amazon-eks-pod-identity-webhook

make MinTokenExpiration configurable by cli flag

Open everpeace opened this issue 3 years ago • 4 comments

Issue #, if available: https://github.com/aws/amazon-eks-pod-identity-webhook/issues/155

Description of changes:

  • Changed MinTokenExpiration from const to var
  • Introduced a cli flag --min-token-expiration to configure MinTokenExpiration with validation (it must be at least 10 min).

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

everpeace avatar Jun 10 '22 04:06 everpeace

@micahhausler any reason why MinimumTokenExpiration was set to a constant?

@everpeace can you elaborate on the use case that a configurable minimum token expiration value is providing?

jaypipes avatar Jun 10 '22 09:06 jaypipes

I want to make k8s SA tokens refresh in roughly the same frequency as the default AWS session expiration.

If we assume a security breach scenario, a k8s token with a longer expiration gives attackers more chances to impersonate. AWS sessions can be revoked in a timely manner in the AWS management console, but revoking k8s SA tokens in a timely manner is relatively difficult because the cluster operator must rotate the signing key of SA tokens, especially in on-premise cluster cases.

Thus, I think making the value configurable allows users to control their security risk themselves.

What do you think?

everpeace avatar Jun 10 '22 11:06 everpeace

@jaypipes @micahhausler could you check my PR again?

everpeace avatar Oct 17 '22 10:10 everpeace

Hey sorry, I have no objection to adding this flag. I'd rather see a value plumbed down than a global variable.

micahhausler avatar Jan 26 '24 21:01 micahhausler
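As an added example (not the PR's own code), here is how the `--min-token-expiration` flag and its 10 minute validation from the description could be plumbed down through a config struct instead of a global variable, as micahhausler asked for. The flag name and the 10 minute floor come from the PR text; the 10 minute default, the `Config`, `ParseConfig` and `EffectiveExpiration` names, and the clamp-to-minimum behaviour are assumptions of this example.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"time"
)

// hardMinTokenExpiration is the floor the flag may not go below.
// The PR says the flag is validated to be at least 10 minutes; the
// constant name is this example's own.
const hardMinTokenExpiration = 10 * time.Minute

// Config carries the validated setting down to the handler instead of
// a package-level variable (the maintainer's preference in the thread).
type Config struct {
	MinTokenExpiration time.Duration
}

// ParseConfig parses e.g. "--min-token-expiration=1h" and rejects
// values below the 10 minute floor. The 10 minute default is assumed.
func ParseConfig(args []string) (Config, error) {
	fs := flag.NewFlagSet("pod-identity-webhook", flag.ContinueOnError)
	minExp := fs.Duration("min-token-expiration", hardMinTokenExpiration,
		"minimum lifetime of projected service account tokens")
	if err := fs.Parse(args); err != nil {
		return Config{}, err
	}
	if *minExp < hardMinTokenExpiration {
		return Config{}, fmt.Errorf("--min-token-expiration must be at least %s, got %s",
			hardMinTokenExpiration, *minExp)
	}
	return Config{MinTokenExpiration: *minExp}, nil
}

// EffectiveExpiration returns the token lifetime to request for a pod
// that asked for `requested`, never shorter than the configured minimum.
// Raising too-short requests to the minimum is an assumption here.
func (c Config) EffectiveExpiration(requested time.Duration) time.Duration {
	if requested < c.MinTokenExpiration {
		return c.MinTokenExpiration
	}
	return requested
}

func main() {
	cfg, err := ParseConfig(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("min token expiration:", cfg.MinTokenExpiration)
}
```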