
allow using pomerium-controller mounted service account for the api server access #1033

Open
wasaga opened this issue Sep 19, 2024 · 2 comments

Comments


wasaga commented Sep 19, 2024

Is your feature request related to a problem? Please describe.

Currently we support referencing an external token from a Secret:

```go
const (
	// KubernetesServiceAccountTokenSecret defines the Secret that holds an external service account token
	KubernetesServiceAccountTokenSecret = "kubernetes_service_account_token_secret"
	// KubernetesServiceAccountTokenSecretKey defines key within the secret that contains token
	KubernetesServiceAccountTokenSecretKey = "token"
	// SetRequestHeadersSecret defines a secret to copy request headers from
)
```

This is no longer a recommended method since Kubernetes 1.22:

Versions of Kubernetes before v1.22 automatically created credentials for accessing the Kubernetes API. This older mechanism was based on creating token Secrets that could then be mounted into running Pods.

In more recent versions, including Kubernetes v1.31, API credentials are obtained directly using the TokenRequest API, and are mounted into Pods using a projected volume. The tokens obtained using this method have bounded lifetimes, and are automatically invalidated when the Pod they are mounted into is deleted.

Although the manual mechanism for creating a long-lived ServiceAccount token exists, using TokenRequest to obtain short-lived API access tokens is recommended instead.

Describe the solution you'd like

Pomerium Ingress Controller already runs with a dedicated service account.
That includes the token and the API server CA.

  1. We can add the required impersonation RBAC to this service account.
  2. We can automatically configure the token to use and CA from the mounted files.



wasaga commented Oct 9, 2024

There were security concerns with granting default service accounts impersonation permissions: https://github.com/pomerium/pomerium-zero/issues/2992


rjbeers commented Oct 21, 2024

This is likely going to be solved by using Structured something something in kubernetes 1.30 that we will implement later.
