Bug 1695196 - Document lack of audience support in 4.1
Summary: Document lack of audience support in 4.1
Keywords:
Status: ASSIGNED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 4.1
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: ---
: 4.1.0
Assignee: Christian Huffman
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-04-02 16:12 UTC by David Eads
Modified: 2019-04-05 13:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-04 19:05:02 UTC
Target Upstream Version:



Description David Eads 2019-04-02 16:12:24 UTC
As I understand audiences, I can request a token that has a specific audience, but if the kube-apiserver isn't configured to honor audiences, that token would still be valid for the KAS even if I specified a different audience, and that is unexpected.

Comment 2 Mo 2019-04-04 20:04:53 UTC
Assigning to Christian so we can doc that SA token requests and project volumes with serviceAccountToken mount will not work in 4.1

This is not a security issue in 4.1 as:

1. There is no way to request a SA token with an audience in 4.1
2. The authenticator required to honor said token is not enabled in 4.1
3. The kubelet will error if a serviceAccountToken projected volume is used

Thus, there is no risk that a token with an audience will be issued while the audience restriction is "ignored."
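The concern in the description is that a verifier which does not enforce audiences will accept a token minted for some other audience. The following added example (not code from this bug, OpenShift, or Kubernetes) models that in a few lines: a stand-in issuer mints HS256 JWTs with an `aud` claim, and a verifier either ignores the audience (`expected_audience=None`) or enforces it. The shared `DEMO_KEY`, the issuer name, the `KAS_AUDIENCE` placeholder and the subject strings are all constructed for the demo; the real kube-apiserver authenticator uses asymmetric keys and its own audience configuration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption): a real issuer such as the kube-apiserver
# signs service account tokens with an asymmetric key, not a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Placeholder audience standing in for the API server's own audience.
KAS_AUDIENCE = "https://kubernetes.default.svc"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, ttl_seconds: int = 3600) -> str:
    """Issue an HS256 JWT whose `aud` claim names the verifier it is meant for."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": "demo-issuer", "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    signature = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, expected_audience: Optional[str]) -> dict:
    """Check signature and expiry; enforce `aud` only when expected_audience is set.

    Passing None models a verifier that ignores audiences: every validly signed,
    unexpired token from the issuer is accepted, whoever it was minted for.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= int(time.time()):
        raise ValueError("token expired")
    if expected_audience is not None:
        aud = payload.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_audience not in audiences:
            raise ValueError(f"audience mismatch: token is for {audiences}, "
                             f"not {expected_audience}")
    return payload


def accepts(token: str, expected_audience: Optional[str]) -> bool:
    """True if the verifier would accept the token under the given audience policy."""
    try:
        verify_token(token, expected_audience)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Token minted for a third-party service, not for the API server.
    tok = mint_token("system:serviceaccount:demo:app", "vault")
    print("audience-ignoring verifier accepts it:", accepts(tok, None))
    print("audience-enforcing KAS accepts it:   ", accepts(tok, KAS_AUDIENCE))
```

The first print is the unexpected outcome the description warns about; the second is what an audience-aware authenticator gives. Comment 2 explains why 4.1 does not reach the first case: no audience-bearing token can be issued there in the first place.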

