Dynamically retrieve the cluster audiences #49796
Conversation
hugoShaka
force-pushed
the
hugo/fix-kube-default-audience
branch
from
9a28938 to
6443509
Compare
|
Cut a v18 test build and this fixes the issue: |
lib/kube/token/validator.go
Outdated
| return nil, trace.Wrap(err, "reviewing token and retrieving audience") | ||
| } | ||
|
|
||
| return reviewResult.Status.Audiences, nil |
There was a problem hiding this comment.
The API docs for status.audiences mention
a TokenReview returns an empty status.audience field where status.authenticated is "true", the token is valid against the audience of the Kubernetes API server.
Can we be reasonably sure that all supported kube api servers will actually populate the field?
There was a problem hiding this comment.
If Kubernetes doesn't guarantee that the audiences field is always defined, we should prioritize parsing the JWT token directly, as this ensures we know the field is set. My concern is that, since the documentation doesn't mandate it, there might have been a version in the past that didn't include the audiences field, or a future version might omit it. To safeguard against this, we should handle the token by unmarshaling it ourselves.
You can use jwt/v4 package for that
import "github.com/golang-jwt/jwt/v4"
...
p := jwt.NewParser()
claims := &jwt.RegisteredClaims{}
_, _, err := p.ParseUnverified(token, claims)
if err != nil {
panic(err.Error())
}
fmt.Println(claims.Audiences)
}
There was a problem hiding this comment.
(there is a (go-jose/v3/*jwt.JSONWebToken).UnsafeClaimsWithoutVerification method fyi)
There was a problem hiding this comment.
I changed to parsing our own token without validating. The missing audience thing is for legacy Kubernetes tokens (which are in theory still supported, but we do reject them for kube >= 1.21).
So basically:
- if there's an audience on our token we know this is a modern kube and can set the audience
- if there are no audience on our token, this is an old kube and we do the review without specifying audience, as we were doing before
public-teleport-github-review-bot
bot
removed request for
strideynet,
camscale and
rosstimothy
|
@hugoShaka See the table below for backport results.
|
Fixes #49756
I introduced a bug in #49528 by using a standard hardcoded audience for in-cluster joining. This PR makes Teleport detect the audience by looking at its own token.
Not every cluster is using
kubernetes.default.svcas the default audience, some are usingkubernetes.default.svc.cluster.localor custom values.Changelog: Fix a bug breaking in-cluster joining on some Kubernetes clusters.