k8s-spiffe-workload-jwt-exec-auth

A Kubernetes client-go exec credential plugin that uses the SPIFFE Workload API to obtain JWT-SVIDs and presents them as bearer tokens for authenticating to the API server.

Building

go build .

This produces the plugin binary in the current directory. Install it on the PATH of the user who runs kubectl, since the kubeconfig below refers to it by name.

Usage

Set up authentication on the Kubernetes cluster

We recommend the Structured Authentication Configuration mechanism, as documented here: https://kubernetes.io/blog/2024/04/25/structured-authentication-moves-to-beta/

The API server fetches the issuer's signing keys through OIDC discovery, so the issuer url must be served by a spiffe-oidc-discovery-provider (or an equivalent that publishes the trust domain's JWT-SVID signing keys) and must be reachable over HTTPS from every API server.

As an example:

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    # Update to point at your spiffe-oidc-discovery-provider
    url: https://oidc-discovery.example.org
    # Must include the audience the plugin requests (SPIFFE_JWT_AUDIENCE in the kubeconfig below)
    audiences:
    - k8s
  claimMappings:
    username:
      # The sub claim of a JWT-SVID is the workload's SPIFFE ID
      claim: "sub"
      prefix: ""

With this mapping and an empty prefix, the Kubernetes username is the SPIFFE ID itself (spiffe://<trust-domain>/...), so RBAC subjects must name that full ID. A token whose aud claim does not contain one of the listed audiences is rejected, which is what stops a JWT-SVID minted for some other service from being replayed against the API server.

Kubeconfig file

Start with a copy of your Kubernetes cluster's /etc/kubernetes/admin.conf file.

Remove the "user" block from the "users" section (it carries the embedded admin client certificate and key, which must not remain in the new file) and replace it with:

  user:
    exec:
      apiVersion: "client.authentication.k8s.io/v1"
      command: "k8s-spiffe-workload-jwt-exec-auth"
      # Required for the v1 exec API; this plugin never prompts the user
      interactiveMode: Never
      # To customize, uncomment and change the settings below
      # (exec env entries are a list of name/value pairs)
      #env:
      #- name: SPIFFE_ENDPOINT_SOCKET
      #  value: "unix:///tmp/spire-agent/public/api.sock"
      #- name: SPIFFE_JWT_AUDIENCE
      #  value: "k8s"

A bare command name like this is looked up on the PATH of the user running kubectl; alternatively give the binary's absolute path. SPIFFE_ENDPOINT_SOCKET must point at the Workload API socket of the SPIRE agent on the machine where kubectl runs; any local process that can open that socket can obtain the same SVIDs, so keep its permissions tight. SPIFFE_JWT_AUDIENCE must be one of the audiences listed in the AuthenticationConfiguration. To confirm the mapping, run kubectl with the new kubeconfig and its "auth whoami" subcommand: the reported username should be the workload's SPIFFE ID.
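As an added example (not the project's own code), the following standalone Go program shows the two halves the setup above depends on: the ExecCredential document kubectl expects on the plugin's stdout, and the claims the API server checks against the AuthenticationConfiguration (aud against audiences, sub as the username, exp for validity). It uses only the standard library and a constructed, unsigned token in place of a real JWT-SVID so that it runs offline; the trust domain example.org, the SPIFFE ID and the audience "k8s" are assumptions. The real plugin obtains the token from the Workload API (for example via go-spiffe's workloadapi.FetchJWTSVID), which this example deliberately does not call.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// ExecCredential is the document an exec plugin writes to stdout for kubectl
// (apiVersion client.authentication.k8s.io/v1, matching the kubeconfig above).
type ExecCredential struct {
	APIVersion string               `json:"apiVersion"`
	Kind       string               `json:"kind"`
	Status     ExecCredentialStatus `json:"status"`
}

type ExecCredentialStatus struct {
	Token               string `json:"token"`
	ExpirationTimestamp string `json:"expirationTimestamp,omitempty"`
}

// audience handles both shapes RFC 7519 allows for "aud": a string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = audience(many)
	return nil
}

// JWTSVIDClaims are the claims the API server's claimMappings act on:
// sub (the SPIFFE ID) becomes the username, aud is matched against audiences.
type JWTSVIDClaims struct {
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// DecodeClaims reads the payload of a compact JWS. It deliberately does NOT
// verify the signature: that is the API server's job, using the JWKS it fetches
// from the issuer URL. Use this only to inspect what a plugin handed out.
func DecodeClaims(token string) (*JWTSVIDClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var c JWTSVIDClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return &c, nil
}

// CheckClaims applies the same expectations as the AuthenticationConfiguration
// above: the token must carry the configured audience, its subject must be a
// SPIFFE ID in the expected trust domain, and it must not have expired.
func CheckClaims(c *JWTSVIDClaims, wantAudience, trustDomain string, now time.Time) error {
	found := false
	for _, a := range c.Audience {
		if a == wantAudience {
			found = true
			break
		}
	}
	if !found {
		return fmt.Errorf("aud %v does not contain %q", []string(c.Audience), wantAudience)
	}
	if !strings.HasPrefix(c.Subject, "spiffe://"+trustDomain+"/") {
		return fmt.Errorf("sub %q is not a SPIFFE ID in trust domain %q", c.Subject, trustDomain)
	}
	if exp := time.Unix(c.Expiry, 0); !now.Before(exp) {
		return fmt.Errorf("token expired at %s", exp.UTC().Format(time.RFC3339))
	}
	return nil
}

// BuildExecCredential wraps a bearer token for kubectl. expirationTimestamp lets
// kubectl re-run the plugin when the SVID expires instead of sending a stale token.
func BuildExecCredential(token string, expiry time.Time) ([]byte, error) {
	return json.Marshal(ExecCredential{
		APIVersion: "client.authentication.k8s.io/v1",
		Kind:       "ExecCredential",
		Status:     ExecCredentialStatus{Token: token, ExpirationTimestamp: expiry.UTC().Format(time.RFC3339)},
	})
}

// sampleToken builds a constructed, UNSIGNED token with JWT-SVID-shaped claims so
// the example runs offline; a real JWT-SVID is signed by the SPIRE server's key.
func sampleToken(sub string, aud []string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "ES256", "typ": "JWT"}
	claims := map[string]interface{}{"sub": sub, "aud": aud, "exp": exp.Unix()}
	return enc(header) + "." + enc(claims) + ".unsigned"
}

func main() {
	// The real plugin gets this token from the Workload API; the sample stands in for it.
	exp := time.Now().Add(5 * time.Minute)
	token := sampleToken("spiffe://example.org/ns/default/sa/admin", []string{"k8s"}, exp)
	claims, err := DecodeClaims(token)
	if err == nil {
		err = CheckClaims(claims, "k8s", "example.org", time.Now())
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "token does not satisfy the API server config:", err)
		os.Exit(1)
	}
	out, _ := BuildExecCredential(token, exp)
	os.Stdout.Write(append(out, '\n'))
}
```

Running it prints the ExecCredential JSON kubectl would consume. To check a real deployment, feed the token from the plugin's actual output to DecodeClaims and CheckClaims with your trust domain and audience; a mismatch there is the usual cause of an "Unauthorized" from the API server.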
