Consider adding Tokenrequest

[tychota]

Problem it solves

Probably "Wishlist priority"

When Installing latest istio (1.6.0) at the time of writing, I did see the warning:

Detected that your cluster does not support third party JWT authentication. Falling back to less secure first party JWT. See https://istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens for details.

What it is

See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection

What to modify on kubelet

See https://jpweber.io/blog/a-look-at-tokenrequest-api/

I think that some certificate must be created and shared, then a few options must be added to kubelet command.

Next steps

Is it interesting for hobby-kube ?

If yes, I may find some times trying this on my own cluster soon and if so I will open a PR to both Guide and provisioning.
If not, feel free to close this issue.

[pstadler]

First of all, thanks for your effort creating this issue. I don't see this within the scope of the hobby-kube project at this point and adding this will certainly make things more complicated.

However, if the changes make sense for a broader audience I'd consider adding this. Are you aware of any other project or reason for enabling this API?

[tychota]

(Hi, sorry, I did miss the notification)

First notice that my example with istio is only here as an example. The goal is not for this project to support istio or whatever but to implement. (as english is not my mother language, i wasn't sure it was clear in the first post).

What is TokenRequest

TokenRequest were introduced here: https://github.com/kubernetes/community/pull/1460/files?short_path=31a0d46#diff-31a0d46d154a2c02fe8cb4fa8d349d26.

How much widespread is TokenRequest

TokenRequest was then implemented in kubernetes/kubernetes#58790 and available in alpha in 1.10 and in beta in 1.12. It is still beta in 1.12.

I think all the cloud providers support TokenRequest.

Why TokenRequest

As a summary of the above documents, it helps:

• increasing security: TokenRequest are time bound and audience bound
• helping scalibility

Why TokenRequest in hobby-kube

I'm aware that as itself fine grained security (security to protect against attack where the attackers as already access to something in the cluster) or scalability are not strong goal of this project. The name is "hobby-kube".
I see more this enhancement as a usability helper so user don't have warning or worse not working if they depends on TokenRequest.

I don't think it is yet a must have. Most third parties still allow unsecure JWT token and advice to use TokenRequest.
However if TokenRequest is really simple as follow (untested yet), it may be worth (a small modification for a small improvment of usability and security)