Allow create dynamic tokens with TTL for the SA used for SSO+RBAC #13884

Open
keymon opened this issue Nov 8, 2024 · 0 comments
Comments

keymon commented Nov 8, 2024

Summary

A security review in our project flagged the static secret created for SSO.

When setting up SSO, we read a static token of a Service Account, with no TTL.

```go
// Current behaviour: look up the long-lived token secret of the service
// account and use its contents as the bearer token (no expiry, no audience).
func (s *gatekeeper) authorizationForServiceAccount(ctx context.Context, serviceAccount *corev1.ServiceAccount) (string, error) {
	secretName := secrets.TokenNameForServiceAccount(serviceAccount)
	secret, err := s.cache.GetSecret(ctx, serviceAccount.GetNamespace(), secretName)
	if err != nil {
		return "", fmt.Errorf("failed to get service account secret: %w", err)
	}
	return "Bearer " + string(secret.Data["token"]), nil
}
```

But ideally, we should instead use corev1.TokenRequestSpec.

I think something like

```go
// Proposed: request a short-lived, audience-bound token through the
// TokenRequest API instead of reading a static secret. TokenRequest and
// TokenRequestSpec live in k8s.io/api/authentication/v1 (authenticationv1),
// not in corev1; s.k8sClient is assumed to be a kubernetes.Interface.
func (s *gatekeeper) authorizationForServiceAccount(ctx context.Context, serviceAccount *corev1.ServiceAccount) (string, error) {
	// Define the token TTL
	tokenTTL := int64(3600) // 1 hour

	// Create the TokenRequest API client
	tokenRequestClient := s.k8sClient.CoreV1().ServiceAccounts(serviceAccount.Namespace)

	// Create a TokenRequest object
	tokenRequest := &authenticationv1.TokenRequest{
		Spec: authenticationv1.TokenRequestSpec{
			Audiences:         []string{"https://kubernetes.default.svc/"}, // Adjust based on your use case
			ExpirationSeconds: &tokenTTL,
		},
	}

	// Request the token
	tokenResponse, err := tokenRequestClient.CreateToken(ctx, serviceAccount.Name, tokenRequest, metav1.CreateOptions{})
	if err != nil {
		return "", fmt.Errorf("failed to request service account token: %w", err)
	}
	// The issued token and its actual expiry are in Status; the API server
	// may grant a shorter validity than requested, so callers should read
	// tokenResponse.Status.ExpirationTimestamp rather than assume tokenTTL.
	return "Bearer " + tokenResponse.Status.Token, nil
}
```

## Use Cases

When using SSO with RBAC, this avoids creating a static secret.

---
**Message from the maintainers**:

Love this feature request? Give it a 👍. We prioritise the proposals with the most 👍.

@keymon keymon added the type/feature Feature request label Nov 8, 2024
@keymon keymon changed the title Allow create dynamic tokens with TTL for SSO Allow create dynamic tokens with TTL for the SA used for SSO+RBAC Nov 8, 2024
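Once the token carries a TTL, the gatekeeper also needs to refresh it before it expires instead of reading it once. The following is an added example, not code from this issue or from Argo Workflows: a stdlib-only Go sketch of that refresh logic. The `TokenIssuer` interface, `ServiceAccountTokenCache`, `fakeIssuer` and the `argo-server` audience are assumptions standing in for the client-go `CreateToken` call, so it runs offline; the cache keys tokens per service account, trusts the issuer-reported expiry rather than the requested TTL, and re-requests a token inside a refresh margin before that expiry.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// minTokenTTL mirrors the API server's validation of ExpirationSeconds,
// which rejects TokenRequests shorter than 10 minutes.
const minTokenTTL = 10 * time.Minute

// TokenIssuer is a hypothetical abstraction over the TokenRequest call. With
// client-go it would wrap
//   clientset.CoreV1().ServiceAccounts(namespace).CreateToken(ctx, name, &authenticationv1.TokenRequest{...}, metav1.CreateOptions{})
// and return Status.Token together with Status.ExpirationTimestamp.
type TokenIssuer interface {
	IssueToken(ctx context.Context, namespace, name string, audiences []string, ttl time.Duration) (token string, expiresAt time.Time, err error)
}

type cachedToken struct {
	token     string
	expiresAt time.Time
}

// ServiceAccountTokenCache replaces the static-secret lookup: it requests a
// short-lived, audience-bound token per service account and re-requests it
// shortly before the issuer-reported expiry.
type ServiceAccountTokenCache struct {
	issuer        TokenIssuer
	audiences     []string
	ttl           time.Duration
	refreshMargin time.Duration
	now           func() time.Time // injectable clock, for tests
	mu            sync.Mutex
	entries       map[string]cachedToken
}

func NewServiceAccountTokenCache(issuer TokenIssuer, audiences []string, ttl, refreshMargin time.Duration, now func() time.Time) (*ServiceAccountTokenCache, error) {
	if ttl < minTokenTTL {
		return nil, fmt.Errorf("token TTL %s is below the API server minimum of %s", ttl, minTokenTTL)
	}
	if refreshMargin <= 0 || refreshMargin >= ttl {
		return nil, errors.New("refresh margin must be positive and shorter than the TTL")
	}
	if len(audiences) == 0 {
		return nil, errors.New("at least one audience is required so the token is bound to its consumer")
	}
	if now == nil {
		now = time.Now
	}
	return &ServiceAccountTokenCache{issuer: issuer, audiences: audiences, ttl: ttl, refreshMargin: refreshMargin, now: now, entries: map[string]cachedToken{}}, nil
}

// AuthorizationFor returns the Authorization header value, the same shape the
// existing authorizationForServiceAccount produces.
func (c *ServiceAccountTokenCache) AuthorizationFor(ctx context.Context, namespace, name string) (string, error) {
	key := namespace + "/" + name
	c.mu.Lock()
	defer c.mu.Unlock()
	// Reuse the cached token only while it stays valid past the refresh margin.
	if e, ok := c.entries[key]; ok && c.now().Add(c.refreshMargin).Before(e.expiresAt) {
		return "Bearer " + e.token, nil
	}
	token, expiresAt, err := c.issuer.IssueToken(ctx, namespace, name, c.audiences, c.ttl)
	if err != nil {
		return "", fmt.Errorf("failed to request token for %s: %w", key, err)
	}
	// Store the issuer's expiry, not the requested TTL: the API server may
	// grant a shorter validity than asked for.
	c.entries[key] = cachedToken{token: token, expiresAt: expiresAt}
	return "Bearer " + token, nil
}

// fakeIssuer is a constructed stand-in for the API server so the example runs
// offline; it numbers the tokens it hands out.
type fakeIssuer struct {
	clock func() time.Time
	calls int
}

func (f *fakeIssuer) IssueToken(_ context.Context, namespace, name string, _ []string, ttl time.Duration) (string, time.Time, error) {
	f.calls++
	return fmt.Sprintf("tok-%s-%s-%d", namespace, name, f.calls), f.clock().Add(ttl), nil
}

func main() {
	issuer := &fakeIssuer{clock: time.Now}
	cache, err := NewServiceAccountTokenCache(issuer, []string{"argo-server"}, time.Hour, 5*time.Minute, time.Now)
	if err != nil {
		panic(err)
	}
	header, err := cache.AuthorizationFor(context.Background(), "argo", "argo-server")
	if err != nil {
		panic(err)
	}
	fmt.Println(header)
}
```

The refresh margin is what keeps a request from going out with a token that expires mid-flight; the audience check in the constructor is there because an audience-bound token presented to a different service is rejected by that service, which limits the blast radius of a leaked token compared with the static secret the issue describes.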