Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider token lookup event configurable #231

Open
andrey-dubnik opened this issue Feb 2, 2024 · 1 comment
Open

Consider token lookup event configurable #231

andrey-dubnik opened this issue Feb 2, 2024 · 1 comment

Comments

@andrey-dubnik
Copy link

andrey-dubnik commented Feb 2, 2024
edited
Loading

Hi,

In our scenario we have a public Vault endpoint and a mix of k8s clusters some with the public k8s API and some with the private only. If we are to use the service account auth it would work for the public clusters but won't work for the private ones cause token lookup can't be done from the Vault server towards the private endpoints.

Proposal is to make lookup option configurable based on the token's TTL e.g. lookup_after_ttl="10s". This way if we have a short lived token and TTL say <10m it is highly unlikely someone would revoke a token within that timeframe + it would give our offline clusters grace period where vault interaction could take place.

Token is still validated via CA so it can't be fake-issued just not going to be looked up in k8s if lookup_after_ttl is not due.

Does this feature makes sense?

Thanks,
A
@andrey-dubnik
Copy link
Author

If this is feasible issue can be accompanied with a PR

@andrey-dubnik andrey-dubnik changed the title Consider roken lookup event configurable Consider token lookup event configurable Feb 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@andrey-dubnik