Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use audience-scoped access token #715

Open
EronWright opened this issue Oct 12, 2024 · 1 comment
Open

Use audience-scoped access token #715

EronWright opened this issue Oct 12, 2024 · 1 comment
Labels
impact/security kind/task Work that's part of an ongoing epic

Comments

@EronWright
Copy link
Contributor

EronWright commented Oct 12, 2024
edited
Loading

The operator transmits its own service account token to the workspace pod for authentication purposes. There is a risk of privilege elevation if the workspace pod were to capture the token and use it to impersonate the operator for arbitrary API Server interactions.

Kubernetes has a feature to prevent this: audience-scoped tokens. Rather than using the default token, the operator should call the TokenRequest API to get a token with a workspace-specific audience (e.g. the service endpoint). The token then has a specific workspace as its audience, and is useless for any other purpose. The TokenReview API validates such tokens as normal. On the agent side, one attaches the expected audience to the context when calling AuthenticateToken:

import "k8s.io/apiserver/pkg/authentication/authenticator"
...
ctx = authenticator.WithAudiences(ctx, []string{"http://my-audience"})
res, ok, err := a.authn.AuthenticateToken(ctx, token)

See also: https://adil.medium.com/how-to-use-tokenrequest-api-and-tokenvolume-projection-in-kubernetes-f007135b9994
@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Oct 12, 2024
@cleverguy25
Copy link

Added to epic #586

@cleverguy25 cleverguy25 mentioned this issue Oct 12, 2024
Open
5 tasks
@EronWright EronWright added kind/task Work that's part of an ongoing epic impact/security labels Oct 12, 2024
@rquitales rquitales removed the needs-triage Needs attention from the triage team label Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
impact/security kind/task Work that's part of an ongoing epic
Projects
Pulumi Kubernetes Operator v2
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@EronWright @cleverguy25 @rquitales @pulumi-bot