
Kubernetes Native Authentication Method #1827

Merged
merged 12 commits into from
May 18, 2024

Conversation

dangtony98
Collaborator

@dangtony98 dangtony98 commented May 15, 2024

Description 📣

This PR adds the new Kubernetes authentication method to Identities.

With this method, applications in Kubernetes avoid secret zero by not needing to store an additional token to authenticate with Infisical. Instead, they can use their service account credential (JWT token) present in the pod under the /var/run/secrets/kubernetes.io/serviceaccount/token path to prove their identity to Infisical — this works by relaying the JWT token through Infisical to be cross-checked with the Kubernetes API server at the TokenReview API; if successful and certain allow conditions are met, then the entity is considered authenticated and an access token granting access to the Infisical API is returned.

Workflow:

  1. The operator sets up the Kubernetes authentication method in Infisical. As part of the setup, they specify what Allowed Service Account Names and Allowed Namespaces can be trusted. They also specify the Kubernetes Host / Base URL, CA Cert, and long-lived JWT token for Infisical to use to authenticate with the Kubernetes API server.
  2. The operator programs the client application in Kubernetes to retrieve its service account credential (JWT token) at the /var/run/secrets/kubernetes.io/serviceaccount/token path and send it to the /api/v1/auth/kubernetes-auth/login endpoint containing the identityId that they are authenticating as and the jwt as params (in practice this would likely be done via SDK or other client but it can also be done manually).
  3. Infisical forwards the params to the Kubernetes API server at the TokenReview API for verification.
  4. If successful, then Infisical checks the returned identity name and namespace properties against Allowed Service Account Names and Allowed Namespaces defined in step 1.
  5. If successful, then Infisical returns an identity access token (similar to in Universal Auth).

Note 1: The Kubernetes authentication method will require additional engineering work for clients like Infisical Agent and SDKs to support it.

Note 2: The Kubernetes authentication method requires a connection from Infisical to a target Kubernetes API server to verify an application/pod.

Type ✨

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
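
The server-side half of the workflow above (relay the pod's service account JWT to the TokenReview API, then apply the Allowed Namespaces / Allowed Service Account Names conditions), as an added TypeScript example that is not Infisical's own code. The request and response shapes follow the Kubernetes `authentication.k8s.io/v1` TokenReview API; the function and type names, the sample responses and the sample allow-list configuration are constructed for illustration.

```typescript
// Added example (not Infisical's code): TokenReview relay plus allow-list checks
// for the Kubernetes auth method described in the PR. Names are hypothetical.

// Body of POST <host>/apis/authentication.k8s.io/v1/tokenreviews
interface TokenReviewRequest {
  apiVersion: "authentication.k8s.io/v1";
  kind: "TokenReview";
  spec: { token: string };
}

// Subset of a TokenReview response that the check relies on
interface TokenReviewResponse {
  status: {
    authenticated?: boolean;
    error?: string;
    user?: { username: string; uid?: string; groups?: string[] };
  };
}

// Operator-configured allow conditions (step 1 of the workflow)
interface KubernetesAuthConfig {
  allowedNamespaces: string[];          // empty = any namespace
  allowedServiceAccountNames: string[]; // empty = any service account
}

type AuthDecision =
  | { ok: true; namespace: string; name: string }
  | { ok: false; reason: string };

// Build the HTTP call to the cluster (step 3). The operator's long-lived
// reviewer JWT authenticates the call; the pod's JWT is the token under review.
function buildTokenReviewHttpRequest(kubernetesHost: string, reviewerJwt: string, podJwt: string) {
  const body: TokenReviewRequest = {
    apiVersion: "authentication.k8s.io/v1",
    kind: "TokenReview",
    spec: { token: podJwt },
  };
  return {
    method: "POST" as const,
    url: `${kubernetesHost.replace(/\/+$/, "")}/apis/authentication.k8s.io/v1/tokenreviews`,
    headers: { Authorization: `Bearer ${reviewerJwt}`, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Service account principals are reported as "system:serviceaccount:<namespace>:<name>";
// any other username (node, user, anonymous) is rejected.
function parseServiceAccountUsername(username: string): { namespace: string; name: string } | null {
  const parts = username.split(":");
  if (parts.length !== 4 || parts[0] !== "system" || parts[1] !== "serviceaccount") return null;
  if (parts[2] === "" || parts[3] === "") return null;
  return { namespace: parts[2], name: parts[3] };
}

// Step 4: trust the API server's verdict, then apply the operator's allow lists.
function evaluateTokenReview(review: TokenReviewResponse, cfg: KubernetesAuthConfig): AuthDecision {
  if (review.status.authenticated !== true) {
    return { ok: false, reason: review.status.error ?? "token not authenticated by the API server" };
  }
  const sa = parseServiceAccountUsername(review.status.user?.username ?? "");
  if (sa === null) {
    return { ok: false, reason: "authenticated principal is not a service account" };
  }
  if (cfg.allowedNamespaces.length > 0 && !cfg.allowedNamespaces.includes(sa.namespace)) {
    return { ok: false, reason: `namespace "${sa.namespace}" is not an allowed namespace` };
  }
  if (cfg.allowedServiceAccountNames.length > 0 && !cfg.allowedServiceAccountNames.includes(sa.name)) {
    return { ok: false, reason: `service account "${sa.name}" is not an allowed service account name` };
  }
  return { ok: true, namespace: sa.namespace, name: sa.name };
}

// Constructed sample responses, shaped like what the API server returns.
const SAMPLE_REVIEW_OK: TokenReviewResponse = {
  status: {
    authenticated: true,
    user: {
      username: "system:serviceaccount:payments:api-worker",
      uid: "00000000-0000-0000-0000-000000000001",
      groups: ["system:serviceaccounts", "system:serviceaccounts:payments", "system:authenticated"],
    },
  },
};
const SAMPLE_REVIEW_REJECTED: TokenReviewResponse = {
  status: { authenticated: false, error: "[invalid bearer token]" },
};
// Constructed allow-list configuration for the sample identity
const SAMPLE_CONFIG: KubernetesAuthConfig = {
  allowedNamespaces: ["payments"],
  allowedServiceAccountNames: ["api-worker"],
};

console.log(evaluateTokenReview(SAMPLE_REVIEW_OK, SAMPLE_CONFIG));       // ok: true
console.log(evaluateTokenReview(SAMPLE_REVIEW_REJECTED, SAMPLE_CONFIG)); // ok: false
```

The order of checks matters: the API server's `authenticated` verdict is consulted first, and only a principal that parses as a service account is compared against the allow lists, so a token for a node or user identity is refused even when the lists are empty. The Infisical access token (step 5) would be issued only on an `ok: true` decision.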

@dangtony98 dangtony98 marked this pull request as draft May 15, 2024 04:12
@dangtony98 dangtony98 marked this pull request as ready for review May 15, 2024 05:45
@dangtony98 dangtony98 requested a review from maidul98 May 15, 2024 05:45
maidul98
maidul98 previously approved these changes May 18, 2024
Collaborator

@maidul98 maidul98 left a comment


Looks good to me, made some small changes in the docs. No hard requests.

@dangtony98 dangtony98 closed this May 18, 2024
@dangtony98 dangtony98 reopened this May 18, 2024
@dangtony98 dangtony98 merged commit deefaa0 into main May 18, 2024
7 checks passed