Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Non-empty policy variable values should apply and take precedence for Kubernetes authenticator #2067

Open
doodlesbykumbi opened this issue Mar 15, 2021 · 0 comments
Open

Non-empty policy variable values should apply and take precedence for Kubernetes authenticator #2067

doodlesbykumbi opened this issue Mar 15, 2021 · 0 comments
Labels
component/conjur kind/bug

Comments

@doodlesbykumbi
Copy link
Contributor

doodlesbykumbi commented Mar 15, 2021
edited

Is your feature request related to a problem? Please describe.

I would like for the Kubernetes authenticator for Conjur running internal to a Kubernetes cluster to be configurable via policy variables such that

  1. It defaults to internal cluster configuration available in the environment and on the file system
  2. If policy variables are non-empty use those instead

Because for example I could have a Conjur instance running in a different Kubernetes cluster to my application pods. The authenticator configuration values (service account etc.) from the Conjur instance pod wouldn't make sense in the application pod cluster. The current functionality forces Conjur running internal to a Kubernetes cluster to use authenticator configuration values available from the pod specific to the Kubernetes environment where the Conjur pod runs. The current logic is captured in this part of the source, here and there.

I could also just want the authenticator to use a dedicated service account, instead of the one that the Conjur instance pod uses. This is probably better from a security standpoint because it avoids arbitrary code running inside the Conjur instance pod access to the Kubernetes API. Instead the access is scoped to only the authenticator code.

Describe the solution you would like

For the Kubernetes authenticator, non-empty policy variables should take precedence over Conjur instance pod specific Kubernetes environment configuration values.

  1. It defaults to internal cluster configuration available in the environment and on the file system
  2. If policy variables are populated use those instead

Implementation wise this should just be

  1. Check if any of the policy variables is non-empty. Beware that fetching it will result in a 404 exception for variables that exist but have no been "initialised"
  2. If (1) use only policy variables
  3. If not (1) attempt to use values from the cluster environment (mix of envvars and files)

Describe alternatives you have considered

N/A

Additional context

N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component/conjur kind/bug
Milestone
No milestone
Development

No branches or pull requests
1 participant
@doodlesbykumbi