
Set default kubernetes audiences for the service account used in k8s auth additionally to the list of provided audiences

Open andrey-dubnik opened this issue 8 months ago • 2 comments

Hi,

Starting from v1.15.0-beta.1, cert-manager allows providing a custom list of audiences for the service account used in the Kubernetes auth. Having the list provided enables cert-manager to work with a HashiCorp Vault running externally to the k8s cluster (although not seamlessly, as per below).

Vault k8s auth flow looks like this when short-lived k8s tokens are used:

  1. cert-manager issues a client token on behalf of the SA with the audiences provided (when this happens, the default k8s audiences are not attached to the token; only the provided audiences are)
  2. Vault receives the client token and uses the same client token to call back the k8s API controller to validate the token

The above flow poses a challenge for cert-manager users, as they must supply an audience expected by the Kubernetes API controller through a callback with the list of service account audiences used in Kubernetes authentication. If they fail to do so, Vault will return a 403 error because the Kubernetes API controller will reject the callback from Vault.

An additional challenge is how the cloud providers configure the clusters: it is not a consistent approach across the cloud providers, and someone can always build their own k8s cluster and pick some custom audience.

Cloud provider examples are:

  • EKS has https://kubernetes.default.svc as the audience
  • AKS has a list of possible audiences: the control plane host name audience, the OIDC issuer

More details on the matter are in #6150

I can't find any k8s API which provides the set of default audiences, as this seems to be admin node config. One of the ways to get the default audiences is to extract them from an SA token, as in the sample below:

# Decode the payload (second segment) of a JWT. Service account tokens use
# base64url without padding, so map the URL-safe alphabet back to standard
# base64 before jq's @base64d (jq copes with the missing padding itself).
function jwt_decode(){
    jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson' <<< "$1"
}

kubectl create serviceaccount test-sa

# No --audience is passed, so .aud shows the cluster's default audiences
jwt_decode "$(kubectl create token test-sa)" | jq -r '.aud'

kubectl delete serviceaccount test-sa

Does it make sense to add the default k8s audiences to the on-behalf token requested by cert-manager, as this would make the users' lives a bit easier?

/kind feature

andrey-dubnik, May 29 '24 15:05
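The check described in the issue, as an added example that is not part of the issue or of cert-manager's code: it reads the `aud` claim from a service account token the same way the jq one-liner above does, tests whether the audiences an issuer would request overlap with the cluster's defaults (the condition under which Vault's TokenReview callback succeeds, per the flow described above), and builds the merged list the issue proposes. The sample token is constructed inline and unsigned; the function names and the audience values other than https://kubernetes.default.svc are assumptions.

```python
import base64
import json


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    # Constructed test token for offline use only: "alg": "none" and an empty
    # signature are never acceptable for a real token; it only lets us inspect claims.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_audiences(jwt):
    # Same idea as the jq snippet: split on ".", decode the second segment, read .aud.
    # This inspects a token we already hold; it does not verify the signature.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    # RFC 7519 allows "aud" to be a single string or a list; normalise to a list.
    return [aud] if isinstance(aud, str) else list(aud)


def callback_compatible(default_audiences, issuer_audiences):
    # The API server accepts the token on Vault's TokenReview callback only if at
    # least one audience in the token is one the cluster itself issues by default.
    return bool(set(default_audiences) & set(issuer_audiences))


def merged_audiences(default_audiences, issuer_audiences):
    # What the issue proposes: keep the user's audiences and append the cluster
    # defaults, de-duplicated and in a stable order.
    seen = []
    for aud in list(issuer_audiences) + list(default_audiences):
        if aud not in seen:
            seen.append(aud)
    return seen


# Constructed sample: what `kubectl create token test-sa` yields on an EKS-like
# cluster whose only default audience is https://kubernetes.default.svc.
SAMPLE_DEFAULT_TOKEN = make_unsigned_jwt({
    "aud": ["https://kubernetes.default.svc"],
    "sub": "system:serviceaccount:default:test-sa",
})

# Assumed: the issuer was configured with only a Vault-specific audience.
ISSUER_AUDIENCES = ["vault"]


if __name__ == "__main__":
    defaults = token_audiences(SAMPLE_DEFAULT_TOKEN)
    print("cluster default audiences:", defaults)
    print("issuer audiences callback-compatible:",
          callback_compatible(defaults, ISSUER_AUDIENCES))
    print("audiences to request instead:", merged_audiences(defaults, ISSUER_AUDIENCES))
```

Run it against a real cluster by replacing `SAMPLE_DEFAULT_TOKEN` with the output of `kubectl create token test-sa`; if `callback_compatible` is false for the audiences in your issuer, the 403 from Vault described above is the expected outcome until the default audience is added.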