
nodePublishSecretRef support for authentication as requesting pod

Open mitsutaka opened this issue 4 years ago • 0 comments

Is your feature request related to a problem? Please describe.
The current implementation requires a ClusterRole to request a ServiceAccount token from the API server. The CSI driver already has an implementation that gets the ServiceAccount token of nodePublishSecretRef through MountRequest. It may not be preferred in some environments for providers to require cluster-wide privileges as a design. It also makes sense to access the API server within secrets-store-csi-driver, and the provider should be simplified. We already understand that each method has pros and cons according to the original discussion.

Describe the solution you'd like
Add an option to read the secret of the MountRequest gRPC call and use its token as the JWT for the Kubernetes auth method.

Describe alternatives you've considered
Kubernetes v1.20+ supports the feature gate CSIServiceAccountToken, which requests a token through the kubelet, and it is considered to be the standard method for secrets-store-csi-driver. However, this method only exists since v1.20, and we are discussing the method for users of v1.19 or earlier.

Explain any additional use-cases

Additional context
Original discussion thread: https://github.com/hashicorp/secrets-store-csi-driver-provider-vault/pull/64#discussion_r578274372

mitsutaka Mar 04 '21 06:03
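The flow proposed in the issue, as an added Go example that is not the provider's own code: parse the JSON `secrets` field of the provider MountRequest (the CSI driver fills it from the volume's nodePublishSecretRef), take the service account JWT out of it, and exchange that JWT for a Vault client token through the Kubernetes auth method, so the provider needs no cluster-wide permission of its own. The auth mount path, role name and token strings are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// ServiceAccountTokenFromMountSecrets parses the JSON "secrets" field of the provider
// MountRequest and returns its "token" entry, the key a service account token Secret uses.
func ServiceAccountTokenFromMountSecrets(secretsJSON string) (string, error) {
	var secrets map[string]string
	if err := json.Unmarshal([]byte(secretsJSON), &secrets); err != nil {
		return "", fmt.Errorf("parsing MountRequest secrets: %w", err)
	}
	if secrets["token"] == "" {
		return "", errors.New(`nodePublishSecretRef secret has no non-empty "token" key`)
	}
	return secrets["token"], nil
}

// KubernetesLoginBody is the JSON body Vault's Kubernetes auth login endpoint expects.
func KubernetesLoginBody(role, jwt string) ([]byte, error) {
	return json.Marshal(map[string]string{"role": role, "jwt": jwt})
}

// LoginWithPodToken posts the pod's JWT to /v1/auth/<authMount>/login and returns the
// Vault client token, so the provider never mints service account tokens itself.
func LoginWithPodToken(client *http.Client, vaultAddr, authMount, role, jwt string) (string, error) {
	body, err := KubernetesLoginBody(role, jwt)
	if err != nil {
		return "", err
	}
	resp, err := client.Post(vaultAddr+"/v1/auth/"+authMount+"/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", fmt.Errorf("vault login request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault login failed: HTTP %d", resp.StatusCode)
	}
	var out struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Auth.ClientToken == "" {
		return "", fmt.Errorf("vault login response carried no client_token (decode error: %v)", err)
	}
	return out.Auth.ClientToken, nil
}
```

Vault still validates the JWT against the cluster (TokenReview or the configured issuer keys), so a rejected or missing token surfaces as a non-200 login rather than a silently empty mount.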