are desirable for specifying Vault and Kubernetes audiences, and those seem like somewhat reasonable things to have a high degree of trust between. Through this lens I don't see a case to set an app as the audience, because the app and the Kubernetes API operate at very different layers in the application stack, as well as the app not being the intended audience for the token.

That brings me to my question: Is it sufficient to simply not configure a required audience in the Vault k8s auth role for this case? Or are there requirements/considerations that make that undesirable?
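As an added illustration of the audience rule quoted in the thread (this is example code written for this page, not code from vault-csi-provider, Vault or Kubernetes), the Python below models the two checks the discussion turns on: the TokenRequest rule that a recipient must find one of its own identifiers in the token's `aud` list, and Vault's Kubernetes auth role `audience` setting, which the Vault docs describe as optional and which is modelled here as "skip the aud check when unset". The token is constructed in the script and its signature segment is a placeholder; signature verification (which a real verifier must do, for example via the Kubernetes TokenReview API) is deliberately out of scope so the example isolates the audience logic. The recipient identifiers, service account name and function names are assumptions made for the example.

```python
"""Audience checks on a Kubernetes service account token (constructed example).

Models two things from the thread:
  1. TokenRequest API rule: a recipient must identify itself with one of the
     identifiers in the token's `aud` list, otherwise it should reject.
  2. Vault kubernetes auth role `audience`: optional; when it is unset the
     claim is not checked, when set it must appear in `aud`.
Nothing here verifies a signature; that is a separate, mandatory step.
"""
import base64
import json
from typing import Iterable, List, Optional

# Identifiers the Kubernetes API is assumed to accept for itself (assumption
# for this example; the first is the one named in the thread).
KUBE_API_IDENTIFIERS = (
    "https://kubernetes.default.svc/",
    "https://kubernetes.default.svc.cluster.local",
)


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed data)."""
    header = {"alg": "RS256", "kid": "constructed-example"}
    return ".".join((
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"signature-placeholder"),
    ))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def token_audiences(claims: dict) -> List[str]:
    """RFC 7519 allows `aud` to be a single string or a list of strings."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or a list of strings")


def recipient_accepts(claims: dict, recipient_identifiers: Iterable[str]) -> bool:
    """TokenRequest rule: accept only if one of our identifiers is in `aud`."""
    audiences = set(token_audiences(claims))
    return any(ident in audiences for ident in recipient_identifiers)


def vault_role_accepts(claims: dict, role_audience: Optional[str]) -> bool:
    """Model of the Vault role: no `audience` configured means no aud check."""
    if not role_audience:
        return True
    return recipient_accepts(claims, [role_audience])


def audience_matrix() -> dict:
    """The thread's scenario: a token minted for the Kubernetes API plus a
    Vault audience, checked against the API and three role configurations."""
    token = make_constructed_token({
        "iss": "https://kubernetes.default.svc.cluster.local",
        "sub": "system:serviceaccount:default:webapp",  # assumed SA name
        "aud": ["https://kubernetes.default.svc/", "vault"],
        "exp": 1_800_000_000,
    })
    claims = jwt_claims(token)
    return {
        "kube_api": recipient_accepts(claims, KUBE_API_IDENTIFIERS),
        "role_no_audience": vault_role_accepts(claims, None),
        "role_aud_vault": vault_role_accepts(claims, "vault"),
        "role_aud_app": vault_role_accepts(claims, "app"),  # mismatch: rejected
    }


if __name__ == "__main__":
    for check, ok in audience_matrix().items():
        print(f"{check:18s} {'accept' if ok else 'reject'}")
```

Running it shows the point made in the thread: the Kubernetes API and a Vault role whose `audience` is `vault` (or is left unset) all accept the token, while a role that requires `app` rejects it because the app is not among the token's intended recipients. Making `app` an audience would only pass the Vault check by also adding it to the token, which widens the trust between the token's recipients instead of narrowing it.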