Kubernetes Authentication

A host string, a host:port pair or a base URL to the API server.

The JWKS uri is usually found by fetching the discovery information found at https:///.well-known/openid-configuration but in rare circumstances when that cannot be fetched, or is incorrect, an explicit URI can be configured.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

CA Cert to use when talking to the Kubernetes API server. PEM encoded. This will default to the content of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt unless disable-local-ca-jwt is set to true.

Keys use to validate the JWTs issued by Kubernetes. Usually these keys can be retreived from the jwks_uri endpoint, but some installations do not expose these keys.

Token to use when accessing the TokenReview API. If not set it will default to either the content of /var/run/secrets/kubernetes.io/serviceaccount/token (provided the system is run inside a kubernetes cluster and unless disable-local-ca-jwt is set to true), or the service account token under review.

In Kubernetes default tokens use kubernetes/serviceaccount as issuer, however ephemeral tokens use the api-servers service-account-issuer setting, which is often a URL. Both may have to be configured as valid issuers.

A host string, a host:port pair or a base URL to the API server.

The JWKS uri is usually found by fetching the discovery information found at https:///.well-known/openid-configuration but in rare circumstances when that cannot be fetched, or is incorrect, an explicit URI can be configured.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

CA Cert to use when talking to the Kubernetes API server. PEM encoded. This will default to the content of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt unless disable-local-ca-jwt is set to true.

Keys use to validate the JWTs issued by Kubernetes. Usually these keys can be retreived from the jwks_uri endpoint, but some installations do not expose these keys.

Token to use when accessing the TokenReview API. If not set it will default to either the content of /var/run/secrets/kubernetes.io/serviceaccount/token (provided the system is run inside a kubernetes cluster and unless disable-local-ca-jwt is set to true), or the service account token under review.

In Kubernetes default tokens use kubernetes/serviceaccount as issuer, however ephemeral tokens use the api-servers service-account-issuer setting, which is often a URL. Both may have to be configured as valid issuers.

A host string, a host:port pair or a base URL to the API server.

The JWKS uri is usually found by fetching the discovery information found at https:///.well-known/openid-configuration but in rare circumstances when that cannot be fetched, or is incorrect, an explicit URI can be configured.

If the discovery-url is a https URL, then this field can be used to configure which name must be present in the cert presented by the server. By default the host name from the discovery-url will be used.

CA Cert to use when talking to the Kubernetes API server. PEM encoded. This will default to the content of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt unless disable-local-ca-jwt is set to true.

Keys use to validate the JWTs issued by Kubernetes. Usually these keys can be retreived from the jwks_uri endpoint, but some installations do not expose these keys.

Token to use when accessing the TokenReview API. If not set it will default to either the content of /var/run/secrets/kubernetes.io/serviceaccount/token (provided the system is run inside a kubernetes cluster and unless disable-local-ca-jwt is set to true), or the service account token under review.

In Kubernetes default tokens use kubernetes/serviceaccount as issuer, however ephemeral tokens use the api-servers service-account-issuer setting, which is often a URL. Both may have to be configured as valid issuers.

Service account names that are allowed to authenticate using this role. The special value * indicates that all service account names are allowed.

Service account namespaces that are allowed to authenticate using this role. The special value * indicates that all service account namespaces are allowed.

If set, the JWT audience (aud) claim must match this value.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.

Service account names that are allowed to authenticate using this role. The special value * indicates that all service account names are allowed.

Service account namespaces that are allowed to authenticate using this role. The special value * indicates that all service account namespaces are allowed.

If set, the JWT audience (aud) claim must match this value.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.

Service account names that are allowed to authenticate using this role. The special value * indicates that all service account names are allowed.

Service account namespaces that are allowed to authenticate using this role. The special value * indicates that all service account namespaces are allowed.

If set, the JWT audience (aud) claim must match this value.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

• enumeration: - none: Do not set bound-cidrs automatically. (default) - host: Set bound-cidrs to the host address when token is created. - network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

• ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
• ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

Do not add the default policy to the token if this is set to true.

Limit the number of times the token can be used.

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

• service
• default

Should the refresh operation be allowed for this token or not.