Audience support for k8 auth
Is your feature request related to a problem? Please describe.
When binding a k8 service account to a policy, there is no support for bound_audience like there is for GCE or JWT.
- GCP: https://www.vaultproject.io/docs/auth/gcp.html
- JWT: https://www.vaultproject.io/docs/auth/jwt.html
As a result, storing secrets in vault authenticated with service accounts is no safer than storing secrets in k8s secrets (since vault verifies the jwt derived from the service account's secret).
Describe the solution you'd like
Support for a bound_audience field when creating a binding for a new service account.
Vault should make some efforts to ensure authentication is being done from the correct k8s namespace.
Let me know if I should have posted this on the subproject https://github.com/hashicorp/vault-plugin-auth-kubernetes
I guess this was forgotten when this was implemented, as there is an audience parameter for the Kubernetes authentication that will validate the claim in the JWT (https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#audience).
I have noticed that the Kubernetes authentication does not actually validate the claim in the JWT when setting the audience parameter. I documented this issue in https://github.com/hashicorp/vault-plugin-auth-kubernetes/issues/175.
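To make concrete what the audience check discussed above should do, here is an added example (not Vault's or the plugin's code) of a login validator that rejects a service-account JWT unless its `aud` claim contains the audience bound to the role, alongside the namespace, issuer, signature and expiry checks. It assumes HS256 with a constructed demo key purely so the sample runs offline; real Kubernetes tokens are RS256/ES256 and would be verified against the cluster's keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. Real Kubernetes tokens are RS256/ES256 signed by the API
# server; a real validator uses the cluster's public keys (TokenReview or JWKS).
DEMO_KEY = b"demo-hmac-key-not-a-real-cluster-key"
KUBE_ISSUER = "https://kubernetes.default.svc.cluster.local"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a constructed HS256 JWT with the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def projected_sa_claims(namespace: str, sa: str, audience, ttl: int = 600) -> dict:
    """Claim layout of a Kubernetes projected service-account token (constructed)."""
    now = int(time.time())
    return {"iss": KUBE_ISSUER, "aud": audience, "iat": now, "nbf": now, "exp": now + ttl,
            "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa}},
            "sub": f"system:serviceaccount:{namespace}:{sa}"}

def validate_login(token: str, bound_audience: str, bound_namespaces: set,
                   key: bytes = DEMO_KEY) -> tuple:
    """Return (ok, reason_or_subject). The aud check is the one this issue asks for."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud     # RFC 7519 allows a bare string
    if bound_audience not in aud:
        return False, "audience mismatch"            # minted for some other consumer
    if claims.get("iss") != KUBE_ISSUER:
        return False, "unexpected issuer"
    if claims.get("kubernetes.io", {}).get("namespace") not in bound_namespaces:
        return False, "namespace not bound to role"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    return True, claims["sub"]
```

A legacy secret-derived token carries no `aud` at all, so with this check in place it can no longer log in to a role bound to the `vault` audience.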
Ah okay, sorry, I didn't check the code, as it sounded like a feature request and I saw the audience parameter in the API docs. I can have a look at this on Friday.
Hi folks! Is this still an issue in newer versions of Vault? Please let me know so I can bubble it up accordingly. Thanks!