Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow custom audience for kubernetes in-cluster joining #49528

Merged
merged 2 commits into from
Nov 28, 2024
Merged

Allow custom audience for kubernetes in-cluster joining #49528

merged 2 commits into from
Nov 28, 2024

Conversation

hugoShaka
Copy link
Contributor

@hugoShaka hugoShaka commented Nov 27, 2024
edited
Loading

This PR removes a common in-cluster joining footgun. Before this PR:

  • kubernetes in-cluster required the default kubernetes audience
  • kubernetes JWKS required a custom audience (the Teleport cluster name)

Many users mistakenly set the cluster name in the audience for in cluster joining, which caused the joining to fail.

After this PR:

  • kubernetes in-cluster accepts the default kubernetes audience AND the teleport cluster name
  • kubenetes JWKS requires the Teleport cluster name in the audience

This change does not reduces the security of the join. method and makes the tbot chart compatible with in-cluster joining.

Changelog: Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience.

Internal slack thread that started this PR: https://gravitational.slack.com/archives/C01TYKHFVTQ/p1732733525308779

timothyb89
timothyb89 approved these changes Nov 28, 2024
View reviewed changes
Copy link
Contributor

@timothyb89 timothyb89 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changelog nit:

Changelog: Kubernetes in-cluster joining now also accepts tkoens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience).

s/tkoens/tokens, I think?

And to clarify part of the description, JWKS joining behavior is unchanged? It looks like this just adds the Teleport cluster name as a valid audience for in-cluster joining?

@hugoShaka hugoShaka enabled auto-merge November 28, 2024 16:08
@hugoShaka hugoShaka mentioned this pull request Nov 28, 2024
Merged
@hugoShaka hugoShaka added this pull request to the merge queue Nov 28, 2024
Merged via the queue into master with commit 53cba46 Nov 28, 2024
40 checks passed
@hugoShaka hugoShaka deleted the hugo/kube-in-cluster-join-allow-clustername-audience branch November 28, 2024 16:44
@public-teleport-github-review-bot
Copy link

@hugoShaka See the table below for backport results.

Branch Result
branch/v15 Create PR
branch/v16 Create PR
branch/v17 Create PR

This was referenced Nov 28, 2024
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tigrato tigrato tigrato approved these changes

@strideynet strideynet strideynet approved these changes

@timothyb89 timothyb89 timothyb89 approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 kubernetes-access size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hugoShaka @timothyb89 @tigrato @strideynet