You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/en/docs/concepts/security/service-accounts.md
+17Lines changed: 17 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -186,6 +186,23 @@ following methods:
186
186
(which was enabled by default from Kubernetes v1.24 to v1.26), prevented Kubernetes from automatically creating these tokens for
187
187
ServiceAccounts. The feature gate is removed in v1.27, because it was elevated to GA status; you can still create indefinite service account tokens manually, but should take into account the security implications.
188
188
189
+
#### Node audience restriction for service account tokens {#node-audience-restriction}
When the `ServiceAccountNodeAudienceRestriction`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
194
+
is enabled, the [NodeRestriction](/docs/reference/access-authn-authz/admission-controllers#noderestriction)
195
+
admission plugin limits which audiences a kubelet can request when creating service
196
+
account tokens via the `TokenRequest` API. By default, the kubelet can only request
197
+
tokens for audiences already referenced by pods on that node (through projected service
198
+
account token volumes or CSI driver token requests). Administrators can grant
199
+
kubelets access to additional audiences using RBAC rules with the
200
+
`request-serviceaccounts-token-audience` verb.
201
+
202
+
This restriction applies only to kubelets (node identities) and does not affect other
203
+
callers of the `TokenRequest` API. For details and RBAC examples,
204
+
see [Service account token audience restriction](/docs/reference/access-authn-authz/node/#service-account-token-audience-restriction).
205
+
189
206
{{< note >}}
190
207
For applications running outside your Kubernetes cluster, you might be considering
191
208
creating a long-lived ServiceAccount token that is stored in a Secret. This allows authentication, but the Kubernetes project recommends you avoid this approach.
When the `ServiceAccountNodeAudienceRestriction`[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
98
+
is enabled and the `NodeRestriction` admission plugin is active, the kubelet can only
99
+
request service account tokens for audiences that are already referenced by pods running
100
+
on that node. This prevents a compromised node from obtaining tokens for arbitrary audiences.
101
+
102
+
The allowed audiences are determined from the pod spec:
103
+
104
+
- The default API server audience (empty or the API server's configured audience).
105
+
- Audiences set in projected service account token volume sources.
106
+
- Audiences configured in CSI driver `spec.tokenRequests` for any CSI driver used by
107
+
the pod, whether through inline CSI volumes, PersistentVolumeClaim-backed volumes,
108
+
or ephemeral volumes.
109
+
110
+
This is particularly relevant when using [service account tokens for image credential providers](/docs/tasks/administer-cluster/kubelet-credential-provider/#service-account-token-for-image-pulls),
111
+
where the kubelet requests tokens with a registry-specific audience on behalf of pods.
112
+
113
+
### Allowing additional audiences with RBAC {#allowing-additional-audiences}
114
+
115
+
You can grant kubelets permission to request tokens for audiences beyond what
116
+
the pod spec references. When the kubelet requests a token with an audience that
117
+
is not found in the pod spec, the NodeRestriction admission plugin checks whether
118
+
the kubelet is authorized by performing an authorization check with the following
119
+
attributes:
120
+
121
+
| Attribute | Value |
122
+
| ---------- | ----- |
123
+
| Verb |`request-serviceaccounts-token-audience`|
124
+
| API Group | (empty string, meaning the core API group) |
125
+
| Resource | The requested audience value |
126
+
| Name | The service account name |
127
+
| Namespace | The service account namespace |
128
+
129
+
You can use standard RBAC rules to authorize these checks. The `resources` field
130
+
controls which audiences are allowed, and the `resourceNames` field controls which
131
+
service accounts the rule applies to.
132
+
133
+
For example, to allow the kubelet to request audience `my-registry-audience` for
Bind the ClusterRole to the `system:nodes` group to apply it to all kubelets:
164
+
165
+
```yaml
166
+
apiVersion: rbac.authorization.k8s.io/v1
167
+
kind: ClusterRoleBinding
168
+
metadata:
169
+
name: node-audience-binding
170
+
roleRef:
171
+
apiGroup: rbac.authorization.k8s.io
172
+
kind: ClusterRole
173
+
name: node-audience-my-registry
174
+
subjects:
175
+
- kind: Group
176
+
name: system:nodes
177
+
apiGroup: rbac.authorization.k8s.io
178
+
```
179
+
180
+
{{< note >}}
181
+
This restriction is part of the NodeRestriction admission plugin and only applies to
182
+
node identities (kubelets). It does not restrict which audiences other callers of the
183
+
`TokenRequest`API can request. If you need to restrict other callers, consider using a [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/).
0 commit comments