Allow custom audience for kubernetes in-cluster joining#49528
Merged
Allow custom audience for kubernetes in-cluster joining#49528
Conversation
timothyb89
approved these changes
Nov 28, 2024
Contributor
timothyb89
left a comment
timothyb89
left a comment
There was a problem hiding this comment.
changelog nit:
Changelog: Kubernetes in-cluster joining now also accepts tkoens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience).
s/tkoens/tokens, I think?
And to clarify part of the description, JWKS joining behavior is unchanged? It looks like this just adds the Teleport cluster name as a valid audience for in-cluster joining?
tigrato
reviewed
Nov 28, 2024
tigrato
approved these changes
Nov 28, 2024
public-teleport-github-review-bot
Bot
removed request for
camscale and
strideynet
strideynet
approved these changes
Nov 28, 2024
hugoShaka
deleted the
hugo/kube-in-cluster-join-allow-clustername-audience
branch
|
@hugoShaka See the table below for backport results.
|
This was referenced Nov 28, 2024
carloscastrojumo
pushed a commit
to carloscastrojumo/teleport
that referenced
this pull request
Feb 19, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR removes a common in-cluster joining footgun. Before this PR:
Many users mistakenly set the cluster name in the audience for in cluster joining, which caused the joining to fail.
After this PR:
This change does not reduces the security of the join. method and makes the tbot chart compatible with in-cluster joining.
Changelog: Kubernetes in-cluster joining now also accepts tokens whose audience is the Teleport cluster name (before it only allowed the default Kubernetes audience). Kubernetes JWKS joining is unchanged and still requires tokens with the cluster name in the audience.
Internal slack thread that started this PR: https://gravitational.slack.com/archives/C01TYKHFVTQ/p1732733525308779