
Kubernetes

ezoidc has built-in support to validate Kubernetes service account tokens.

k8s issuer

If the ezoidc server detects that it is running in a Kubernetes cluster, the OIDC configuration of the API server is fetched and stored as the k8s issuer. This issuer can then be used to authenticate service account tokens issued by the same cluster.

policy.rego
allow.read("secret") if {
  issuer = "k8s"
  subject = "system:serviceaccount:default:default"
}

This behavior can be disabled by setting automountServiceAccountToken: false in the server pod.

Service Account Tokens

Users that are authorized to create serviceaccounts/token resources can use the kubectl create token command to generate tokens that can authenticate with ezoidc.

Terminal window
export EZOIDC_TOKEN=$(
  kubectl create token "$SERVICE_ACCOUNT" \
    --namespace="$NAMESPACE" \
    --audience="$AUDIENCE" \
    --duration=10m
)

Mount the token as a projected volume

A service account token can be mounted as a projected volume in a pod, with the audience set to the ezoidc server. This allows the pod to authenticate with ezoidc using its service account without granting the pod the ability to create serviceaccounts/token resources. The ezoidc client can make use of the token using the --token-path option.

apiVersion: v1
kind: Pod
metadata:
  name: busybox
spec:
  containers:
    - image: busybox
      name: busybox
      command: ["sleep", "infinity"]
      volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: ezoidc-token
  volumes:
    - name: ezoidc-token
      projected:
        sources:
          - serviceAccountToken:
              path: ezoidc-token
              expirationSeconds: 600
              audience: https://test.ezoidc.dev

Install using Helm

  1. Install the Helm chart.

    Terminal window
    helm upgrade --install ezoidc oci://ghcr.io/ezoidc/ezoidc/chart
  2. To validate that the server is working properly, forward the port to your local machine.

    Terminal window
    kubectl port-forward svc/ezoidc 3501:80
  3. Create a service account token for the default service account.

    Terminal window
    export EZOIDC_TOKEN=$(kubectl create token default --audience="http://127.0.0.1:3501" --duration=10m)
  4. Read the variables from the server.

    Terminal window
    # using the client
    ezoidc variables json
    # or using Docker
    docker run --network host -e EZOIDC_TOKEN ghcr.io/ezoidc/ezoidc/cli variables json
    # or curl
    curl -H "Authorization: Bearer $EZOIDC_TOKEN" http://127.0.0.1:3501/ezoidc/1.0/variables
  5. The default configuration should grant you access to the success variable.

    {
      "variables": [
        {
          "name": "success",
          "value": {
            "string": "true"
          }
        }
      ]
    }

To customize the server’s configuration using Helm, refer to the chart’s values.yaml file.

Claims

policy.rego
claims.sub = "system:serviceaccount:default:default"
claims["kubernetes.io"].namespace = "default"
claims["kubernetes.io"].serviceaccount.name = "default"
claims["kubernetes.io"].serviceaccount.uid = "82b1702c-b569-4b07-9b1b-6690642db2fb"
claims["kubernetes.io"].node.name = "worker-1"
claims["kubernetes.io"].node.uid = "3479cba4-30df-45a7-b918-911f8db0faea"
claims["kubernetes.io"].pod.name = "app-5f5b6cb955-twgzl"
claims["kubernetes.io"].pod.uid = "9139347d-36a0-4d70-b9b0-1e87535f3b68"
claims["kubernetes.io"].secret.name = "secret-name"
claims["kubernetes.io"].secret.uid = "740478df-f6da-4f1b-8e77-ad94754efcb8"
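To show how these claims feed the rule in policy.rego above, the following Python is an added example (not ezoidc's own code): it assembles a constructed projected token, decodes its payload, and applies the expiry, audience and issuer checks before the subject rule. The in-cluster issuer URL, the alias mapping to "k8s" and the sample UIDs are assumptions; signature verification against the cluster's JWKS, which ezoidc performs with the fetched OIDC configuration, is assumed to have happened before these checks.

```python
import base64
import json

# Assumption: ezoidc stores the cluster's OIDC issuer under the alias "k8s"; the
# in-cluster issuer URL below is a common default, not a value from this page.
ISSUER_ALIASES = {"https://kubernetes.default.svc.cluster.local": "k8s"}

# Constructed sample payload shaped like a projected service account token
# (UIDs and pod name are made up for the example).
SAMPLE_CLAIMS = {
    "iss": "https://kubernetes.default.svc.cluster.local",
    "sub": "system:serviceaccount:default:default",
    "aud": ["https://test.ezoidc.dev"],
    "exp": 1_700_000_600,  # iat + 600 s, matching expirationSeconds above
    "kubernetes.io": {
        "namespace": "default",
        "serviceaccount": {"name": "default", "uid": "00000000-0000-4000-8000-000000000001"},
        "pod": {"name": "busybox", "uid": "00000000-0000-4000-8000-000000000002"},
    },
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_demo_token(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature segment."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{body}.PLACEHOLDER-SIGNATURE"

def decode_payload(token: str) -> dict:
    """Return the JWT payload; signature checking is assumed to happen first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def policy_allows(claims: dict, audience: str, now: int) -> bool:
    """Page's rule (issuer "k8s", default service account) plus expiry/audience checks."""
    if now >= int(claims.get("exp", 0)):
        return False  # projected tokens are short-lived; reject once expired
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        return False  # a token minted for another audience is not accepted
    if ISSUER_ALIASES.get(claims.get("iss")) != "k8s":
        return False
    k8s = claims.get("kubernetes.io", {})
    sa = k8s.get("serviceaccount", {})
    expected = f"system:serviceaccount:{k8s.get('namespace')}:{sa.get('name')}"
    # subject must equal the rule's value and agree with the structured claims
    return claims.get("sub") == expected == "system:serviceaccount:default:default"
```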

References