[vault-secrets-webhook] Incorrect audience for JWT tokens #78

Open

adisong opened this issue May 10, 2023 · 1 comment
Labels
good first issue Good for newcomers kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed.

Comments


adisong commented May 10, 2023

Describe the bug:
bank-vaults/bank-vaults#1752 added a new feature that creates SA JWT tokens using the api-server if they are not created automatically, which is now the default behaviour for k8s 1.24. When this token is created it is given an explicit/hardcoded audience claim, which makes this token invalid when it's used to authenticate with the k8s api-server. The Vault kubernetes auth backend can either use its own JWT to create token reviews or it can use the token presented by the client. In the latter case this now fails because the audience does not match.

Expected behaviour:
Tokens created by vault-secrets-webhook should not have an audience claim specified, or at least this claim should be configurable using annotations.

Steps to reproduce the bug:

  • configure the Vault kubernetes backend with an empty token_reviewer_jwt so it uses the token presented on login to create token reviews
  • create a ServiceAccount on k8s 1.24
  • use that ServiceAccount for Secret mutation with vault-secrets-webhook

Additional context:

When kubernetes auth fails, Vault gives this error log. It tries to use the token created by vault-secrets-webhook to look up the JWT with the TokenReview API but fails because this JWT is unauthorized due to an invalid audience:

vault 2023-05-10T09:25:28.811Z [DEBUG] auth.kubernetes.auth_kubernetes_304be248: login unauthorized: err="lookup failed: service account unauthorized; this could mean it has been deleted or recreated with a new token"

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.24.10
  • Cloud-provider/provisioner (e.g. AKS, GKE, EKS, PKE etc): GKE
  • bank-vaults version (e.g. 0.4.17): 1.9.0
  • Install method (e.g. helm or static manifests): helm
  • Logs from the misbehaving component (and any other relevant logs):
  • Resource definition (possibly in YAML format) that caused the issue, without sensitive data:

/kind bug
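The audience mismatch described in this issue, as an added example that is not bank-vaults or vault-secrets-webhook code: it builds two constructed, unsigned service account tokens, one carrying the API server's own audience and one carrying a hard-coded audience (a placeholder value; the issue does not name the real one), wraps each in a TokenReview request body of the real `authentication.k8s.io/v1` shape, and runs the audience part of the API server's decision over it. The API server audience value is an assumption matching the usual default, and signature and expiry checks are deliberately left out, so only the `aud` logic is modelled.

```python
import base64
import json

# Audience the API server accepts for service account tokens by default.
# Assumed value for this example; a real cluster takes it from its
# --api-audiences / --service-account-issuer configuration.
API_SERVER_AUDIENCE = "https://kubernetes.default.svc"

# Placeholder for the hard-coded audience the issue describes; the issue
# does not name the real value, so this is a constructed stand-in.
HARDCODED_AUDIENCE = "example-hardcoded-audience"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(audiences: list, subject: str) -> str:
    """Build an unsigned (alg=none) JWT-shaped string carrying the claims
    under discussion. Constructed for the demo only; a real projected
    token is signed by the API server."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"iss": API_SERVER_AUDIENCE, "sub": subject, "aud": audiences}
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_audiences(token: str) -> list:
    """Return the aud claim as a list; RFC 7519 allows a string or an array."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def token_review_request(token: str, audiences=None) -> dict:
    """Body a reviewer (Vault, in this issue) POSTs to
    /apis/authentication.k8s.io/v1/tokenreviews. Omitting spec.audiences
    asks the API server to check the token against its own audience."""
    spec = {"token": token}
    if audiences:
        spec["audiences"] = list(audiences)
    return {"apiVersion": "authentication.k8s.io/v1",
            "kind": "TokenReview", "spec": spec}


def simulate_token_review(review: dict) -> dict:
    """Audience half of the API server's TokenReview decision, modelled
    here: the token must carry at least one requested audience, and with
    none requested it must carry the API server's own audience. Signature
    and expiry verification are outside this example."""
    spec = review["spec"]
    accepted = set(spec.get("audiences") or [API_SERVER_AUDIENCE])
    matched = sorted(accepted & set(token_audiences(spec["token"])))
    return {"authenticated": bool(matched), "audiences": matched}


# Constructed tokens for the two cases in the issue.
DEFAULT_SA_TOKEN = make_demo_token([API_SERVER_AUDIENCE],
                                   "system:serviceaccount:default:app")
HARDCODED_AUD_TOKEN = make_demo_token([HARDCODED_AUDIENCE],
                                      "system:serviceaccount:default:app")


def main():
    for label, token in (("default audience", DEFAULT_SA_TOKEN),
                         ("hard-coded audience", HARDCODED_AUD_TOKEN)):
        result = simulate_token_review(token_review_request(token))
        print(f"{label}: aud={token_audiences(token)} -> {result}")


if __name__ == "__main__":
    main()
```

Run as a script, the first token is accepted and the second is rejected, which is the "service account unauthorized" outcome in the Vault log above: Vault, configured with an empty token_reviewer_jwt, forwards the client's token in spec.token without spec.audiences, so the API server compares it against its own audience and finds no match. The same hard-coded token is accepted only when the reviewer explicitly requests that audience in spec.audiences, which is why the reporter asks for the claim to be dropped or made configurable.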

  • akijakya transferred this issue from bank-vaults/bank-vaults, Jul 20, 2023
  • akijakya added the kind/bug label, Jul 20, 2023
  • github-actions bot added the lifecycle/stale label, Dec 10, 2023; ramizpolic removed it, Dec 22, 2023
  • github-actions bot added the lifecycle/stale label, Feb 25, 2024; akijakya added good first issue and removed lifecycle/stale, Feb 28, 2024
  • github-actions bot added the lifecycle/stale label, May 5, 2024; csatib02 removed it and bank-vaults deleted three github-actions bot comments, May 5, 2024
  • github-actions bot added the lifecycle/stale label, Jul 7, 2024; csatib02 removed it and bank-vaults deleted a github-actions bot comment, Jul 7, 2024
  • github-actions bot added the lifecycle/stale label, Sep 8, 2024; bank-vaults deleted a github-actions bot comment and csatib02 removed the label, Sep 8, 2024
github-actions bot commented

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 20 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

  • github-actions bot added the lifecycle/stale label, Nov 10, 2024
Development

No branches or pull requests

4 participants