Non-empty policy variable values should apply and take precedence for Kubernetes authenticator #2067

@doodlesbykumbi

Description

Is your feature request related to a problem? Please describe.

I would like for the Kubernetes authenticator for Conjur running internal to a Kubernetes cluster to be configurable via policy variables such that

  1. It defaults to internal cluster configuration available in the environment and on the file system
  2. If policy variables are non-empty use those instead

Because for example I could have a Conjur instance running in a different Kubernetes cluster to my application pods. The authenticator configuration values (service account etc.) from the Conjur instance pod wouldn't make sense in the application pod cluster. The current functionality forces Conjur running internal to a Kubernetes cluster to use authenticator configuration values available from the pod specific to the Kubernetes environment where the Conjur pod runs. The current logic is captured in this part of the source, here and there.

I could also just want the authenticator to use a dedicated service account, instead of the one that the Conjur instance pod uses. This is probably better from a security standpoint because it avoids giving arbitrary code running inside the Conjur instance pod access to the Kubernetes API. Instead the access is scoped to only the authenticator code.

Describe the solution you would like

For the Kubernetes authenticator, non-empty policy variables should take precedence over Conjur instance pod specific Kubernetes environment configuration values.

  1. It defaults to internal cluster configuration available in the environment and on the file system
  2. If policy variables are populated use those instead

Implementation-wise this should just be

  1. Check if any of the policy variables is non-empty. Beware that fetching it will result in a 404 exception for variables that exist but have not been "initialised"
  2. If (1) use only policy variables
  3. If not (1) attempt to use values from the cluster environment (mix of envvars and files)

Describe alternatives you have considered

N/A

Additional context

N/A
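The precedence logic proposed in the issue, written out as an added Ruby example (Conjur is a Ruby code base); this is illustrative code, not Conjur's own authenticator implementation. The policy variable names, the `VariableNotInitialized` and `IncompleteConfig` error classes, and the injected `fetch`/`env`/`read_file` callables are assumptions made so the example runs offline; the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` variables and the `/var/run/secrets/kubernetes.io/serviceaccount` paths are the standard in-cluster ones. It goes slightly beyond the three steps by refusing a partially populated set of policy variables instead of silently mixing sources.

```ruby
# Added example (not Conjur project code): resolve Kubernetes authenticator
# configuration with the precedence described in the issue:
#   1. treat an uninitialised ("404") policy variable as empty,
#   2. if any policy variable is non-empty, use only policy variables,
#   3. otherwise fall back to the in-cluster environment (envvars + files).

# Assumed error raised by the secrets backend for an existing-but-unset variable.
class VariableNotInitialized < StandardError; end

# Assumed error for a partially populated policy configuration.
class IncompleteConfig < StandardError; end

# Assumed variable names, chosen for illustration.
POLICY_VARIABLES = %w[api-url ca-cert service-account-token].freeze

# Standard Kubernetes projected service-account directory.
IN_CLUSTER_SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount".freeze

module K8sAuthenticatorConfig
  module_function

  def blank?(value)
    value.nil? || value.to_s.strip.empty?
  end

  # Step 1: read every policy variable, mapping "not initialised" to nil
  # instead of letting the 404 abort the whole resolution.
  def policy_values(fetch)
    POLICY_VARIABLES.each_with_object({}) do |name, acc|
      acc[name] = begin
        fetch.call(name)
      rescue VariableNotInitialized
        nil
      end
    end
  end

  # fetch:     callable(name) -> value, or raises VariableNotInitialized
  # env:       ENV-like hash
  # read_file: callable(path) -> contents (injected so the example runs offline)
  def resolve(fetch:, env:, read_file:)
    populated = policy_values(fetch).reject { |_, v| blank?(v) }

    # Step 3: nothing set in policy, so use the pod's own cluster environment.
    return from_cluster_environment(env, read_file) if populated.empty?

    # Step 2: policy wins outright. A half-filled set is a misconfiguration;
    # fail loudly rather than silently filling the gaps from the environment.
    missing = POLICY_VARIABLES - populated.keys
    raise IncompleteConfig, "policy variables not set: #{missing.join(', ')}" unless missing.empty?

    {
      source: :policy,
      api_url: populated["api-url"],
      ca_cert: populated["ca-cert"],
      service_account_token: populated["service-account-token"]
    }
  end

  def from_cluster_environment(env, read_file)
    host = env.fetch("KUBERNETES_SERVICE_HOST")
    port = env.fetch("KUBERNETES_SERVICE_PORT")
    {
      source: :cluster,
      api_url: "https://#{host}:#{port}",
      ca_cert: read_file.call("#{IN_CLUSTER_SA_DIR}/ca.crt"),
      service_account_token: read_file.call("#{IN_CLUSTER_SA_DIR}/token")
    }
  end
end

# Constructed sample inputs (placeholder values, not real credentials).
SAMPLE_POLICY = {
  "api-url" => "https://k8s.example.internal:6443",
  "ca-cert" => "-----BEGIN CERTIFICATE-----\nEXAMPLE\n-----END CERTIFICATE-----",
  "service-account-token" => "example-policy-token"
}.freeze
FETCH_POPULATED = ->(name) { SAMPLE_POLICY.fetch(name) }
FETCH_UNINITIALISED = ->(name) { raise VariableNotInitialized, name }
SAMPLE_ENV = { "KUBERNETES_SERVICE_HOST" => "10.0.0.1", "KUBERNETES_SERVICE_PORT" => "443" }.freeze
SAMPLE_FILES = {
  "#{IN_CLUSTER_SA_DIR}/ca.crt" => "in-cluster-ca",
  "#{IN_CLUSTER_SA_DIR}/token" => "in-cluster-token"
}.freeze
READ_SAMPLE_FILE = ->(path) { SAMPLE_FILES.fetch(path) }

if __FILE__ == $PROGRAM_NAME
  p K8sAuthenticatorConfig.resolve(fetch: FETCH_POPULATED, env: SAMPLE_ENV, read_file: READ_SAMPLE_FILE)
  p K8sAuthenticatorConfig.resolve(fetch: FETCH_UNINITIALISED, env: SAMPLE_ENV, read_file: READ_SAMPLE_FILE)
end
```

Injecting `fetch`, `env` and `read_file` keeps the decision logic testable without a cluster or a secrets backend; in a real deployment the same three steps would read from the policy store, `ENV` and `File.read`. Raising `IncompleteConfig` on a partial set is a deliberate choice: the alternative of quietly falling back to the Conjur pod's own service account is exactly the cross-cluster and over-privilege situation the issue wants to avoid.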
